
EU Cyber Resilience Act — Guide for Regulatory Affairs Manager

What the CRA means for your role, your team, and your day-to-day responsibilities.

Regulatory affairs professionals occupy the interface between legal obligation and technical implementation. Under the Cyber Resilience Act, they are responsible for selecting and executing the correct conformity assessment route, maintaining the technical file, managing the Declaration of Conformity, and engaging with national competent authorities when required. They must also track how CRA obligations interact with NIS2, the Medical Device Regulation, the Radio Equipment Directive, and other concurrent obligations.

Your CRA responsibilities:

  • Determine product classification (Default, Class I Important, Class II Important) and select the appropriate conformity assessment route
  • Manage the technical file compilation and ensure it satisfies Annex VII requirements
  • Draft and maintain the EU Declaration of Conformity in accordance with Annex V
  • Establish and manage the EU Authorised Representative relationship where the manufacturer is outside the EU
  • Monitor delegated acts, implementing regulations, and harmonised standards published under the CRA
  • Coordinate with national competent authorities during market surveillance activities
  • Map CRA obligations against NIS2, MDR, RED, and other applicable EU regulations

Regulatory affairs role under the CRA

Regulatory affairs managers are responsible for navigating the CRA's conformity assessment framework and ensuring the organisation selects the correct route to CE marking. The CRA establishes three categories: Default products (the large majority) can self-assess against Annex I using internal procedures. Class I Important Products — those presenting elevated risk, such as network switches, VPNs, and password managers — can self-assess but may also use harmonised standards or third-party audit to demonstrate conformity. Class II Important Products — the highest-risk category, including industrial control systems, smartcard operating systems, and hardware security devices — require mandatory third-party assessment by an accredited notified body. Misclassifying a product or selecting an inappropriate assessment route constitutes a regulatory breach independent of the product's actual security posture.

CRA reference: Article 24, Annex VIII

Navigating national competent authority relationships

Member States designate national competent authorities (NCAs) to conduct market surveillance under the CRA. NCAs have the power to request technical files, conduct product evaluations, issue product recalls, and impose financial penalties. Regulatory affairs managers should identify the relevant NCA in each Member State where the product is marketed and maintain a relationship before any enforcement action arises. If an NCA initiates a market surveillance inquiry, the manufacturer has limited time to respond with technical documentation. The regulatory affairs manager should ensure the technical file is audit-ready at all times — not assembled retrospectively. Where an NCA identifies a non-conformity, the manufacturer may have the opportunity to implement corrective action before formal penalties are imposed, but only if the response is timely and demonstrates genuine remediation.

CRA reference: Article 41, Article 43, Article 58

CRA + NIS2 + MDR multi-regulation overlap

Many manufacturers are subject to overlapping EU cybersecurity regulations. NIS2 applies to essential and important entities and imposes incident reporting and security management obligations that partially overlap with CRA Article 14. Where a manufacturer is both a CRA-obligated manufacturer and a NIS2-obligated entity, regulatory affairs must map the obligations carefully to avoid duplicate or conflicting processes. The Medical Device Regulation imposes its own cybersecurity requirements for software as a medical device — ENISA has published guidance on harmonising CRA and MDR obligations. The Radio Equipment Directive (RED) introduced cybersecurity requirements in Article 3(3)(d)-(f) for wireless devices, and the Commission has indicated that CRA conformity will satisfy RED cybersecurity requirements for products in scope of both regulations. Regulatory affairs managers should produce a regulatory matrix for each product line that maps all applicable obligations.

CRA reference: Article 2, Recital 16

Monitoring delegated acts and implementing regulations

The CRA delegates significant detail to the European Commission through delegated acts and implementing regulations. Key areas subject to further specification include: the definitive list of Class I and Class II Important Products (Annex III), the format and content of Article 14 notifications, the technical file content requirements, and any sector-specific adaptations. Harmonised standards published by ETSI and CEN-CENELEC under a CRA standardisation request will provide presumption of conformity and significantly reduce the technical file burden for manufacturers who comply with them. Regulatory affairs managers should subscribe to the Official Journal of the European Union, monitor ENISA publications, and track the standardisation bodies' work programmes. Standards that are expected to be particularly relevant include EN 303 645, IEC 62443, and ISO/IEC 27001 adapted for product security contexts.

CRA reference: Article 5, Article 27, Annex III

Getting started checklist

Begin by classifying every in-scope product line against the Default / Class I / Class II Important Product criteria in Annex III and the product descriptions in ENISA guidance documents. For each product, document the chosen conformity assessment route and the justification for that choice. Compile an inventory of the technical file artefacts already available and identify gaps. Draft or review the EU Declaration of Conformity template for each product class. If the manufacturer is established outside the EU, confirm that an EU Authorised Representative has been appointed and that the appointment agreement covers all CRA obligations including market surveillance cooperation. Produce a regulatory matrix mapping CRA obligations against all other applicable EU regulations. Set calendar reminders for the publication of implementing regulations anticipated before the December 2027 application date.

CRA reference: Annex V, Annex VII, Article 23


Frequently asked by Regulatory Affairs Managers

When does the CRA apply, and what is the transition timeline?

The CRA entered into force on 10 December 2024. The Article 14 vulnerability reporting obligations apply from 11 September 2026. The full CRA requirements — including conformity assessment, technical file, and CE marking — apply from 11 December 2027. Products placed on the EU market before 11 December 2027 are not required to comply, but products that remain on the market and receive substantial modifications may require re-assessment. Regulatory affairs managers should plan their conformity assessment projects with the December 2027 deadline in mind, allowing time for notified body assessment for Class II Important Products.

What is the EU Authorised Representative's liability under the CRA?

Article 23 requires manufacturers established outside the EU to appoint an EU Authorised Representative before placing products on the EU market. The Authorised Representative acts on the manufacturer's behalf for regulatory purposes: they hold a copy of the technical file, cooperate with market surveillance authorities, and are the point of contact for CRA obligations in the EU. Importantly, the Authorised Representative does not inherit the manufacturer's full liability — they are not liable for product non-conformities — but they do carry liability for failures to perform their own regulatory obligations, including failure to cooperate with an NCA investigation.

How often must the technical file be updated?

The technical file must be kept current throughout the product's active market life and retained for ten years after the product is last placed on the market. It must be updated when: a new product version is released; a vulnerability is discovered that required a design change; the conformity assessment is renewed or changed; or a delegated act or harmonised standard changes the conformity basis. The technical file is a living document — regulatory affairs managers should establish a document management system that links file updates to the product release and vulnerability management processes.
