A new era of digital security for products sold in the European Union
The CRA is the EU's answer to a growing global problem. It establishes mandatory cybersecurity requirements for all hardware and software products with digital elements.
The Cyber Resilience Act (CRA) is a landmark EU regulation establishing mandatory, horizontal cybersecurity requirements for all hardware and software products with digital elements. Its goal is to protect consumers and businesses by ensuring products are secure by design and throughout their entire lifecycle.
Global Impact
Estimated global annual cost of cybercrime by 2021, a key driver for the new regulation.
The CRA applies to all 'economic operators' placing products on the EU market. While manufacturers bear the primary burden, importers and distributors have crucial verification roles.
Manufacturers design, develop, and produce compliant products, and must handle risk assessment, vulnerability management, and reporting.
Importers verify manufacturer compliance (e.g., CE marking, documentation) before placing products on the market.
Distributors ensure products have the required markings and information before making them available to end-users.
Most products fall under a default category where manufacturers self-assess their security compliance. More critical products require stricter, independent verification.
Default Products
Important & Critical Products
The CRA shifts the security paradigm from reactive fixes to proactive, lifecycle-long responsibility. These are the foundational requirements.
Products must be developed with security as a core component from the outset and ship with secure configurations enabled by default.
Manufacturers must have processes to handle vulnerabilities effectively for the product's expected lifecycle (min. 5 years), providing free and timely security updates.
Any actively exploited vulnerability or severe security incident must be reported to the appropriate EU authorities (such as ENISA) within 24 hours of the manufacturer becoming aware of it.
Clear documentation, including a Software Bill of Materials (SBOM) and user instructions on secure usage, must be provided.
Products must undergo a conformity assessment and bear the CE mark to demonstrate they meet CRA standards before being sold in the EU.
Products must include mechanisms to prevent unauthorized access, ensuring the confidentiality and integrity of data.
The Cyber Resilience Act officially enters into force, starting the clock for implementation.
The 24-hour vulnerability and incident reporting obligations for manufacturers begin.
Full enforcement begins. All new products placed on the EU market must comply with all CRA requirements.
The regulation comes with significant financial penalties to ensure adherence and deter corner-cutting on security.
Of total worldwide annual turnover
Penalties are enforced at the national level
EU member states have the authority to impose these fines for non-compliance with the Cyber Resilience Act requirements.