Cyber Resilience Act (CRA): cybersecurity requirements for digital products

Security · 8 min read

Kees van der Vlies

Partner | IT Auditor

Also available in: Nederlands

The Cyber Resilience Act (CRA, Regulation 2024/2847) entered into force in December 2024 and will be phased in from September 2026. It is the first EU legislation to impose mandatory cybersecurity requirements on products with digital elements throughout their entire lifecycle.

While the NIS2 Directive focuses on organizations and their network and information systems, the CRA targets the products themselves. Every smart doorbell, router, software application, or industrial control system placed on the EU market must comply with the CRA.

What falls under the CRA?

The CRA applies to all products with digital elements made available on the EU market. This includes hardware with a digital component (IoT devices, routers, smartphones, smart home appliances), standalone software (operating systems, browsers, applications), and the remote data processing that such a product needs in order to perform its functions, for example the cloud back end of a smart doorbell. Pure software-as-a-service that is offered independently of a product is not covered by the CRA; it falls under NIS2 instead.

There are exceptions. Products already covered by sector-specific EU legislation with comparable cybersecurity requirements, such as medical devices (MDR and IVDR), motor vehicles, civil aviation and marine equipment, are exempted, as are products developed exclusively for national security or defence purposes. Free and open source software that is not supplied in the course of a commercial activity also falls outside the scope.

The CRA distinguishes three product categories: default products, important products (class I and class II), and critical products. The higher the category, the stricter the conformity assessment. Default products may be assessed by the manufacturer itself (self-assessment). Important products of class I may also be self-assessed, but only if the manufacturer fully applies the relevant harmonised standards or common specifications; otherwise a third-party assessment is required. Important products of class II always require third-party assessment, and critical products may additionally be required to obtain a European cybersecurity certificate.

Manufacturer obligations

Manufacturers bear the heaviest obligations under the CRA. They must perform a cybersecurity risk analysis for their product and implement appropriate security measures. The product must be developed with security by design, with a secure default configuration.

Manufacturers must handle vulnerabilities throughout the product's support period and provide security updates during that period. The support period must be at least five years, unless the product is expected to be in use for a shorter time, and each security update must remain available for at least ten years after its release or for the rest of the support period, whichever is longer. Updates must be provided free of charge, without undue delay, and, where technically feasible, separately from functionality updates.

A reporting obligation applies for actively exploited vulnerabilities and for severe incidents that affect the security of the product. An early warning must be submitted within 24 hours of becoming aware, through the single reporting platform, to the CSIRT designated as coordinator and to ENISA; a fuller vulnerability notification follows within 72 hours, and a final report is due once a corrective or mitigating measure is available, at the latest 14 days after that. The 24-hour and 72-hour steps mirror the incident reporting scheme of NIS2, but the trigger is different: under the CRA it is a vulnerability in the product, not an incident at the organisation, that starts the clock.

Technical documentation must be prepared and maintained, including a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the product's top-level dependencies. The SBOM is part of the technical documentation and must be available to market surveillance authorities; the CRA does not require it to be published.
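As an added illustration of what the SBOM requirement amounts to in practice (example code written for this page, not code from the article or from Secure Audit), the script below builds a small SBOM for a constructed firmware product and then checks it for the defects that most often make an SBOM useless to an auditor: dependency edges pointing at components that are not listed, listed components that nothing depends on, and components without a version or identifier. The CycloneDX 1.5 JSON layout and the `pkg:generic/...` package URLs are assumptions; the CRA requires a commonly used machine-readable format but does not prescribe which one. The product, its suppliers and its dependency list are constructed sample data.

```python
"""Added example: build a minimal CycloneDX-style SBOM and check its consistency.

Assumptions (not from the article): CycloneDX 1.5 JSON is used as the SBOM
format, and vendored C libraries are identified with 'pkg:generic' package URLs.
The product and dependency data below are constructed sample input.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample product (hypothetical name and supplier).
PRODUCT = {"name": "smart-doorbell-firmware", "version": "3.2.0",
           "supplier": "Example Devices BV"}

# Constructed dependency list: component name -> (version, names it depends on).
# Components nobody depends on are treated as the product's direct dependencies.
DEPENDENCIES: Dict[str, Tuple[str, List[str]]] = {
    "mbedtls": ("3.6.0", []),
    "lwip": ("2.2.0", []),
    "paho-mqtt": ("1.3.13", ["mbedtls", "lwip"]),
    "freertos": ("10.6.2", []),
}


def purl(name: str, version: str, ecosystem: str = "generic") -> str:
    """Package URL used both as identifier and as bom-ref inside the SBOM."""
    return f"pkg:{ecosystem}/{name}@{version}"


def build_sbom(product: dict, deps: Dict[str, Tuple[str, List[str]]]) -> dict:
    """Produce a CycloneDX-style document with a component list and a dependency graph."""
    product_ref = purl(product["name"], product["version"])
    ref_of = {name: purl(name, version) for name, (version, _) in deps.items()}

    components = [
        {"type": "library", "name": name, "version": version,
         "purl": ref_of[name], "bom-ref": ref_of[name]}
        for name, (version, _) in sorted(deps.items())
    ]

    # Top-level dependencies are those no other component pulls in.
    transitive = {used for _, (_, uses) in deps.items() for used in uses}
    direct = sorted(name for name in deps if name not in transitive)

    dependencies = [{"ref": product_ref, "dependsOn": [ref_of[n] for n in direct]}]
    for name, (_, uses) in sorted(deps.items()):
        dependencies.append({"ref": ref_of[name],
                             "dependsOn": [ref_of[u] for u in uses]})

    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {
            "type": "firmware", "name": product["name"],
            "version": product["version"],
            "supplier": {"name": product["supplier"]},
            "bom-ref": product_ref}},
        "components": components,
        "dependencies": dependencies,
    }


def check_sbom(sbom: dict) -> List[str]:
    """Return a list of consistency problems; an empty list means the SBOM is coherent."""
    problems: List[str] = []
    known = {c["bom-ref"] for c in sbom["components"]}
    known.add(sbom["metadata"]["component"]["bom-ref"])

    referenced = set()
    for edge in sbom["dependencies"]:
        if edge["ref"] not in known:
            problems.append(f"unknown ref {edge['ref']} in dependency graph")
        for target in edge["dependsOn"]:
            if target not in known:
                problems.append(f"dangling dependency {target}")
            referenced.add(target)

    for comp in sbom["components"]:
        # A component that nothing depends on is either unused or the graph is incomplete.
        if comp["bom-ref"] not in referenced:
            problems.append(f"orphan component {comp['bom-ref']}")
        # Without version and identifier a component cannot be matched against advisories.
        if not comp.get("version") or not comp.get("purl"):
            problems.append(f"component {comp['name']} lacks version or purl")
    return problems


if __name__ == "__main__":
    sbom = build_sbom(PRODUCT, DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom))
```

Run it as-is to print the generated SBOM and an empty problem list; delete one entry from `components` in the output and feed it back to `check_sbom` to see the dangling references a reviewer would flag. The check is deliberately stricter than the CRA's minimum (top-level dependencies only), because an SBOM whose dependency graph cannot be resolved is of little use when a vulnerability in a transitive component has to be traced to affected products within the 24-hour early-warning window.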

Timeline

The CRA has a phased implementation. The regulation entered into force on 10 December 2024. From 11 September 2026, the reporting obligations for actively exploited vulnerabilities and severe incidents apply. From 11 December 2027, all remaining requirements take effect and every product with digital elements placed on the EU market must comply. Manufacturers currently developing products should already incorporate the CRA requirements into their design and development processes, since a product designed now will still be on the market when the requirements become enforceable.

Secure Audit helps manufacturers, importers, and distributors assess their CRA obligations, perform cybersecurity risk analyses for digital products, and prepare for conformity assessments. Contact us for a CRA readiness scan.
