You Ask, We Answer

Have more questions? We’re here to help – explore our FAQs or reach out to us directly!

The CRACoWi FAQ section is here to provide clear and straightforward answers to your most pressing questions about the Cyber Resilience Act (CRA), legislation, the project and how the CRACoWi Wizard can support your journey towards compliance. Whether you’re an SME, manufacturer, or cybersecurity professional, our FAQs are designed to simplify complex topics and help you navigate the requirements of the CRA with confidence.

General CRA questions

Why Is the Cyber Resilience Act Important?

In our modern world, almost everything is connected – our homes, our cars, even our watches. But that also means there are more opportunities for cybercriminals to exploit vulnerabilities in these devices. The CRA is the EU’s response to making sure these products are safe and resilient against threats. It’s the first of its kind to create a consistent set of rules for cybersecurity that manufacturers must follow across the entire European Union. No more patchy laws or confusing rules – just one set of standards to protect everyone.

The CRA aims to create trust in digital technology. It’s about making sure that the products we use every day – like baby monitors, wearables, or even connected toys – aren’t silently opening doors for cybercriminals. With clearer rules and stronger accountability for manufacturers, consumers will have more confidence in the digital world.

When Does the CRA Come into Effect?

Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA entered into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.

  • Reporting Obligations Start on September 11, 2026: This means that manufacturers will need to start reporting cybersecurity issues, making the process more transparent for everyone involved.
  • Full Implementation by December 11, 2027: By this time, all products on the market will need to comply with the CRA’s standards. This will give manufacturers time to adjust and align with the new regulations.

Who is Responsible Under the CRA?

Under the Cyber Resilience Act (CRA), several stakeholders are responsible for ensuring compliance with cybersecurity requirements:

1. Manufacturers

  • They are primarily responsible for ensuring that products with digital elements comply with the CRA’s requirements before being placed on the EU market.

  • This includes implementing cybersecurity measures throughout the product’s lifecycle, from design to end-of-life.

  • Manufacturers must maintain vulnerability management processes, provide security updates, and ensure that products meet conformity assessments where applicable.

2. Importers

  • When placing products from outside the EU onto the market, importers must verify that those products comply with the CRA.

  • They are responsible for ensuring that manufacturers have conducted proper conformity assessments and that required documentation is available.

3. Distributors

  • Distributors must ensure that the products they supply are compliant with the CRA.

  • They must verify that products bear the CE marking and are accompanied by required documentation.

4. Service Providers (e.g., SaaS providers)

Those providing digital services related to products with digital elements are also responsible for ensuring that their services meet the CRA’s cybersecurity requirements.

5. Suppliers within the Digital Supply Chain

Each actor in the supply chain, including suppliers of components or software integrated into final products, must ensure their parts meet CRA requirements.

The CRA mandates that all these stakeholders collaborate to ensure products with digital elements meet stringent cybersecurity standards before they reach the market. Failure to comply can result in fines, legal liability, and market restrictions.

Customers

While not directly responsible under the CRA, customers can verify compliance through the CE marking on products, which indicates conformity with CRA requirements.

What Are the Penalties for Non-Compliance with the CRA?

The Cyber Resilience Act (CRA), formally known as Regulation (EU) 2024/2847, outlines strict enforcement mechanisms to ensure that manufacturers and other economic operators adhere to the new cybersecurity obligations for products with digital elements.

Under Article 53 of the CRA, the penalties are significant and designed to incentivize compliance across the entire supply chain.

Key Penalties for Non-Compliance

Failure to comply with essential cybersecurity requirements (Article 10):

  • Penalty: Up to €15 million, or

  • 2.5% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
    This applies to serious breaches, such as failure to implement security-by-design, patch management, or to address known vulnerabilities.

Providing incorrect, incomplete, or misleading information to authorities (e.g., false declarations):

  • Penalty: Up to €10 million, or

  • 2% of global annual turnover, whichever is higher.

Other infringements of obligations under the CRA:

  • Penalty: Up to €5 million, or

  • 1% of global annual turnover, whichever is higher.

Additional Sanctions

Competent authorities have the power to order the withdrawal or recall of non-compliant products from the EU market. They may also suspend or prohibit the sale of products until full compliance with the CRA requirements is achieved.

Who Can Be Penalized?

Any manufacturer, importer, or distributor of digital products that fails to meet the CRA’s cybersecurity obligations can face penalties. This includes companies offering software, hardware, IoT devices, or SaaS solutions on the EU market that do not comply with the regulation’s requirements.

The CRA establishes that cybersecurity is not optional – it’s a core regulatory requirement. The penalties are designed to ensure that all digital products placed on the EU market are developed, maintained, and monitored with security as a priority throughout their lifecycle.

What is affected by the CRA?

The Cyber Resilience Act (CRA) aims to enhance cybersecurity standards for all products with digital elements sold within the EU. Here is how its scope applies to the cases we are most often asked about:

  • Buildings: No, the CRA does not apply to buildings themselves.
  • Individual Machines: Yes, individual machines are covered under the CRA if they contain digital elements.
  • Entire Systems Operated by a General Contractor: Yes, entire systems managed by a general contractor fall within the scope of the CRA.
  • Only Individual Components: No, the CRA addresses more than just individual components; it applies to the broader systems and their security architecture.
  • Software, Hardware, IoT, and SaaS Applications: Yes, all of these are subject to the CRA’s requirements, including building management systems. However, the regulation does not apply to the physical building itself.
  • Connected Devices and Systems: Products with digital elements, including those with remote data processing capabilities and interconnected devices, are covered by the CRA. This includes consumer devices like smart home systems, wearable technology, and industrial systems used in critical infrastructure.
  • Supply Chain Components: The CRA applies to manufacturers, importers, distributors, and suppliers within the digital product supply chain, ensuring consistent cybersecurity standards across all levels.

The CRA applies broadly to hardware, software, and digital services, aiming to mitigate vulnerabilities throughout the product lifecycle – from design to end-of-life. It enforces horizontal cybersecurity requirements, making it essential for all actors in the supply chain to comply.

What does the CRA mean for digital products in the EU?

Whether you’re a business selling smart devices or a consumer purchasing them, here are a few things to know about the CRA.

The CRA sets essential rules to enhance cybersecurity for everyone

From now on, if a company wants to sell a product with a digital component in the EU, it needs to meet specific cybersecurity requirements. These rules apply to both hardware (like smart speakers) and software (like mobile apps).

Lifelong Security Commitment

Manufacturers need to think about cybersecurity at every stage – from the initial design to the product’s end of life. Plus, they have to tell users how long they will provide security updates for a product. This means that when you buy a device, you’ll know exactly how long it will be kept secure.

Unified EU Rules

Before the CRA, different EU countries had different rules, which made it confusing for manufacturers and left users at risk. The CRA harmonizes these laws, creating a safer, more predictable environment for everyone – from consumers to tech companies.

Does the CRA apply to open-source software?

The Cyber Resilience Act does recognize the importance of free and open-source software (FOSS) in fostering innovation, collaboration, and digital sovereignty across the EU. Therefore, it excludes non-commercial open-source software from most of its obligations.

When Is Open-Source Software Exempt?

If open-source software is made freely available without any commercial intent—for example, it is developed and shared by individuals, academic institutions, or non-profit organizations without monetization or commercial support services—it does not fall under the scope of the CRA. This includes projects shared on platforms like GitHub purely for educational, experimental, or community-driven purposes.

When May CRA Obligations Apply?

However, the CRA does apply if open-source software is:

  • Distributed or integrated as part of a commercial product or service.

  • Provided in the course of a commercial activity, such as charging for support, updates, additional features, or packaging the software in a device that is sold.

  • Used as part of a Software-as-a-Service (SaaS) or cloud solution where it’s essential to the functioning of the product offered commercially.

In these cases, the economic operator (e.g. manufacturer, developer, or service provider) who places the product on the EU market is responsible for compliance, even if the software itself was originally open-source.

Bear in mind also that the applicability of the Cyber Resilience Act depends on the commercial context, not on whether the software is open-source. Entities integrating open-source software into commercial digital products are responsible for ensuring that those components meet CRA requirements, including vulnerability management, regular security updates, and proper documentation. As a result, there is an increasing need for a Software Bill of Materials (SBOM) to track open-source components and their vulnerabilities—especially in the context of supply chain security.
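As an added illustration of the SBOM-based tracking described above (example code written for this FAQ, not code from the CRACoWi project or its Wizard), the Go program below parses a constructed CycloneDX-style SBOM fragment and flags every component whose version is older than the fix version in a constructed advisory list. The component names, versions and advisory identifiers are placeholders; a real check would match on package URLs against a vulnerability database rather than an inline list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// sbomJSON is a constructed CycloneDX-style SBOM fragment (not from any real
// product). Fields the check does not use, such as purl, are simply ignored.
const sbomJSON = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"name": "libbar", "version": "2.0.0", "purl": "pkg:generic/libbar@2.0.0"},
    {"name": "libbaz", "version": "0.9.1", "purl": "pkg:generic/libbaz@0.9.1"}
  ]
}`

// SBOM and Component model only the subset of CycloneDX this check needs.
type SBOM struct {
	Components []Component `json:"components"`
}

type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// Advisory is a hypothetical advisory record: the affected component and the
// first version that carries the fix. The IDs are placeholders, not real CVEs.
type Advisory struct {
	ID        string
	Component string
	FixedIn   string
}

var advisories = []Advisory{
	{ID: "ADV-EXAMPLE-0001", Component: "libfoo", FixedIn: "1.2.4"},
	{ID: "ADV-EXAMPLE-0002", Component: "libbar", FixedIn: "1.9.0"},
}

// compareVersions orders dotted numeric versions: -1 if a < b, 0 if equal,
// 1 if a > b. Missing trailing segments count as zero ("1.2" == "1.2.0").
// Pre-release tags such as "-rc1" are not handled; a real tool needs a
// proper semver or distro-specific comparison.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// ParseSBOM decodes the JSON document into the fields used here.
func ParseSBOM(doc string) (SBOM, error) {
	var s SBOM
	err := json.Unmarshal([]byte(doc), &s)
	return s, err
}

// FindAffected returns one finding per SBOM component whose version is older
// than the fixed version named in an advisory for that component.
func FindAffected(sbom SBOM, advs []Advisory) []string {
	var findings []string
	for _, c := range sbom.Components {
		for _, a := range advs {
			if c.Name == a.Component && compareVersions(c.Version, a.FixedIn) < 0 {
				findings = append(findings, fmt.Sprintf("%s: %s %s is affected, fixed in %s",
					a.ID, c.Name, c.Version, a.FixedIn))
			}
		}
	}
	return findings
}

func main() {
	sbom, err := ParseSBOM(sbomJSON)
	if err != nil {
		panic(err)
	}
	for _, f := range FindAffected(sbom, advisories) {
		fmt.Println(f)
	}
}
```

Run as `go run main.go`; only libfoo is reported, because libbar already carries a version newer than its fix. Keeping the SBOM machine-readable is what makes this re-check cheap to repeat every time a new advisory is published, which is the ongoing obligation the paragraph describes.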

While the CRA supports the continued development of non-commercial open-source tools, it ensures that when FOSS becomes part of a product sold or distributed within the EU, it must meet the same security expectations as proprietary code. This prevents insecure software components from becoming weak links in the digital ecosystem.

What steps should companies take to comply with the CRA?

To comply with the Cyber Resilience Act (CRA), companies must take a structured and proactive approach to cybersecurity across the entire product lifecycle.

The first step is to identify all products with digital elements that fall under the scope of the regulation. Once identified, companies should conduct a risk-based assessment to evaluate potential vulnerabilities and determine the level of criticality (e.g. whether the product is considered “important” or “critical” under the CRA).

From there, manufacturers need to implement cybersecurity-by-design and by-default principles – this includes integrating security measures during the development phase, ensuring secure configurations, and preparing for future updates and incident handling. Companies must establish a vulnerability management process, ensuring they can detect, report, and address vulnerabilities in a timely and transparent manner.

Another core requirement is the conformity assessment. Depending on the product’s classification, this can range from internal controls to third-party involvement. After compliance is verified, products must be affixed with the CE marking, confirming that they meet CRA requirements.

Documentation is equally critical. Companies are required to prepare and maintain technical documentation, a declaration of conformity, and other supporting materials. These must be available to competent authorities upon request and kept up to date throughout the product’s lifecycle.

Finally, companies must establish clear reporting mechanisms. This includes notifying ENISA within 24 hours of becoming aware of any actively exploited vulnerabilities or incidents related to their products.

In short, compliance with the CRA is not a one-time checklist – it’s an ongoing commitment to product security, transparency, and accountability throughout the digital value chain.

If a product is developed in one country but sold in others, where should it be assessed and certified under the CRA?

Under the Cyber Resilience Act (CRA), the assessment and certification process is not bound to the country of development but rather to the fact that the product is being placed on the EU market. This means that regardless of where the product is developed, it must comply with CRA requirements before being made available for sale or distribution within any EU Member State.

The conformity assessment must be carried out in line with the CRA’s procedures, which may involve internal checks or third-party evaluations depending on the product classification (e.g. Class I, II, or Critical). Certification can be carried out by Notified Bodies designated by EU Member States and recognized across the EU. Once the product meets the requirements, the manufacturer can affix the CE marking, which signifies compliance and enables free circulation throughout the EU.

In short, the product must be assessed and certified according to EU rules, and the process should ensure that it complies with CRA standards before entering any EU market, no matter where it was originally developed.

Have the transition periods for the Cyber Resilience Act been defined?

Yes, the transition periods for the Cyber Resilience Act (CRA) have been clearly defined. Following its official publication in the Official Journal of the European Union on November 20, 2024, the CRA entered into force on December 10, 2024 (20 days after publication).

The regulation outlines two key transition milestones:

  • September 11, 2026 – This is the date when reporting obligations begin. From this point, manufacturers must report any actively exploited vulnerabilities or incidents related to their digital products to ENISA within 24 hours.
  • December 11, 2027 – This marks the date of full application. From then on, all products with digital elements placed on the EU market must fully comply with the CRA’s cybersecurity requirements, including conformity assessments, documentation, and CE marking.

These transition periods are designed to give manufacturers, importers, and distributors sufficient time to prepare for compliance. However, given the technical and organizational changes required, companies are strongly advised to begin their compliance planning and implementation as early as possible.

General NIS2 questions

What is NIS2?

NIS2 (Network and Information Security Directive 2) is the EU’s updated cybersecurity legislation that strengthens and expands the scope of the original NIS Directive. It sets stricter cybersecurity risk management and incident reporting requirements for essential (e.g., energy, transport, healthcare) and important (e.g., digital services, manufacturing) entities. NIS2 enhances supply chain security, imposes stricter enforcement measures, and increases cooperation among EU member states to improve overall cybersecurity resilience.

How does the CRA align with or differ from existing NIS2 requirements?

The Cyber Resilience Act (CRA) sets cybersecurity requirements for products with digital elements, ensuring manufacturers integrate security throughout the product lifecycle, enforce vulnerability handling, and comply with conformity assessments. In contrast, the NIS2 Directive focuses on cybersecurity risk management for essential and important entities, requiring organizational security measures, incident reporting, and supply chain risk management. While both emphasize vulnerability handling and risk assessments, the key difference is that the CRA regulates products, whereas NIS2 regulates organizations and services.

You Asked

How do I ensure that software is designed and developed securely from the beginning?

The best way to ensure software is designed and developed securely is to build security into the process from the start and track it throughout development. This means defining security requirements early, using secure coding practices, and integrating automated security testing in every stage. Implementing threat modeling, code reviews, and dependency management helps catch issues before they become problems. By embedding security into CI/CD pipelines and continuously monitoring for risks, teams can create secure software efficiently, without costly fixes later.

How do I ensure that identified vulnerabilities are communicated to the manufacturer and that the fix is safely integrated into the product?

If a vulnerability is found in a component of a product, the key is to assess its impact, coordinate a fix, and integrate it safely. First, determine how the vulnerability affects the overall product and whether it introduces security risks. Next, work with the component’s manufacturer or maintainer to obtain a fix or update. Before integrating it, test for compatibility, stability, and security to ensure it doesn’t cause new issues. Finally, deploy the fix securely with digital signatures and clear update instructions, ensuring that it reaches products safely and reliably.
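The last step above, deploying the fix with a digital signature so that it reaches products intact, is shown below as an added Go example (not code from the original page or from the CRACoWi project). The component's maintainer signs a small manifest (component, version, a monotonic sequence number and the payload digest) with an Ed25519 key; the integrator verifies the signature against a pinned public key before parsing anything, binds the payload to the manifest by its digest, and refuses any update whose sequence number is not newer than what is already installed. The fixed key seed, the component name and the payload bytes are constructed fixtures.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata a component maintainer ships with a fix.
// Sequence is a monotonic counter used to refuse replayed or downgraded updates.
type Manifest struct {
	Component string `json:"component"`
	Version   string `json:"version"`
	Sequence  uint64 `json:"sequence"`
	SHA256    string `json:"sha256"` // hex digest of Payload
}

// SignedUpdate is the artefact handed to the product integrator.
type SignedUpdate struct {
	ManifestJSON []byte // signed bytes; parsed only after the signature checks out
	Signature    []byte // Ed25519 signature over ManifestJSON
	Payload      []byte // the fixed component (firmware blob, library, ...)
}

// Sign is the maintainer side; included so the example runs end to end.
func Sign(priv ed25519.PrivateKey, m Manifest, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m.SHA256 = hex.EncodeToString(sum[:])
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// Verify is the integrator side. Order matters: check the signature before
// parsing, then bind the payload to the manifest, then check for rollback.
// installed maps component name to the sequence number currently deployed.
func Verify(pub ed25519.PublicKey, u SignedUpdate, installed map[string]uint64) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return m, errors.New("manifest signature does not verify against the pinned maintainer key")
	}
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return m, fmt.Errorf("malformed manifest: %w", err)
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("payload digest does not match the signed manifest")
	}
	cur, ok := installed[m.Component]
	if !ok {
		return m, fmt.Errorf("component %q is not in the product inventory", m.Component)
	}
	if m.Sequence <= cur {
		return m, fmt.Errorf("refusing update: sequence %d is not newer than installed %d", m.Sequence, cur)
	}
	return m, nil
}

// Constructed fixtures: a fixed seed stands in for the maintainer's real key so
// the example is deterministic. Never derive a production key this way.
var (
	maintainerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	maintainerPub  = maintainerPriv.Public().(ed25519.PublicKey)
	inventory      = map[string]uint64{"libfoo": 7} // libfoo currently at sequence 7
	fixPayload     = []byte("constructed stand-in for the patched libfoo 1.2.4 binary")
)

// BuildFix produces the signed update the integrator would receive.
func BuildFix() (SignedUpdate, error) {
	return Sign(maintainerPriv, Manifest{Component: "libfoo", Version: "1.2.4", Sequence: 8}, fixPayload)
}

func main() {
	u, err := BuildFix()
	if err != nil {
		panic(err)
	}
	if m, err := Verify(maintainerPub, u, inventory); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Printf("accepted %s %s (sequence %d)\n", m.Component, m.Version, m.Sequence)
	}
	// A single flipped payload byte is caught by the digest check.
	tampered := u
	tampered.Payload = append([]byte{}, u.Payload...)
	tampered.Payload[0] ^= 0xff
	_, err = Verify(maintainerPub, tampered, inventory)
	fmt.Println("tampered payload:", err)
}
```

The public key is pinned on the integrator side rather than shipped with the update, which is what makes the signature meaningful; the sequence number, not the version string, decides whether an update is accepted, so a genuinely signed but older package cannot be replayed onto a device after the fix.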

Who or what is responsible, when, how, why, for what, and for how long?

Under the Cyber Resilience Act (CRA), manufacturers are primarily responsible for ensuring the cybersecurity of their products before and after they enter the market. They must implement secure by design principles, conduct risk assessments, maintain an SBOM, and provide security updates throughout the product’s lifecycle. Importers and distributors also have responsibilities, ensuring products meet CRA requirements before distribution. If vulnerabilities arise, manufacturers must address them promptly and report significant security incidents within 24 hours. Products must remain secure for their declared support period, with a minimum requirement of five years for critical updates, ensuring long-term security and compliance.

You can also check our additional answer under General CRA questions: Who is responsible under the CRA?

A PLC itself must comply with the CRA, that's logical. But when I put my own application in the PLC (as usual with PLCs), and then sell the machine, must I then also comply with the CRA? Do I need to give 5 years of support? Is an SBOM required? Or an SDL for PLC programmers? And what about the VPN boxes machine builders usually put in?

Yes, if you sell a machine that includes a PLC with your own application, you likely have responsibilities under the Cyber Resilience Act (CRA), but the extent of compliance depends on your role in the supply chain.

If the PLC is an off-the-shelf product, the manufacturer of the PLC is responsible for CRA compliance, including security updates and SBOM requirements. However, if your custom application introduces security-relevant functionality, you may bear responsibility for ensuring it does not weaken the PLC’s security and for properly integrating security updates.

If your application significantly changes the PLC’s intended function, you may be considered a manufacturer under the CRA, meaning you would be responsible for risk assessment, secure development practices (SDL), vulnerability management, and updates for at least five years.

For VPN boxes used in machines, compliance depends on whether they are off-the-shelf products (where the original vendor is responsible) or custom-integrated solutions. If you configure, modify, or maintain them, you may have obligations to ensure secure implementation, monitoring, and updates.

In summary, if you modify, customize, or integrate software in a security-relevant way, you likely have CRA obligations – including secure development practices, vulnerability tracking, and an SBOM – to ensure compliance and long-term security support.

What does it mean to be secure by default?

Being secure by default means that a product is designed and configured with the highest level of security enabled out of the box, requiring no additional action from the user to ensure its protection. This includes strong default settings, such as least privilege access, disabled unnecessary features, secure authentication mechanisms, and automatic updates. Secure defaults minimize attack surfaces and reduce the risk of misconfigurations that could lead to vulnerabilities. The goal is to ensure that security is built-in from the start, rather than relying on users to manually configure protections.

If a product is software-only, is it required to display the CE marking somewhere within the user interface? In hardware, the CE mark is typically placed directly on the device. But how does this requirement apply to software-only products, such as an ERP system? Should the CE mark appear within the software interface or in associated documentation?

What are the penalties for non-compliance with the CRA?

Non-compliance with the Cyber Resilience Act (CRA) can result in significant penalties, with fines varying based on the severity of the violation.

Failure to meet essential cybersecurity requirements or obligations under Articles 13 and 14 can lead to fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Other regulatory breaches (e.g., non-compliance with obligations in Articles 18–23, 28, and 30–53) can result in fines up to €10 million or 2% of turnover. Providing incorrect, incomplete, or misleading information to authorities can lead to penalties of up to €5 million or 1% of turnover.

The exact fines depend on factors such as the severity and duration of the infringement, prior violations, and the size of the company. Small enterprises and open-source software stewards may receive exemptions in specific cases. Each EU Member State will define its own enforcement mechanisms, ensuring penalties are effective, proportionate, and dissuasive.

You can also check our answer in the section General CRA questions: What are the penalties for non-compliance with the CRA?

Does the CRA apply to non-European manufacturers selling in the EU?

The Cyber Resilience Act (CRA) applies to non-European manufacturers if they sell or offer products with digital elements in the EU market. Any company, regardless of where it is based, must comply with CRA requirements if its products are sold, distributed, or made available to EU customers.

Non-EU manufacturers must either appoint an authorized representative within the EU to ensure compliance or work with importers and distributors who verify that the product meets CRA security standards. This includes implementing secure by design principles, vulnerability management, SBOM documentation, and long-term security support to avoid fines or market restrictions within the EU.

What is a “substantial modification,” and when does it trigger CRA requirements for legacy products?

A substantial modification under the Cyber Resilience Act (CRA) is any change made to a product after it has been placed on the market that either affects its compliance with essential cybersecurity requirements (Annex I) or modifies its intended purpose. If a legacy product undergoes such a modification, it may be considered a new product under the CRA and require a new conformity assessment to ensure compliance. This could include major software updates, new features, or security changes that alter the product’s risk profile. However, routine bug fixes, patches, and minor updates typically do not count as substantial modifications unless they significantly impact security or functionality.

What are the requirements for CRA compliance in terms of documentation and record-keeping?

Under the Cyber Resilience Act (CRA), manufacturers must maintain comprehensive documentation and records to demonstrate compliance. The key requirements include:

  • Technical Documentation: Must detail the product’s design, cybersecurity measures, risk assessments, and conformity with Annex I security requirements.
  • Software Bill of Materials (SBOM): A list of all software components, including third-party and open-source elements, to track vulnerabilities.
  • Conformity Assessment Records: Documentation proving that the product meets CRA cybersecurity requirements, including test reports and audit findings.
  • Security Support & Incident Handling: Records of vulnerability management processes, security updates, and incident reporting.
  • Retention Period: Documentation must be kept for 10 years after the product is placed on the market.

How often must vulnerability assessments and updates be conducted under the CRA?

Under the Cyber Resilience Act (CRA), manufacturers are required to continuously monitor for vulnerabilities and provide timely security updates for at least five years. However, enforcement is largely reactive rather than proactive, meaning once a product is certified, authorities are unlikely to monitor it unless a security incident, consumer complaint, or public vulnerability disclosure triggers an investigation. Market surveillance authorities (MSAs) can conduct audits, and manufacturers must report actively exploited vulnerabilities within 24 hours. If a company fails to patch known vulnerabilities, it may face fines, liability, or market restrictions, but enforcement will mainly rely on external pressure from researchers, competitors, or regulators responding to incidents rather than routine checks.

Are there any additional CRA requirements for products that incorporate artificial intelligence (AI)?

The Cyber Resilience Act (CRA) does not introduce AI-specific requirements, but if a product includes AI components, it must still comply with the CRA’s cybersecurity and vulnerability management obligations. However, if the AI system falls under the EU AI Act, additional requirements may apply, depending on the AI’s risk classification (e.g., high-risk AI systems require stricter security measures). Manufacturers must ensure that AI components are included in the SBOM, monitored for vulnerabilities, and integrated securely without introducing cybersecurity risks. If AI functionality affects security-critical decisions (e.g., authentication, intrusion detection), additional risk assessments and safeguards may be required under both the CRA and AI Act.

What is the difference between Module A and third-party conformity assessments under the CRA?

Module A allows manufacturers to self-assess compliance for low-risk products using harmonized standards, requiring only technical documentation and CE marking. In contrast, third-party conformity assessment is mandatory for important and critical products, involving a notified body under Modules B, C, or H to ensure stricter cybersecurity validation.

If my product is not listed under Important Class I, Class II, or Critical categories, does that mean the CRA does not apply to it?

No, the CRA applies to ALL products with digital elements.

What legal entity needs to inform and report vulnerability issues and security incidents?

For companies with global presence, the CSIRT will need to be designated based on the location of the main legal entity where the principal business and main operations are in the EU.

Does the CRA apply to products with digital elements that are already placed on the EU markets?

The CRA applies to products placed on the EU market after its enforcement date (11th of December 2027). However, products already installed on sites are generally not retroactively subject to the CRA, unless they undergo a substantial modification that impacts their cybersecurity or intended purpose, or if they are sold again after the enforcement date.

How is the designation and responsibility assigned to the “main establishment” of a company?

The main establishment should be in the Member State where the decisions related to cybersecurity of the products are predominantly taken or where the highest number of employees in the EU are located.

What is the proper approach to conducting cybersecurity assessments for networked devices? Is a one-time snapshot evaluation sufficient?

Cybersecurity assessments for networked devices must go beyond a one-time or static evaluation. Under the Cyber Resilience Act (CRA), cybersecurity must be considered as an ongoing responsibility throughout the entire lifecycle of a product with digital elements.

A single snapshot – such as analyzing a device at a specific point in time – can provide useful information, but it is not sufficient for full CRA compliance. This is because networked devices are dynamic by nature: they regularly interact with other systems, receive updates, and operate in changing threat environments.

A proper assessment should therefore include:

  • Lifecycle-based evaluation: covering design, development, deployment, operation, and end-of-life phases.
  • Vulnerability management processes: including mechanisms to detect, disclose, and respond to new vulnerabilities over time.
  • Update and patching strategies: ensuring that the product remains secure even after it has entered the market.
  • Real-world use cases: simulating how the device functions in actual network environments to assess exposure to cyber threats.

The CRA also emphasizes continuous monitoring, especially for important and critical product categories, and requires that any actively exploited vulnerability be reported to authorities such as ENISA within 24 hours.

In summary, cybersecurity assessments must be comprehensive, continuous, and contextual – evaluating not only the current state of a product but also how it behaves over time in a networked environment. A one-time check may be a starting point, but it does not fulfill the CRA’s expectations for long-term product resilience.

Can a manufacturer claim that the CRA doesn’t apply to them because their device only processes analog signals before converting them digitally? How is "digital" defined in the context of the CRA?

No, a manufacturer cannot argue that the Cyber Resilience Act (CRA) does not apply to them simply because their product initially processes analog signals that are later digitized. The CRA applies to products with digital elements, which includes any hardware or software that can process or transmit data digitally—regardless of whether the initial signal input is analog.

In the context of the CRA, “products with digital elements” are defined as products that have either software or hardware components with data processing capabilities, particularly when they are connected directly or indirectly to a network or other devices. This includes devices that communicate via Ethernet, WLAN, Bluetooth, Zigbee, or other transmission technologies. The regulation does not make a distinction based on how signals are received (analog vs. digital), but rather on the product’s ability to process, store, or transmit data digitally during its operation.

So, if a product ultimately converts signals into digital form and participates in digital communication, control, or data processing, it falls within the CRA’s scope. This includes most modern connected devices and smart systems, even those with analog interfaces at the hardware level.

The CRA focuses on the functional role of the digital components, not the technical pathway by which data becomes digital. Therefore, such an argument would not hold up under the CRA’s legal definition and intent.
