EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a landmark European regulation that introduces mandatory cybersecurity requirements for all products with digital elements, both hardware and software, sold on the European Union market. It is the first horizontal EU legislation to impose security-by-design obligations across the entire product lifecycle.
Key Facts
| Detail | Information |
|---|---|
| Full name | Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements |
| Entered into force | 10 December 2024 |
| Reporting obligations apply | 11 September 2026 |
| Full obligations apply | 11 December 2027 |
| Scope | All products with digital elements (hardware + software) on the EU market |
| Penalty for non-compliance | Up to €15 million or 2.5% of global annual turnover |
| Market surveillance | National authorities + EU-wide coordination |
What Does the CRA Require?
For Manufacturers
- Security by design and default – Products must be designed with cybersecurity in mind from the outset, not as an afterthought.
- Vulnerability management – Manufacturers must actively monitor, identify, and remediate vulnerabilities throughout the product's expected lifetime. A support period must be defined; where the product is expected to be in use for more than 5 years, the support period must be at least 5 years.
- Secure updates – Products must support secure and timely security updates. The CRA requires that updates can be applied securely; automatic update mechanisms are recommended best practice but not explicitly mandated.
- Secure boot – Devices must ensure firmware integrity through cryptographic verification.
- No known vulnerabilities at shipment – Products cannot be placed on the market with known exploitable vulnerabilities.
- SBOM (Software Bill of Materials) – A machine-readable inventory of all software components must be maintained.
- Incident reporting (from 11 September 2026) – When an actively exploited vulnerability is discovered: early warning to ENISA and the national CSIRT within 24 hours, full report within 72 hours, final report within 14 days once a fix is available. For severe incidents (not actively exploited): notification within 72 hours, final report within 1 month.
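The SBOM and no-known-vulnerabilities items above come together at release time: the inventory is only useful if every component is identifiable, and the shipment gate is only as good as the inventory. The following Go program is an added example, not code from the page or from any CRA guidance. It builds a CycloneDX-style inventory (a subset of the real CycloneDX JSON fields) for a constructed firmware image, pins each component by SHA-256 digest, and blocks release when a component matches a constructed advisory feed. Component names, versions, byte contents and the ADV-EXAMPLE ids are all placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Component is one inventory entry. Field names follow the CycloneDX JSON
// component object (type, name, version, purl, hashes); only that subset is modelled.
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
	Hashes  []Hash `json:"hashes,omitempty"`
}

// Hash records the digest of the component bytes actually linked into the image.
type Hash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}

// SBOM is the top-level CycloneDX document, restricted to the fields used here.
type SBOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Version     int         `json:"version"`
	Components  []Component `json:"components"`
}

// NewComponent hashes the component so the SBOM pins the exact build artefact,
// not just a name/version pair that a patched variant could share.
func NewComponent(ctype, name, version, purl string, blob []byte) Component {
	sum := sha256.Sum256(blob)
	return Component{Type: ctype, Name: name, Version: version, PURL: purl,
		Hashes: []Hash{{Alg: "SHA-256", Content: hex.EncodeToString(sum[:])}}}
}

// BuildSBOM wraps the component list in a CycloneDX 1.5 document.
func BuildSBOM(components []Component) SBOM {
	return SBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Version: 1, Components: components}
}

// ValidateSBOM enforces the minimum a machine-readable inventory needs to be
// useful for vulnerability tracking: every component is named, versioned and
// carries a package URL that advisories can be matched against.
func ValidateSBOM(bom SBOM) error {
	if bom.BOMFormat != "CycloneDX" {
		return errors.New("unsupported bomFormat")
	}
	for i, c := range bom.Components {
		if c.Name == "" || c.Version == "" {
			return fmt.Errorf("component %d lacks name or version", i)
		}
		if c.PURL == "" {
			return fmt.Errorf("component %q has no purl", c.Name)
		}
	}
	return nil
}

// ShipmentGate returns one finding per component whose PURL appears in the
// advisory map (PURL -> advisory id). An empty result means no known
// vulnerable component is in the image, which is the bar at shipment.
func ShipmentGate(bom SBOM, advisories map[string]string) []string {
	var findings []string
	for _, c := range bom.Components {
		if id, hit := advisories[c.PURL]; hit {
			findings = append(findings, c.PURL+" -> "+id)
		}
	}
	sort.Strings(findings)
	return findings
}

// ExampleImageSBOM is the inventory of a constructed firmware image; every
// name, version and byte string here is made up for the example.
func ExampleImageSBOM() SBOM {
	return BuildSBOM([]Component{
		NewComponent("library", "libtls-demo", "2.4.1", "pkg:generic/libtls-demo@2.4.1", []byte("libtls-demo build 2.4.1")),
		NewComponent("library", "mqtt-client-demo", "1.0.9", "pkg:generic/mqtt-client-demo@1.0.9", []byte("mqtt-client-demo build 1.0.9")),
		NewComponent("operating-system", "rtos-demo", "5.2.0", "pkg:generic/rtos-demo@5.2.0", []byte("rtos-demo build 5.2.0")),
	})
}

// ExampleAdvisories is a constructed advisory feed; the ids are placeholders, not CVE numbers.
func ExampleAdvisories() map[string]string {
	return map[string]string{
		"pkg:generic/mqtt-client-demo@1.0.9": "ADV-EXAMPLE-0001",
		"pkg:generic/libtls-demo@2.3.0":      "ADV-EXAMPLE-0002", // older version, not in this image
	}
}

func main() {
	bom := ExampleImageSBOM()
	if err := ValidateSBOM(bom); err != nil {
		fmt.Println("invalid SBOM:", err)
		return
	}
	out, _ := json.MarshalIndent(bom, "", "  ")
	fmt.Println(string(out))
	if findings := ShipmentGate(bom, ExampleAdvisories()); len(findings) > 0 {
		fmt.Println("BLOCK release:", findings)
	} else {
		fmt.Println("no known vulnerable components")
	}
}
```

Matching on the exact package URL keeps the gate deterministic; a production pipeline would additionally resolve version ranges from the advisory source and re-run the gate on every new advisory during the support period, since the inventory does not change but the advisory feed does.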
For Importers & Distributors
- Verify that products bear CE marking and have required documentation.
- Withdraw non-compliant products from the market.
Product Categories
The CRA (Annex III) defines two main risk tiers, default and important (the latter split into Class I and Class II), with escalating requirements:
| Category | Examples | Conformity Assessment |
|---|---|---|
| Default | Smart TVs, connected toys, speakers | Self-declaration (Module A) |
| Important – Class I | Routers, VPNs, password managers, IoT gateways, browsers | Harmonized standard OR third-party audit |
| Important – Class II | Firewalls, intrusion detection systems, secure elements, HSMs, smart cards, MCUs with built-in secure element functionality, OS for servers/desktop/mobile | Notified Body certification required |
Always verify your product classification against the current Annex III text: classification determines your conformity assessment path.
Impact on Hardware Products
For embedded hardware manufacturers, the CRA requires:
- Hardware root of trust – Secure boot with hardware-anchored keys.
- Tamper protection – Physical security measures for critical devices.
- Secure provisioning – Key injection and device identity during manufacturing.
- Long-term maintenance – Vulnerability monitoring for the product's entire expected lifetime.
- Supply chain security – SBOM documentation covering all firmware components, including open-source.
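The hardware root of trust and secure boot items above reduce, on the device, to a small verification routine whose ordering matters. The Go program below is an added example, not code from the page or from any silicon vendor: a build-side signer and a bootloader-side verifier using Ed25519 from the standard library, with the manufacturer's public key and an anti-rollback floor standing in for what a real root of trust holds in OTP fuses or tamper-resistant storage. The image header layout and the payload bytes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// RootOfTrust models what the boot ROM trusts unconditionally: the manufacturer's
// signing public key and the lowest firmware version still allowed to boot.
type RootOfTrust struct {
	PubKey     ed25519.PublicKey
	MinVersion uint32
}

// Constructed image layout (an assumption for this example):
//   [0:4]    firmware version, big-endian uint32
//   [4:36]   SHA-256 of the payload
//   [36:100] Ed25519 signature over bytes [0:36]
//   [100:]   firmware payload
const (
	signedLen = 4 + sha256.Size
	headerLen = signedLen + ed25519.SignatureSize
)

var (
	ErrTruncated = errors.New("image shorter than header")
	ErrSignature = errors.New("header signature invalid")
	ErrRollback  = errors.New("firmware version below anti-rollback floor")
	ErrDigest    = errors.New("payload digest does not match signed header")
)

// NewManufacturerKey stands in for the signing key kept in the factory HSM.
func NewManufacturerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the build-server side: bind version and payload digest together
// under one signature so neither can be swapped independently.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	signed := make([]byte, signedLen)
	binary.BigEndian.PutUint32(signed[:4], version)
	copy(signed[4:], digest[:])
	sig := ed25519.Sign(priv, signed)
	img := make([]byte, 0, headerLen+len(payload))
	img = append(img, signed...)
	img = append(img, sig...)
	return append(img, payload...)
}

// VerifyImage is the bootloader side. Authenticate the header before acting on
// any field in it, then enforce anti-rollback, then check the payload digest.
func VerifyImage(rot RootOfTrust, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen {
		return 0, nil, ErrTruncated
	}
	signed, sig, payload := img[:signedLen], img[signedLen:headerLen], img[headerLen:]
	if !ed25519.Verify(rot.PubKey, signed, sig) {
		return 0, nil, ErrSignature
	}
	version := binary.BigEndian.Uint32(signed[:4])
	if version < rot.MinVersion {
		return 0, nil, ErrRollback
	}
	digest := sha256.Sum256(payload)
	if subtle.ConstantTimeCompare(digest[:], signed[4:]) != 1 {
		return 0, nil, ErrDigest
	}
	return version, payload, nil
}

func main() {
	pub, priv, err := NewManufacturerKey()
	if err != nil {
		panic(err)
	}
	rot := RootOfTrust{PubKey: pub, MinVersion: 3}
	img := SignImage(priv, 3, []byte("constructed firmware payload"))
	v, _, err := VerifyImage(rot, img)
	fmt.Println("genuine image: version", v, "err", err)
	img[len(img)-1] ^= 0x01 // flip one payload bit after signing
	_, _, err = VerifyImage(rot, img)
	fmt.Println("tampered payload:", err)
	_, _, err = VerifyImage(rot, SignImage(priv, 2, []byte("older build")))
	fmt.Println("downgrade to version 2:", err)
}
```

The version floor is what turns "secure boot" into "secure updates": once a fix ships as version N, the device raises MinVersion to N so a correctly signed but vulnerable older image can no longer be booted, which is the mechanism behind the long-term maintenance requirement above.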
CRA vs. Other EU Cybersecurity Regulations
| Regulation | Scope | Focus |
|---|---|---|
| CRA | Products (hardware + software) | Product security throughout lifecycle |
| NIS2 Directive | Organizations (essential entities) | Organizational cybersecurity & incident response |
| RED Article 3(3)(d), (e), (f) | Radio equipment | Wireless device security, mandatory from Aug 2025 |
| ETSI EN 303 645 | Consumer IoT | Security baseline (13 provisions) |
| IEC 62443 | Industrial automation | Zone/conduit model for OT security |
The CRA complements NIS2: NIS2 secures organizations, while the CRA secures the products those organizations build and sell.
Timeline for Compliance
- Now to Sep 2026 – Assess product portfolio, implement security-by-design processes, prepare SBOM tooling.
- Sep 2026 – Vulnerability reporting obligations begin.
- Dec 2027 – Full compliance required. Non-compliant products cannot receive CE marking and are banned from the EU market.
Related Terms
- Secure Boot – A core CRA requirement for device firmware integrity.
- IoT – Connected devices most affected by CRA requirements.
- HSM – Hardware security modules used for CRA-compliant key management.
- SBOM – Software Bill of Materials, mandated by the CRA for supply chain transparency and vulnerability tracking.
- ENISA – The EU agency receiving CRA vulnerability reports.
- RED Delegated Act & EN 18031 hardware guide – In-depth breakdown of what the RED cybersecurity requirements mean at silicon level.
Inovasense offers end-to-end CRA compliance preparation, from gap analysis and security architecture design (secure boot, SBOM, vulnerability management) to CE marking documentation, so your products are market-ready before the December 2027 deadline.
Official References
- Regulation (EU) 2024/2847 (CRA) – Full text – EUR-Lex, Official Journal of the European Union
- Cyber Resilience Act – European Commission policy page – European Commission, Digital Strategy