Cyber Resilience Act (CRA)

The EU Cyber Resilience Act (CRA) is a regulation designed to enhance the cybersecurity of “products with digital elements” (PDEs) placed on the European Union market. This means mandatory cybersecurity requirements for both hardware and software, ensuring that manufacturers address vulnerabilities throughout a product’s lifecycle.

Non-compliance can result in substantial penalties of up to €15 million or 2.5% of global annual turnover, whichever is higher.

In addition to financial penalties, non-compliance can result in product recalls, reputational damage, and loss of market access in the EU.

The good news: CRA requirements align with modern secure development practices. For forward-thinking organizations, the CRA is an opportunity to strengthen security posture and resilience!

Compliance with the CRA will be a requirement for obtaining the CE marking for products sold in the EU.

What is the Purpose of the Cyber Resilience Act?

The CRA aims to:

  • Reduce cyber risks and protect consumers and businesses
  • Establish a harmonized standard for product cybersecurity across the EU
  • Ensure that all products, both hardware and software, meet a baseline level of security

The CRA was introduced because many vendors lack consistent cybersecurity processes. The regulation seeks to raise the maturity level across the industry, addressing gaps where companies may be strong in some areas but lacking in others.

Importantly, the CRA applies to a wide range of software products, including those from companies that may not traditionally consider themselves “product companies.”

Who Must Comply with the CRA?

The CRA applies to any organization manufacturing, importing, or distributing hardware or software products with digital elements on the EU market. If your product connects directly or indirectly to a network (which is the norm today), you are likely in scope.

Key exceptions include:

  • Open-source software developed or supplied outside commercial activity
  • Sectors already regulated for cybersecurity (e.g., medical devices, aviation, automotive)

This broad applicability means many companies beyond traditional “product” manufacturers need to prepare for the CRA.

Main Requirements of the CRA

The CRA sets out a series of mandatory cybersecurity requirements, including:

  • Secure-by-design and by-default: Products must be designed and developed to minimize cybersecurity risks from the outset.
  • Vulnerability management and timely updates: Manufacturers must provide timely security updates and manage vulnerabilities throughout the product’s lifecycle.
  • Incident and vulnerability reporting: Organizations must urgently report actively exploited vulnerabilities and security incidents to authorities.
  • Compliance assessment: Products must be assessed for compliance. Most can do this via self-assessment, but critical products require third-party evaluation.
  • Security documentation: Maintain and provide a Security Bill of Materials (SBOM) and other security-related documentation to users and authorities.

When Will CRA Compliance Be Mandatory?

The CRA was adopted in December 2024. Enforcement will be phased:

  • September 2026: Obligations for reporting exploited vulnerabilities and incidents become mandatory.
  • December 2027: Main requirements for product compliance and conformity assessment become fully enforceable.

Now is the time to prepare your organization for CRA compliance!

How Are Products Categorized Under the CRA?

The CRA defines four categories for products with digital elements, each with different requirements:

  1. Default: All products not listed as Important or Critical.
  2. Important Class I: Products with elevated cybersecurity risk due to their function (e.g., certain network management tools, smart home products with security functionality, password managers).
  3. Important Class II: Products with significant cybersecurity risk, often used in essential services (e.g., operating systems, virtualization software, firewalls, intrusion detection and prevention systems).
  4. Critical: The highest-risk products, such as smartcards and secure elements used for cryptographic authentication and secure transactions.

The category your product falls into determines the level of scrutiny and type of conformity assessment required.

How to Prepare for the CRA: Key Steps

  1. Assess applicability: Determine if your products fall under the CRA’s scope.
  2. Classify your products: Identify which CRA category your products belong to (Default, Important Class I, Important Class II, or Critical).
  3. Gap analysis: Evaluate your current processes against CRA requirements.
  4. Remediate gaps: Implement necessary improvements in secure development, vulnerability management, documentation, and incident response.
  5. Document and demonstrate compliance: Prepare evidence and documentation for conformity assessment.

Truesec: Your Partner for CRA Compliance and Product Security

The Cyber Resilience Act introduces requirements that not only protect your business and customers but also present an opportunity to advance your organization’s security maturity. For many, the CRA is a wake-up call to address gaps and technical debt in product security.

Our team of experts can support you at every stage:

  • Product Regulation Readiness Assessment: Evaluate your current product security posture against CRA, RED, PSTI, SB-327, and industry standards like IEC 62443.
  • Maturity Assessments: Identify strengths and gaps in your secure development lifecycle.
  • Continuous Product Security Support: Ongoing guidance, vulnerability management, and incident response tailored to your needs.
  • Strategic support and roadmap development: Clear, actionable plans for achieving and maintaining compliance.

Don’t wait for enforcement deadlines. Start your CRA compliance journey today.

Read more about Truesec’s Application Security Services and Strategic Advisory.

What is the EU Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act (CRA) is a regulation introducing mandatory cybersecurity requirements for hardware and software products with digital elements sold in the European Union.

Who must comply with the Cyber Resilience Act?

Manufacturers, importers, and distributors of digital hardware or software products must comply with the CRA if their products are made available on the EU market.

Which products are covered by the CRA?

The CRA covers “products with digital elements” that connect directly or indirectly to a network, including consumer and business software, hardware, IoT devices, and more. There are exceptions for certain open-source and industry sectors that are already covered by other cybersecurity regulations.

What are the product categories under the CRA?

Products are categorized as Default, Important Class I, Important Class II, or Critical. Each category has specific cybersecurity requirements and assessment procedures.

When does the CRA become mandatory?

Most CRA requirements become mandatory by December 2027, with certain obligations such as incident and vulnerability reporting being enforced from September 2026.

What are the main requirements of the CRA?

Key requirements include secure-by-design development, vulnerability management, timely security updates, incident reporting, and maintaining a Security Bill of Materials (SBOM).

What happens if my company does not comply with the CRA?

Non-compliance can result in fines up to €15 million or 2.5% of global annual turnover, as well as potential product recalls and market restrictions.

How do I know which CRA category my product falls into?

An assessment is needed to determine if your product is Default, Important Class I, Important Class II, or Critical. Truesec offers expert guidance and readiness assessments to help you classify your products.

Does the CRA apply to open-source software?

Open-source software developed or supplied outside of commercial activity is generally exempt from the CRA, but commercial distributions must comply.

How can Truesec help with CRA compliance?

Truesec provides Product Regulation Readiness Assessments, secure development maturity assessments, cybersecurity advisory and strategy support, as well as ongoing product security support to help organizations achieve and maintain CRA compliance.

How does the CRA relate to the Radio Equipment Directive (RED) and IEC 62443?

The CRA complements the Radio Equipment Directive by expanding cybersecurity requirements to a broader range of products and will most likely align with industry standards like IEC 62443 for secure development.

What is a Security Bill of Materials (SBOM) and why is it required under the CRA?

An SBOM is a detailed inventory of all software components in a product. The CRA requires manufacturers to maintain an SBOM and share it under some circumstances to enhance transparency and manage vulnerabilities.

What are the steps to prepare for CRA compliance?

Key steps include assessing applicability, classifying your products, performing a gap analysis, remediating security weaknesses, and documenting compliance processes.

Where can I find the official list of CRA product categories?

The European Commission publishes and updates the official list of product categories in the CRA regulation annexes, available on the EUR-Lex website.

How long will it take to become CRA compliant?

Compliance timelines vary based on your current security maturity and product complexity. Early assessment and roadmap planning are essential for timely compliance. Especially for physical products with long development cycles, it is important not to wait too long before assessing compliance.