Plain-English explanations of every CRA obligation relevant to manufacturers of products with digital elements. Effective September 2026.
Article 13 requires manufacturers of products with digital elements to establish and maintain a coordinated vulnerability disclosure (CVD) policy. This is one of the most operationally significant obligations in the CRA, affecting how you accept, process, and communicate about vulnerability reports from external security researchers.
Article 14 introduces the most time-sensitive obligations in the Cyber Resilience Act. When a manufacturer becomes aware that a vulnerability in their product is being actively exploited, or when a severe security incident occurs, they must notify ENISA within strict deadlines — 24 hours for an early warning, 72 hours for a full notification, and 14 days for a final report.
Article 11 complements Article 14 by specifying reporting obligations to market surveillance authorities (MSAs) in addition to ENISA. It also addresses how reports are shared between national authorities and what information manufacturers must provide to users affected by security incidents.
Article 10 is the central obligation article for manufacturers. It requires that products with digital elements be designed, developed, and produced in accordance with the essential requirements in Annex I, and establishes the documentation, testing, and ongoing security management obligations manufacturers must fulfil.
Article 3 defines the CRA's scope. Understanding whether your product falls within scope is the essential first step in CRA compliance planning. The regulation applies broadly to hardware and software products with network connectivity sold in the EU, with a defined set of exclusions for products already covered by other sector-specific regulations.
Article 6 applies to importers — companies that bring products from non-EU manufacturers into the EU market. If you sell products manufactured outside the EU under your own brand or distribution model, Article 6 makes you responsible for verifying CRA compliance and potentially stepping into the manufacturer's obligations if the original manufacturer is unreachable.
Article 20 requires manufacturers to draw up an EU Declaration of Conformity (DoC) for each product before placing it on the EU market. The DoC formally declares that the product meets all applicable CRA requirements (Annex I) and relevant harmonised standards. It is the legal cornerstone of CE marking.
Annex I of the EU Cyber Resilience Act defines the essential cybersecurity requirements that all in-scope products must satisfy before CE marking and EU market access. It covers two sets of requirements: Part I covers product security properties (design and development), and Part II covers vulnerability handling processes (post-market obligations).
Annex III of the EU Cyber Resilience Act classifies products as 'Important' — meaning they pose a higher cybersecurity risk and therefore require third-party conformity assessment before CE marking. Products are split into Class I (lower-risk important) and Class II (higher-risk important). If your product appears in Annex III, self-assessment alone is not sufficient.
Annex IV of the EU Cyber Resilience Act identifies Critical Products — those whose compromise would have the most severe societal or infrastructure impact. Products in Annex IV require the most rigorous conformity assessment, including mandatory EU type-examination by an accredited notified body. These products cannot self-certify under any circumstance.
CVD Portal provides a complete vulnerability disclosure programme — free for EU manufacturers subject to the Cyber Resilience Act.
Set up your free portal