EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act (Regulation 2024/2847) is a landmark European regulation that introduces mandatory cybersecurity requirements for all products with digital elements — both hardware and software — sold on the European Union market. It is the first horizontal EU legislation to impose security-by-design obligations across the entire product lifecycle.

Key Facts

Detail	Information
Full name	Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements
Entered into force	10 December 2024
Reporting obligations apply	11 September 2026
Full obligations apply	11 December 2027
Scope	All products with digital elements (hardware + software) on the EU market
Penalty for non-compliance	Up to €15 million or 2.5% of global annual turnover
Market surveillance	National authorities + EU-wide coordination

What Does the CRA Require?

For Manufacturers

Security by design & default — Products must be designed with cybersecurity in mind from the outset, not as an afterthought.
Vulnerability management — Manufacturers must actively monitor, identify, and remediate vulnerabilities throughout the product’s expected lifetime (minimum 5 years).
Secure updates — Products must support secure, automatic security updates.
Secure boot — Devices must ensure firmware integrity through cryptographic verification.
No known vulnerabilities at shipment — Products cannot be placed on the market with known exploitable vulnerabilities.
SBOM (Software Bill of Materials) — A machine-readable inventory of all software components must be maintained.
Incident reporting — Actively exploited vulnerabilities must be reported to ENISA within 24 hours.

For Importers & Distributors

Verify that products bear CE marking and have required documentation.
Withdraw non-compliant products from the market.

Product Categories

The CRA defines three risk tiers with escalating requirements:

Category	Examples	Conformity Assessment
Default	Smart TVs, toys, speakers	Self-assessment (manufacturer)
Important (Class I)	Routers, VPNs, password managers, IoT gateways	Harmonized standard or third-party
Important (Class II)	Firewalls, intrusion detection, secure elements, OS, microcontrollers	Mandatory third-party audit
Critical	Smart cards, HSMs, smartmeters	EU cybersecurity certification

Impact on Hardware Products

For embedded hardware manufacturers, the CRA requires:

Hardware root of trust — Secure boot with hardware-anchored keys.
Tamper protection — Physical security measures for critical devices.
Secure provisioning — Key injection and device identity during manufacturing.
Long-term maintenance — Vulnerability monitoring for the product’s entire expected lifetime.
Supply chain security — SBOM documentation covering all firmware components, including open-source.

CRA vs. Other EU Cybersecurity Regulations

Regulation	Scope	Focus
CRA	Products (hardware + software)	Product security throughout lifecycle
NIS2 Directive	Organizations (essential entities)	Organizational cybersecurity & incident response
RED 3(3)(d)(e)(f)	Radio equipment	Wireless device security
ETSI EN 303 645	Consumer IoT	Security baseline (13 provisions)
IEC 62443	Industrial automation	Zone/conduit model for OT security

The CRA complements NIS2: NIS2 secures organizations, while the CRA secures the products those organizations build and sell.

Timeline for Compliance

Now → Sep 2026 — Assess product portfolio, implement security-by-design processes, prepare SBOM tooling.
Sep 2026 — Vulnerability reporting obligations begin.
Dec 2027 — Full compliance required. Non-compliant products cannot receive CE marking and are banned from the EU market.

Secure Boot — A core CRA requirement for device firmware integrity.
IoT — Connected devices most affected by CRA requirements.
HSM — Hardware security modules used for CRA-compliant key management.
SBOM — Software Bill of Materials, mandated by CRA for supply chain transparency and vulnerability tracking.

CRA