EU Cyber Resilience Act (CRA)
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) introduces mandatory cybersecurity requirements for products with digital elements, both hardware and software, placed on the European Union market. Products already covered by sector-specific cybersecurity rules (for example medical devices, motor vehicles and civil aviation equipment) are excluded, as is free and open-source software that is not supplied in the course of a commercial activity. It is the first horizontal EU legislation to impose security-by-design obligations across the entire product lifecycle, from design through the end of the support period.
Key Facts
| Detail | Information |
|---|---|
| Full name | Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements |
| Entered into force | 10 December 2024 |
| Notified body provisions apply | 11 June 2026 |
| Reporting obligations apply | 11 September 2026 |
| Full obligations apply | 11 December 2027 |
| Scope | All products with digital elements (hardware + software) placed on the EU market, subject to the sectoral exclusions above |
| Penalty for non-compliance | Up to €15 million or 2.5% of global annual turnover, whichever is higher, for breaches of the essential requirements; lower tiers apply to other obligations |
| Market surveillance | National authorities + EU-wide coordination |
What Does the CRA Require?
For Manufacturers
- Security by design & default — Products must be designed with cybersecurity in mind from the outset, not as an afterthought.
- Vulnerability management — Manufacturers must identify, document and remediate vulnerabilities, and provide security updates, throughout the support period. The support period must reflect how long the product is expected to be in use and must be at least five years, unless the product is expected to be in use for less than five years; it must be stated in the user information.
- Secure updates — Products must be able to receive security updates that address vulnerabilities, distributed without delay and (outside tailor-made business products) free of charge, and the update mechanism itself must be protected against tampering. Where applicable, automatic security updates installed within an appropriate timeframe must be enabled by default, with a clear and easy-to-use opt-out (Annex I, Part I, point 2(c)).
- Integrity protection — Programs, configuration and stored or transmitted data must be protected against unauthorised modification, and corruptions must be reported (Annex I, Part I, point 2(f)). The CRA is technology-neutral, but for firmware this is normally met with secure boot, that is, cryptographic verification of each boot stage before it runs.
- No known vulnerabilities at shipment — Products cannot be placed on the market with known exploitable vulnerabilities.
- SBOM (Software Bill of Materials) — Manufacturers must identify and document the components in the product, including by drawing up an SBOM in a commonly used, machine-readable format covering at least the product's top-level dependencies. The SBOM does not have to be published, but it forms part of the technical documentation and must be provided to market surveillance authorities on request.
- Incident reporting (from 11 September 2026) — Actively exploited vulnerabilities and severe incidents affecting product security must be reported through the single reporting platform, reaching the CSIRT designated as coordinator and ENISA: an early warning within 24 hours of becoming aware, a notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available (for vulnerabilities) or within one month of the notification (for severe incidents).
For Importers & Distributors
- Verify, before placing a product on the market or making it available, that the manufacturer has carried out the conformity assessment, that the product bears the CE marking, and that the required documentation and user information accompany it.
- Inform the manufacturer and the market surveillance authorities when they have reason to believe a product is non-compliant or presents a significant cybersecurity risk, pass on any vulnerability they become aware of to the manufacturer, and take corrective action or withdraw the product where necessary.
Product Categories
The CRA distinguishes default products from important products (Annex III, Class I and Class II) and critical products (Annex IV); the category determines how demanding the conformity assessment is:
| Category | Examples (from Annexes III and IV) | Conformity Assessment |
|---|---|---|
| Default | Smart TVs, games, most apps, basic smart speakers, most connected toys | Self-assessment (Module A) |
| Important, Class I (Annex III) | Operating systems, browsers, password managers, VPN products, routers and modems, boot managers, identity and access management products, microcontrollers and microprocessors with security-related functions, smart home security products (locks, cameras, alarms), internet-connected toys with social interaction or location tracking | Self-assessment only if harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise third-party assessment by a notified body |
| Important, Class II (Annex III) | Hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers | Third-party assessment by a notified body (Module B+C or Module H) or a European cybersecurity certificate |
| Critical (Annex IV) | Hardware devices with security boxes (HSMs), smart meter gateways and similar secure cryptoprocessing devices, smartcards and secure elements | As Class II; the Commission may additionally require certification under a European cybersecurity certification scheme (e.g. EUCC) at assurance level at least "substantial" |
📋 Always verify your product classification against the current Annex III text — classification determines your conformity assessment path.
Impact on Hardware Products
For embedded hardware manufacturers, the essential requirements are technology-neutral, but in practice meeting them means:
- Hardware root of trust — Secure boot with hardware-anchored keys is the usual way to satisfy the integrity requirement for programs and configuration (Annex I, Part I).
- Tamper protection — Physical security measures where the product's risk assessment calls for them; tamper-resistant microcontrollers and microprocessors are themselves Class II important products.
- Secure provisioning — Key injection and a unique device identity established during manufacturing, so that update signing and device authentication have a trustworthy anchor.
- Long-term maintenance — Vulnerability monitoring and security updates for the whole support period, which must reflect the expected time in use and is at least five years unless the product is expected to be in use for less.
- Supply chain security — An SBOM covering at least the top-level firmware components, including open-source ones, in a commonly used machine-readable format (e.g. CycloneDX or SPDX).
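The SBOM and no-known-exploitable-vulnerabilities obligations above (the manufacturer list and the supply-chain bullet) are easiest to see as a release gate. The following is an added example, not code from the regulation or from Inovasense: it builds a minimal CycloneDX-style SBOM for a hypothetical firmware image and refuses to ship when a listed component matches a known exploitable vulnerability. All component names, versions and advisory identifiers are constructed for illustration; a real gate would take its advisory data from the manufacturer's vulnerability-handling process or a public vulnerability database.

```python
"""Added example: CycloneDX-style SBOM plus a release gate that blocks shipment
when a top-level component matches a known exploitable vulnerability.
Component names, versions and advisory IDs are constructed for illustration
and do not describe any real product or real vulnerability."""
import json

# Constructed sample input: top-level components of a hypothetical firmware image.
FIRMWARE_COMPONENTS = [
    {"name": "example-rtos", "version": "3.6.0", "supplier": "Example RTOS Project"},
    {"name": "example-tls", "version": "1.4.1", "supplier": "Example TLS Project"},
    {"name": "example-netstack", "version": "2.1.3", "supplier": "Example Net Project"},
]

# Constructed sample advisory feed (fake IDs). "fixed_in" is the first version
# that is not affected; "exploitable" records whether an exploit is known.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "example-tls",
     "fixed_in": "1.4.2", "exploitable": True},
    {"id": "EXAMPLE-0002", "component": "example-netstack",
     "fixed_in": "2.2.0", "exploitable": False},
]


def parse_version(v):
    """Turn a dotted version string into a tuple of ints so that 1.10.0 > 1.9.9."""
    return tuple(int(part) for part in v.split("."))


def build_sbom(product_name, product_version, components):
    """Build a minimal CycloneDX 1.5-shaped SBOM as a JSON-serialisable dict.

    Only the fields needed here are filled in (bomFormat, specVersion, the
    product as metadata.component, and one library entry per top-level
    dependency); a production SBOM would add bom-ref, purl, hashes and licences.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "firmware", "name": product_name,
                          "version": product_version}
        },
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "supplier": {"name": c["supplier"]}}
            for c in components
        ],
    }


def match_advisories(sbom, advisories):
    """Return advisories whose component appears in the SBOM at an unfixed version."""
    matches = []
    for comp in sbom["components"]:
        for adv in advisories:
            if (adv["component"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                matches.append({"advisory": adv["id"], "component": comp["name"],
                                "version": comp["version"],
                                "exploitable": adv["exploitable"]})
    return matches


def release_gate(sbom, advisories):
    """Decide whether the build may ship.

    Blocks on any known exploitable vulnerability (the Annex I, Part I,
    point 2(a) wording); other known vulnerabilities are returned as warnings
    so they enter the vulnerability-handling process without blocking release.
    """
    matches = match_advisories(sbom, advisories)
    blockers = [m for m in matches if m["exploitable"]]
    warnings = [m for m in matches if not m["exploitable"]]
    return {"ship": not blockers, "blockers": blockers, "warnings": warnings}


if __name__ == "__main__":
    sbom = build_sbom("example-gateway-fw", "2.0.0", FIRMWARE_COMPONENTS)
    print(json.dumps(sbom, indent=2))
    verdict = release_gate(sbom, ADVISORIES)
    print("ship:", verdict["ship"])
    for m in verdict["blockers"]:
        print("BLOCK", m["advisory"], m["component"], m["version"])
    for m in verdict["warnings"]:
        print("WARN ", m["advisory"], m["component"], m["version"])
```

Run it directly to print the SBOM and the gate verdict: with the constructed data the build is blocked by the exploitable TLS advisory and the network-stack advisory is surfaced as a warning. Bumping `example-tls` to 1.4.2 clears the blocker while the warning remains, which is the behaviour a practitioner wants: the SBOM is what makes the check mechanical, and the exploitable/non-exploitable split mirrors the distinction between what may not ship and what must be handled during the support period.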
CRA vs. Other EU Cybersecurity Regulations
| Regulation | Scope | Focus |
|---|---|---|
| CRA | Products (hardware + software) | Product security throughout lifecycle |
| NIS2 Directive | Organizations (essential and important entities) | Organizational cybersecurity risk management & incident reporting |
| RED Delegated Regulation (EU) 2022/30, Art. 3(3)(d)(e)(f) | Internet-connected radio equipment | Wireless device security; mandatory from 1 August 2025, with the EN 18031 series as harmonised standards |
| ETSI EN 303 645 | Consumer IoT | Security baseline (13 provisions) |
| IEC 62443 | Industrial automation | Zone/conduit model for OT security |
The CRA complements NIS2: NIS2 imposes risk-management and reporting duties on organizations, while the CRA imposes requirements on the products those organizations build, sell and use. Where a product is also radio equipment, the RED delegated act applies now and the CRA takes over from 11 December 2027.
Timeline for Compliance
- Now → Sep 2026 — Assess the product portfolio, classify each product against Annexes III and IV, implement security-by-design and vulnerability-handling processes, prepare SBOM tooling.
- Jun 2026 — Provisions on the notification of conformity assessment bodies apply (11 June 2026), so notified bodies for Class II and critical products can be designated.
- Sep 2026 — Reporting obligations for actively exploited vulnerabilities and severe incidents begin (11 September 2026); they also cover products already on the market.
- Dec 2027 — All remaining obligations apply (11 December 2027). Products placed on the market from that date must meet the essential requirements, bear the CE marking and come with the required documentation; non-compliant products cannot be placed on the EU market. Products placed on the market before that date fall under the full requirements only if they are substantially modified afterwards.
Related Terms
- Secure Boot — The usual way to meet the CRA's integrity requirement for firmware, programs and configuration.
- IoT — Connected devices most affected by CRA requirements.
- HSM — Hardware security modules, used for key management in secure provisioning and update signing, and themselves listed as critical products in Annex IV.
- SBOM — Software Bill of Materials, mandated by CRA for supply chain transparency and vulnerability tracking.
- ENISA — The EU agency that operates the single reporting platform through which CRA vulnerability and incident reports reach the coordinator CSIRT and ENISA.
- RED Delegated Act & EN 18031 hardware guide — In-depth breakdown of what the RED cybersecurity requirements mean at silicon level.
Inovasense offers end-to-end CRA compliance preparation — from gap analysis and security architecture design (secure boot, SBOM, vulnerability management) to CE marking documentation, so your products are market-ready before the December 2027 deadline.
Official References
- Regulation (EU) 2024/2847 (CRA) — Full text — EUR-Lex, Official Journal of the European Union
- Cyber Resilience Act — European Commission policy page — European Commission, Digital Strategy