EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (Regulation 2024/2847) is a landmark European regulation that introduces mandatory cybersecurity requirements for all products with digital elements, both hardware and software, sold on the European Union market. It is the first horizontal EU legislation to impose security-by-design obligations across the entire product lifecycle.
Key Facts
| Detail | Information |
|---|---|
| Full name | Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements |
| Entered into force | 10 December 2024 |
| Reporting obligations apply | 11 September 2026 |
| Full obligations apply | 11 December 2027 |
| Scope | All products with digital elements (hardware + software) on the EU market |
| Penalty for non-compliance | Up to €15 million or 2.5% of global annual turnover |
| Market surveillance | National authorities + EU-wide coordination |
What Does the CRA Require?
For Manufacturers
- Security by design & default: Products must be designed with cybersecurity in mind from the outset, not as an afterthought.
- Vulnerability management: Manufacturers must actively monitor, identify, and remediate vulnerabilities throughout the product’s expected lifetime. The support period must be defined; where the expected product lifetime exceeds 5 years, 5 years is the minimum support period.
- Secure updates: Products must support secure and timely security updates. The CRA requires that updates can be applied securely; automatic update mechanisms are recommended best practice but not explicitly mandated.
- Secure boot: Devices must ensure firmware integrity through cryptographic verification.
- No known vulnerabilities at shipment: Products cannot be placed on the market with known exploitable vulnerabilities.
- SBOM (Software Bill of Materials): A machine-readable inventory of all software components must be maintained.
- Incident reporting (from September 11, 2026): When an actively exploited vulnerability is discovered: 24-hour early warning to ENISA and the national CSIRT, 72-hour full report, 14-day final report once a fix is available. For severe incidents (not actively exploited): 72-hour notification, 1-month final report.
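The SBOM and "no known vulnerabilities at shipment" obligations above are usually enforced together in a release pipeline: the build produces a machine-readable component inventory, and release is blocked while any component matches a published advisory. The following Python script is an added illustration of that gate, not text from the regulation or a tool of any named vendor. It emits a minimal CycloneDX 1.5 JSON document (only a subset of the schema's fields) and checks each component's Package URL against an advisory feed. The firmware components, versions and the advisory identifier `ADV-PLACEHOLDER-001` are constructed placeholders, not real products or CVEs.

```python
"""SBOM build-and-gate example (added illustration; components and advisories are constructed)."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    ecosystem: str          # purl type, e.g. "generic" or "github"
    licenses: tuple = ()

    @property
    def purl(self) -> str:
        # Package URL (purl): pkg:<type>/<name>@<version>, the key used to match advisories.
        return f"pkg:{self.ecosystem}/{self.name}@{self.version}"


# Constructed firmware component inventory with placeholder versions.
FIRMWARE_COMPONENTS = (
    Component("rtos-kernel", "3.4.1", "generic", ("MIT",)),
    Component("tls-lib", "2.0.7", "generic", ("Apache-2.0",)),
    Component("mqtt-client", "1.9.0", "generic", ("EPL-2.0",)),
)

# Constructed advisory feed: purl -> list of (advisory id, fixed-in version, severity).
# The identifier is a placeholder, not a real CVE.
ADVISORIES = {
    "pkg:generic/tls-lib@2.0.7": [("ADV-PLACEHOLDER-001", "2.0.8", "high")],
}


def build_sbom(components, product_name, product_version) -> dict:
    """Return a minimal CycloneDX 1.5 document (subset of the schema)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "firmware", "name": product_name, "version": product_version}
        },
        "components": [
            {
                "type": "library",
                "name": c.name,
                "version": c.version,
                "purl": c.purl,
                "licenses": [{"license": {"id": lic}} for lic in c.licenses],
            }
            for c in components
        ],
    }


def validate_sbom(sbom: dict) -> list:
    """Return a list of problems; an empty list means every component is fully identified."""
    problems = []
    for comp in sbom.get("components", []):
        for key in ("name", "version", "purl"):
            if not comp.get(key):
                problems.append(f"component missing {key!r}: {comp}")
    return problems


def known_vulnerabilities(sbom: dict, advisories: dict) -> list:
    """Cross-reference each component purl against the advisory feed."""
    findings = []
    for comp in sbom.get("components", []):
        for adv_id, fixed_in, severity in advisories.get(comp["purl"], []):
            findings.append({"purl": comp["purl"], "advisory": adv_id,
                             "fixed_in": fixed_in, "severity": severity})
    return findings


def release_gate(components, advisories, product_name="sensor-gateway",
                 product_version="1.0.0") -> dict:
    """Build the SBOM, validate it, and block release on any incomplete entry or known vulnerability."""
    sbom = build_sbom(components, product_name, product_version)
    problems = validate_sbom(sbom)
    findings = known_vulnerabilities(sbom, advisories)
    return {"sbom": sbom, "problems": problems, "findings": findings,
            "release_ok": not problems and not findings}


if __name__ == "__main__":
    result = release_gate(FIRMWARE_COMPONENTS, ADVISORIES)
    print(json.dumps(result["sbom"], indent=2))
    for f in result["findings"]:
        print(f"BLOCKED: {f['purl']} affected by {f['advisory']} (fixed in {f['fixed_in']})")
    print("release_ok:", result["release_ok"])
```

Run as written, the gate reports the constructed `tls-lib` advisory and sets `release_ok` to `False`; bumping that component to the fixed-in version clears the finding. In practice the advisory feed would be a live source such as a vulnerability database keyed by purl or CPE, and the generated SBOM would be archived with the release so the same check can be re-run whenever new advisories appear during the support period.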
For Importers & Distributors
- Verify that products bear CE marking and have required documentation.
- Withdraw non-compliant products from the market.
Product Categories
The CRA (Annex III) divides important products into two classes with escalating requirements; products not listed in Annex III fall into the default category:
| Category | Examples | Conformity Assessment |
|---|---|---|
| Default | Smart TVs, connected toys, speakers | Self-declaration (Module A) |
| Important Class I | Routers, VPNs, password managers, IoT gateways, browsers | Harmonized standard OR third-party audit |
| Important Class II | Firewalls, intrusion detection systems, secure elements, HSMs, smart cards, MCUs with built-in secure element functionality, OS for servers/desktop/mobile | Notified Body certification required |
Note: Always verify your product classification against the current Annex III text; classification determines your conformity assessment path.
Impact on Hardware Products
For embedded hardware manufacturers, the CRA requires:
- Hardware root of trust: Secure boot with hardware-anchored keys.
- Tamper protection: Physical security measures for critical devices.
- Secure provisioning: Key injection and device identity during manufacturing.
- Long-term maintenance: Vulnerability monitoring for the product’s entire expected lifetime.
- Supply chain security: SBOM documentation covering all firmware components, including open-source.
CRA vs. Other EU Cybersecurity Regulations
| Regulation | Scope | Focus |
|---|---|---|
| CRA | Products (hardware + software) | Product security throughout lifecycle |
| NIS2 Directive | Organizations (essential entities) | Organizational cybersecurity & incident response |
| RED 3(3)(d)(e)(f) | Radio equipment | Wireless device security mandatory from Aug 2025 |
| ETSI EN 303 645 | Consumer IoT | Security baseline (13 provisions) |
| IEC 62443 | Industrial automation | Zone/conduit model for OT security |
The CRA complements NIS2: NIS2 secures organizations, while the CRA secures the products those organizations build and sell.
Timeline for Compliance
- Now - Sep 2026: Assess product portfolio, implement security-by-design processes, prepare SBOM tooling.
- Sep 2026: Vulnerability reporting obligations begin.
- Dec 2027: Full compliance required. Non-compliant products cannot receive CE marking and are banned from the EU market.
Related Terms
- Secure Boot: A core CRA requirement for device firmware integrity.
- IoT: Connected devices most affected by CRA requirements.
- HSM: Hardware security modules used for CRA-compliant key management.
- SBOM: Software Bill of Materials, mandated by the CRA for supply chain transparency and vulnerability tracking.
- ENISA: The EU agency receiving CRA vulnerability reports.
- RED Delegated Act & EN 18031 hardware guide: In-depth breakdown of what the RED cybersecurity requirements mean at silicon level.
Inovasense offers end-to-end CRA compliance preparation, from gap analysis and security architecture design (secure boot, SBOM, vulnerability management) to CE marking documentation, so your products are market-ready before the December 2027 deadline.
Official References
- Regulation (EU) 2024/2847 (CRA), full text: EUR-Lex, Official Journal of the European Union
- Cyber Resilience Act, European Commission policy page: European Commission, Digital Strategy