CRA Guide

EU Cyber Resilience Act — Article by Article

Plain-English explanations of every CRA obligation relevant to manufacturers of products with digital elements. The Regulation applies in stages: manufacturers' reporting obligations apply from 11 September 2026, and the remaining obligations from 11 December 2027.

CVD & Incident Reporting

Product & Manufacturer Obligations

Annexes — Product Classification

Other Articles

Annex II

Information and Instructions to Users Required Under the CRA

Annex II defines the minimum information and instructions that manufacturers must provide to users of products with digital elements. This user-facing information package is a legally required element of CRA compliance - it enables users to assess the security properties of a product before purchase and to take appropriate action throughout the product's lifetime. Failure to provide the required information is a CRA violation subject to penalties under Article 32.

Read →
Annex IX

Simplified EU Declaration of Conformity for Space-Constrained Products

Annex IX provides a simplified format for the EU Declaration of Conformity intended for products where space, form factor, or product type makes it impractical to include the full Annex V declaration in the packaging or product documentation. The simplified declaration contains a short statement and a URL pointing to the full online declaration. It is most commonly used for miniaturised hardware products, embedded components, and digital products distributed without physical packaging.

Read →
Annex VII

Technical Documentation Requirements Under the CRA

Annex VII specifies the content of the technical documentation that manufacturers must prepare and maintain to support CRA compliance. The technical file is the complete evidence base demonstrating that a product meets the essential requirements - it includes product design documentation, the cybersecurity risk assessment, the software bill of materials, test results, and references to the CVD policy and vulnerability handling processes. This documentation must be made available to market surveillance authorities on request and must be kept for at least 10 years after the product is placed on the market or for the support period, whichever is longer.

Read →
Annex VIII

List of Harmonised Standards and Technical Specifications

Annex VIII is the reference list of harmonised European standards and technical specifications published in the EU Official Journal that create a presumption of conformity with CRA essential requirements. Manufacturers who apply listed standards benefit from the presumption of conformity under Article 8 - meaning authorities cannot challenge compliance for requirements covered by those standards without evidence of non-compliance. The list evolves as new harmonised standards are developed and designated.

Read →
Article 1

Subject Matter and Purpose of the Cyber Resilience Act

Article 1 establishes the overarching purpose of the EU Cyber Resilience Act: to ensure that products with digital elements placed on the EU market meet baseline cybersecurity requirements throughout their lifecycle. It sets the foundation for all subsequent obligations by defining what the regulation aims to achieve and why. Manufacturers, importers, and distributors operating in the EU single market must understand Article 1 as the lens through which all other provisions are interpreted.

Read →
Article 12

Notification of Conformity Assessment Bodies to the European Commission

Article 12 establishes the process by which member states notify the European Commission of the conformity assessment bodies authorised to perform third-party CRA assessments. Notified bodies conduct the third-party conformity assessments required for Class II products listed in Annex III, and for Class I products whose manufacturers do not fully apply harmonised standards, common specifications or a European cybersecurity certification scheme covering the essential requirements. Understanding the notified body framework is essential for manufacturers of higher-risk products whose conformity pathway requires a notified body rather than self-declaration.

Read →
Article 15

Post-Market Monitoring Obligations for Manufacturers

Article 15 establishes that CRA compliance is not a one-time exercise completed at product launch. Throughout the support period - which must reflect the product's expected time in use and be at least five years unless the product is expected to be used for less - manufacturers must actively monitor their products for newly discovered vulnerabilities, remediate them without delay, and make the resulting security updates available to users, free of charge by default. This ongoing monitoring obligation is one of the most operationally demanding requirements of the CRA and requires manufacturers to build continuous vulnerability handling into their product management operations.

Read →
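As an added illustration of what the monitoring duty in the Article 15 summary above looks like in practice (example code written for this guide, not part of the CRA text or of any product described here): the script below cross-checks the components listed in a product's software bill of materials against a set of vulnerability advisories and reports which shipped versions fall inside an affected range, and whether a fixed version exists. It assumes a CycloneDX JSON SBOM and OSV-style `introduced`/`fixed` version ranges; the SBOM, the component versions and the advisory identifiers are all constructed for the example and refer to no real vulnerability.

```python
"""Cross-check an SBOM against vulnerability advisories (constructed example).

Inputs are a minimal CycloneDX 1.5 JSON document and OSV-style advisories
with introduced/fixed version ranges. Everything is embedded, so this runs
offline; in production the advisories would come from a feed such as OSV
or a vendor PSIRT.
"""
import json

# Constructed CycloneDX SBOM fragment for a hypothetical firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:generic/openssl@3.0.7"},
    {"type": "library", "name": "busybox", "version": "1.36.1",
     "purl": "pkg:generic/busybox@1.36.1"},
    {"type": "library", "name": "libcurl", "version": "8.4.0",
     "purl": "pkg:generic/libcurl@8.4.0"}
  ]
}
"""

# Constructed advisories shaped like OSV "affected" ranges: a component is
# affected from "introduced" (inclusive) up to "fixed" (exclusive). A range
# with no "fixed" key means no fix has been published yet.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "openssl",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.0.8"}]},
    {"id": "EXAMPLE-2024-0002", "package": "libcurl",
     "ranges": [{"introduced": "7.69.0", "fixed": "8.4.0"}]},
    {"id": "EXAMPLE-2024-0003", "package": "busybox",
     "ranges": [{"introduced": "1.0.0"}]},
]


def parse_version(text):
    """Turn a dotted version string into a tuple of ints for ordering.

    Only the leading digits of each component are used, so "1.36.1" and
    "8.4.0-r1" both parse; anything non-numeric is treated as 0.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version, rng):
    """True if version lies in [introduced, fixed); fixed is optional."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    if "fixed" in rng and v >= parse_version(rng["fixed"]):
        return False
    return True


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_affected(sbom_json, advisories):
    """Match each SBOM component against every advisory for that package.

    Each hit records the advisory, the shipped version, and the fixed
    version(s) from the ranges that matched, so the owner can see at once
    whether an update exists or the component needs a mitigation instead.
    """
    hits = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] != name:
                continue
            matched = [r for r in adv["ranges"] if in_range(version, r)]
            if not matched:
                continue
            fixed = sorted({r["fixed"] for r in matched if "fixed" in r},
                           key=parse_version)
            hits.append({"component": name, "version": version,
                         "advisory": adv["id"], "fix_available": bool(fixed),
                         "fixed_in": fixed})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        status = ("update to " + ", ".join(hit["fixed_in"])
                  if hit["fix_available"] else "no fix published")
        print(f"{hit['advisory']}: {hit['component']} {hit['version']} - {status}")
```

Run against the embedded data, the check flags openssl 3.0.7 (fix available in 3.0.8) and busybox 1.36.1 (open-ended range, no fix yet), and clears libcurl 8.4.0 because the advisory's fixed version is exactly the shipped one. Re-running this whenever the advisory feed or the SBOM changes is the mechanical core of the monitoring obligation; deciding on remediation and notifying users remains a human process.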
Article 16

Authorised Representatives: EU Presence for Non-EU Manufacturers

Article 16 allows a manufacturer to appoint, by written mandate, an authorised representative established within the EU, and sets out the tasks that representative must be able to perform: keeping the EU declaration of conformity and technical documentation at the disposal of market surveillance authorities, providing them with information and documentation on request, and cooperating on any corrective action. Appointment is not compulsory under this article, but it is the usual way a manufacturer established outside the EU provides an EU-based legal point of contact for national market surveillance authorities and other competent bodies, so that an accountable entity exists in the EU regardless of where the manufacturer is located.

Read →
Article 17

Importer Obligations Under the Cyber Resilience Act

Article 17 places specific obligations on importers - entities established in the EU that place on the EU market products with digital elements bearing the name or trademark of a manufacturer established outside the EU. Before placing a product on the market, importers must verify that the manufacturer has carried out the appropriate conformity assessment, drawn up the technical documentation, affixed the CE marking and provided the Annex II information, and they must not place a product on the market if they have reason to believe it is non-compliant. Importers are economic operators in their own right and are liable for penalties in respect of the products they import. This provision creates a compliance gateway role for importers within the EU supply chain.

Read →
Article 18

Distributor Obligations Under the Cyber Resilience Act

Article 18 addresses distributors - entities in the supply chain that make products with digital elements available on the EU market but who are not the manufacturer or importer. Distributors have lighter obligations than manufacturers and importers, but they still have a duty to verify that products are compliant before making them available and to cooperate with authorities when issues arise. Distributors who modify products or sell them under their own name take on manufacturer-level obligations.

Read →
Article 19

When Importers and Distributors Are Treated as Manufacturers

Article 19 closes a potential compliance gap by treating importers and distributors as manufacturers - with the full weight of manufacturer obligations - in two key scenarios: when they place a product on the market under their own name or brand, and when they modify a product in a way that could affect its compliance with CRA requirements. This provision prevents companies from avoiding CRA obligations by acting as intermediaries while substantively behaving as manufacturers.

Read →
Article 2

Scope and Exclusions Under the Cyber Resilience Act

Article 2 defines the scope of the CRA - which products and economic operators are covered - and sets out important exclusions for sectors already regulated under other EU frameworks. Understanding the scope boundaries is critical for manufacturers who operate across multiple product categories or who supply products to regulated industries such as medical devices, aviation, or automotive. Where exclusions apply, the CRA does not impose additional obligations, but the underlying sector regulation typically has its own cybersecurity requirements.

Read →
Article 21

General Obligations of Economic Operators

Article 21 establishes overarching obligations that apply to all economic operators in the CRA supply chain - manufacturers, importers, authorised representatives, and distributors. It creates cross-cutting requirements for supply chain transparency, cooperation with authorities, and information sharing that complement the more specific obligations in earlier articles. Article 21 ensures that the entire distribution chain, not just manufacturers, contributes to market surveillance and compliance.

Read →
Article 24

Requirements for Conformity Assessment Bodies Seeking Notification

Article 24 specifies the requirements that conformity assessment bodies must meet before a member state can notify them to the European Commission for CRA purposes. It establishes the competence, independence, and impartiality criteria that notified bodies must demonstrate, and the ongoing obligations they bear once notified. For manufacturers, understanding Article 24 helps in evaluating whether a potential assessment body genuinely qualifies to conduct CRA conformity assessments.

Read →
Article 25

Conformity Assessment Procedures: Module A vs Third-Party Assessment

Article 25 specifies which conformity assessment procedure applies to each category of product with digital elements. Default-class products can use Module A (internal control: manufacturer self-assessment and declaration). Class I products listed in Annex III can also use Module A, but only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme covering the essential requirements; otherwise, and for all Class II products, a notified body must be involved, either through EU-type examination followed by conformity to type or through a full quality assurance assessment. Identifying which procedure applies to your product is the starting point for planning your CRA conformity pathway.

Read →
Article 26

Union Testing Facilities Operated by ENISA

Article 26 establishes Union testing facilities to be operated by or designated by the European Union Agency for Cybersecurity (ENISA). These facilities provide independent testing capacity that national market surveillance authorities can use to assess products, investigate compliance, and conduct enforcement activities. Union testing facilities enhance the EU's capacity to identify non-compliant products in the market and provide neutral, high-quality technical assessments to support enforcement.

Read →
Article 27

Market Surveillance Coordination Between EU Member States

Article 27 establishes the framework for coordinating market surveillance activities across EU member states. Because the EU single market means products flow freely across borders, a non-compliant product identified in one member state may be on sale in 26 others. Article 27 ensures national surveillance authorities share information, coordinate investigations, and apply consistent enforcement standards so that manufacturers cannot exploit differences in national enforcement capacity.

Read →
Article 28

ENISA's Role: European Vulnerability Database and Coordination

Article 28 defines the European Union Agency for Cybersecurity's (ENISA) operational roles under the CRA. Central to these is the European vulnerability database, which ENISA establishes and maintains under Article 12 of the NIS2 Directive and which the CRA relies on for publishing information about vulnerabilities in regulated products with digital elements. Article 28 also establishes ENISA's coordination functions in vulnerability disclosure, its advisory role to manufacturers and member states, and its responsibility for maintaining the infrastructure through which Article 14 notifications are processed.

Read →
Article 29

Reporting Infrastructure for Article 14 Vulnerability Notifications

Article 29 establishes the technical infrastructure for the Article 14 notification system - specifically the single reporting platform operated by ENISA through which manufacturers notify actively exploited vulnerabilities and severe incidents having an impact on the security of their products, reaching the CSIRT designated as coordinator and ENISA at the same time. Notifications follow a staged timeline: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities or one month for incidents. This platform is the operational backbone of the CRA's mandatory early warning and reporting regime, translating the legal obligations in Article 14 into a practical, standardised submission process.

Read →
Article 30

Joint Investigations Between National Market Surveillance Authorities

Article 30 establishes the legal and procedural framework for national market surveillance authorities to conduct joint investigations into suspected CRA non-compliance. Joint investigations are particularly important where a manufacturer's products are sold across multiple EU member states, where the manufacturer is established in a third country, or where the cybersecurity risk has cross-border implications. Joint investigations allow authorities to pool resources and present a unified enforcement front.

Read →
Article 32

Penalties for CRA Non-Compliance

Article 32 establishes the penalty regime for CRA violations. Fines of up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher, apply to non-compliance with the essential requirements and with the manufacturer's core and vulnerability handling obligations; other obligations under the regulation attract fines of up to €10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities up to €5 million or 1%. These are maximum amounts; member states set the precise enforcement framework within these limits. Understanding the penalty structure is essential for risk quantification and compliance investment decisions.

Read →
Article 4

Free Movement of CRA-Compliant Products in the EU Single Market

Article 4 is the market access provision at the heart of the CRA's regulatory logic: products that satisfy the essential cybersecurity requirements and bear the CE marking are entitled to free movement throughout the EU single market. Member states cannot impose additional national cybersecurity requirements on CE-marked products without specific EU authorisation. This provision benefits manufacturers by creating a single compliance pathway for the entire EU market rather than requiring country-by-country certification.

Read →
Article 5

Essential Cybersecurity Requirements for Products with Digital Elements

Article 5 is the pivotal compliance provision of the CRA: it requires manufacturers to ensure their products with digital elements satisfy the essential requirements set out in Annex I. Annex I is divided into two parts - Part I covers the security properties products must have at the point of design and manufacture, and Part II covers the vulnerability handling processes manufacturers must maintain after placing products on the market. Compliance with Article 5 is the condition for bearing the CE marking and accessing the EU single market.

Read →
Article 7

Harmonised Standards and Presumption of Conformity

Article 7 establishes the role of harmonised European standards (EN standards) as the primary technical tool for demonstrating CRA compliance. When a manufacturer applies a harmonised standard that has been published in the EU Official Journal, the product is presumed to meet the essential requirements covered by that standard. This presumption of conformity significantly simplifies the conformity assessment process and reduces the burden of proof on manufacturers.

Read →
Article 8

Presumption of Conformity Through Harmonised Standards

Article 8 operationalises the presumption of conformity benefit introduced by Article 7. It establishes that products which conform to harmonised standards published in the EU Official Journal are presumed to satisfy the essential requirements in Annex I to the extent those standards cover those requirements. The presumption is rebuttable and reaches no further than the standard's scope: any essential requirement a standard does not address must still be demonstrated in the technical documentation. This provision is the legal mechanism that makes harmonised standards the preferred compliance tool for manufacturers seeking market access with minimal third-party assessment.

Read →
Article 9

Formal Objections to Harmonised Standards

Article 9 establishes a safeguard mechanism: if the European Commission determines that a harmonised standard does not fully satisfy the essential cybersecurity requirements it purports to cover, the Commission can raise a formal objection, potentially withdrawing the presumption of conformity for that standard. This provision protects the integrity of the CRA's requirements by ensuring that harmonised standards cannot be used to create a weaker compliance regime than the regulation intends.

Read →

Deadline · 11 September 2026

Only three of these articles are legally required by September 2026.

EN 18031 §5.3.3.4, §5.3.2.4, §5.4.3.4 — intake channel, triage playbook, paper trail.

See what's required →

Ready to meet your CRA obligations?

CVD Portal provides a complete vulnerability disclosure programme — free for Article 14 compliance, for all manufacturers placing products with digital elements on the EU market.

Set up your free portal