
EU Cyber Resilience Act (CRA)

The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market. It entered into force on 10 December 2024, with most obligations applying from 11 December 2027.


What Is the EU Cyber Resilience Act?

The EU Cyber Resilience Act (Regulation (EU) 2024/2847, commonly abbreviated 'CRA') is an EU regulation that for the first time establishes mandatory, horizontal cybersecurity requirements for products with digital elements (PDE): any software or hardware product, including its remote data processing solutions, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The CRA was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024. It applies to manufacturers, importers, and distributors who place such products on the EU market. The regulation's essential cybersecurity requirements are set out in Annex I. Product categories determine the conformity assessment route: 'important' products (Class I and Class II) are listed in Annex III, 'critical' products in Annex IV, and every other product falls into the default category, for which the manufacturer may self-assess.

CRA reference: Articles 1-3, Annexes I, III and IV

Key Obligations for Manufacturers

The CRA's core obligations for manufacturers include:

  • Annex I Part I — secure-by-design requirements: a design based on a cybersecurity risk assessment, no known exploitable vulnerabilities at the time the product is made available, a secure-by-default configuration, the ability to receive security updates, a minimised attack surface, and protection of the confidentiality, integrity and availability of data and functions.
  • Annex I Part II — vulnerability handling: identify and document the product's components (including an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies), monitor for and remediate vulnerabilities without delay, distribute security updates free of charge, maintain and publish a coordinated vulnerability disclosure (CVD) policy, and publish advisories once a fix is available.
  • Article 14 — report an actively exploited vulnerability to the CSIRT designated as coordinator and to ENISA via the single reporting platform: an early warning within 24 hours of becoming aware of it, a vulnerability notification with technical details and available mitigations within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Severe incidents affecting the security of the product follow a parallel schedule (early warning within 24 hours, incident notification within 72 hours, final report within one month).
  • Article 13 and Annex VII — draw up and keep the technical documentation, which includes the cybersecurity risk assessment, the SBOM, and the evidence from conformity assessment.
  • Article 28 — draw up the EU declaration of conformity and affix the CE marking (Article 30) before placing the product on the market, following the conformity assessment procedure that applies to the product's category (Article 32).
CRA reference: Articles 13, 14, 28, 30, 32, Annexes I and VII

CRA Implementation Timeline

The CRA's obligations phase in over the period 2024–2027 (Article 71):

  • 10 December 2024 — Regulation enters into force, twenty days after publication in the Official Journal on 20 November 2024.
  • 11 June 2026 — Chapter IV (notification of conformity assessment bodies, Articles 35 to 51) applies, so that notified bodies can be designated before the main application date.
  • 11 September 2026 — Article 14 reporting obligations apply: manufacturers must report actively exploited vulnerabilities and severe incidents via the single reporting platform to the coordinating CSIRT and ENISA.
  • 11 December 2027 — All remaining obligations apply, including the essential requirements (Annex I), conformity assessment, CE marking, and technical documentation requirements.

Manufacturers should not wait for the 2027 date to start: supply chain remediation, SBOM generation across all product lines, and setting up a CVD programme and the Article 14 reporting workflow each typically need 12–24 months of lead time, and the reporting duties already bite in September 2026.

CRA reference: Article 71

Penalties and Enforcement

The CRA sets maximum administrative fines (Article 64); the exact amount in a given case is decided by the member states' authorities:

  • Non-compliance with the essential requirements (Annex I) or with the manufacturer obligations in Articles 13 and 14, which includes the reporting duties — fines up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.
  • Non-compliance with any other obligation under the Regulation (for example importer and distributor duties, or technical documentation) — fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
  • Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities in reply to a request — fines up to €5 million or 1% of total worldwide annual turnover, whichever is higher.

Enforcement is carried out by national market surveillance authorities (MSAs) in each EU member state, coordinated at EU level through the dedicated Administrative Cooperation Group (ADCO) for the CRA. Products found non-compliant can be subject to corrective action, withdrawal or recall, and can be restricted or prohibited on the EU market.

CRA reference: Article 64

CVD Portal makes EU Cyber Resilience Act (CRA) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.


Frequently asked questions

Does the CRA apply to software-only products?

Yes. The CRA applies to all products with digital elements, hardware or software, whose intended or reasonably foreseeable use includes a data connection to a device or network. Standalone software applications, mobile apps, firmware, operating systems, and software components (including libraries) are within scope. Software offered purely as a service is outside the CRA (it is covered by NIS2 instead) unless it constitutes remote data processing for a product with digital elements, meaning processing designed by the manufacturer without which the product could not perform one of its functions (Article 3); in that case it is treated as part of the product. The European Commission is to publish guidance on scope questions, including remote data processing and free and open-source software (Article 26).

When do CRA obligations start applying?

Article 14 reporting obligations apply from 11 September 2026 (the provisions on notified bodies in Chapter IV apply from 11 June 2026). All other obligations, including the essential requirements, conformity assessment, CE marking, and technical documentation, apply from 11 December 2027. Under Article 69, products placed on the market before 11 December 2027 become subject to the essential requirements only if they are substantially modified after that date; the Article 14 reporting duties nevertheless apply to them. Any product first placed on the market from 11 December 2027 onwards must be fully compliant.

Are open-source software components subject to the CRA?

Free and open-source software that is developed and supplied outside a commercial activity is outside the CRA's scope. Organisations that support the development of open-source software intended for commercial use without monetising it ('open-source software stewards', Article 24) fall under a light-touch regime: they must have a cybersecurity policy and cooperate with authorities, but they do not carry out conformity assessment or affix the CE marking. Once a manufacturer integrates an open-source component into a commercial product, the manufacturer becomes responsible for that component: Article 13 requires due diligence when integrating third-party components, including open-source ones, and requires the manufacturer to report a vulnerability it finds in such a component to the component's maintainer and to contribute any fix it develops. The SBOM requirement in Annex I Part II makes this responsibility concrete: manufacturers must identify the open-source components they ship and monitor them for vulnerabilities throughout the support period.
