The Cyber Resilience Act (CRA) is a new EU regulation that sets binding security standards for products with digital elements. We explain the cybersecurity requirements that manufacturers, importers and distributors must meet in order to be allowed to place products on the market in the EU.
In a nutshell
- The Cyber Resilience Act (CRA) is an EU regulation and therefore applies directly in all member states without the need for implementation into national law.
- The CRA came into force on 11 December 2024. From 11 December 2027, all new products must comply with all CRA requirements. Vulnerabilities and security incidents must be reported from 11 September 2026.
- To ensure the cybersecurity of software and hardware, manufacturers must assess risks, fix vulnerabilities and provide security updates at fixed intervals.
- The implementation of the CRA requirements is likely to require significant changes in support and maintenance for many companies.
What is the Cyber Resilience Act?
The CRA creates uniform EU-wide standards for the cybersecurity of hardware and software. The aim is to minimise security risks and protect network and information systems, consumers and businesses.
This covers all software and hardware products together with their remote data processing, meaning processing that does not necessarily take place on the hardware or in the software itself but without which the product could not perform its intended function, such as an identity management system that verifies users against a database, or a virtual assistant that forwards requests to a server for processing. Specifically, the products covered include, for example, smartphones, laptops, smart home products, smartwatches, connected toys, microprocessors, firewalls, accounting software, computer games and mobile applications.
Certain medical devices, aviation technology and most automotive products are excluded from the scope of the CRA.
The CRA divides affected products into categories:
- important products – Class I;
- important products – Class II;
- critical products.
Important products (Annex III CRA) in Class I include identity management systems, access control devices, password managers, operating systems and products for the smart home environment with security features such as door locks or cameras.
Class II includes hypervisors and container runtime systems, as well as tamper-resistant microprocessors and controllers.
Critical products (Annex IV CRA) include hardware devices with security boxes, and smart cards or similar devices, including secure elements. European cybersecurity certification may be required for critical products (see Art. 8(1) CRA).
Tip: We recommend immediate classification of all products according to the CRA product categories in order to plan the appropriate conformity path and the associated testing effort at an early stage.
Who is affected by the CRA?
The CRA is aimed first at manufacturers. They must ensure that their products and their own processes meet certain requirements. In addition, they must, among other things, prepare technical documentation and declarations of conformity and affix CE markings to their products.
In addition to manufacturers, the CRA also applies to importers and distributors. They may only place products with digital elements on the market if these and the procedures specified by the manufacturer comply with the cybersecurity requirements.
Key CRA requirements
Manufacturers must implement security measures as early as the development phase (security by design), continuously remedy vulnerabilities and provide security updates for at least five years. In addition, extensive documentation and reporting requirements apply. A key requirement is an assessment of cybersecurity risks and their consideration in all phases of the product life cycle, with the aim of minimising risks and preventing security incidents. In concrete terms, this means that threat and risk analyses must be carried out at an early stage, and measures such as authentication, access control and encryption functions must be taken into account from the outset. The assessment must be documented and must describe which security requirements have been implemented for the product and how.
Vulnerability management
Manufacturers are obliged to effectively remedy vulnerabilities during the expected service life of a product and throughout the entire support period. The support period must be appropriate and shall be at least 5 years, unless the normal service life of the product is shorter. This period must be noted in the technical documentation.
Vulnerabilities must be continuously analysed, documented and addressed through security updates. The CRA requires not only the implementation of vulnerability handling processes, but also a coordinated vulnerability disclosure procedure vis-à-vis the national supervisory authority.
Please note: In the event of security-related incidents, please observe the reporting obligation specified in Art. 14 CRA. Actively exploited vulnerabilities and serious security incidents must be reported to the responsible national Computer Security Incident Response Team (CSIRT/CERT) and ENISA within the specified deadlines.
Technical documentation
Before products are offered on the market, comprehensive technical documentation must be created and continuously updated. This includes, among other things, a description of the system architecture, defined procedures for remedying vulnerabilities, and a contact address for any reports (Annex VII CRA).
In addition, clear security and usage instructions must be provided for consumers (Annex II CRA).
Tip: Establish a central platform for security documentation, as this will allow recurring enquiries to be processed much more efficiently.
Product conformity
A conformity assessment in accordance with Art. 32 CRA must also have been carried out before the products are placed on the market. On this basis, an EU declaration of conformity is drawn up in accordance with the specific requirements in Annex V CRA. In particular, it must be written in every language prescribed by the Member State in which the product is to be placed on the market. A copy of this declaration of conformity or a simplified declaration of conformity (Annex VI) must be included with the product.
In addition, the CRA – like the Accessibility Enhancement Act (BFSG) – provides for a presumption of conformity if a product complies with a harmonised European standard and insofar as this standard covers the requirements of the CRA. These standards are still being developed.
Small businesses are to receive special support from Member States in implementing the regulation. The Commission and Member States are to provide guidelines and help desks as well as regulatory sandboxes for cyber resilience.
Implementation in Germany and further regulations
With Technical Guideline TR-03183, the Federal Office for Information Security (BSI), as the competent supervisory authority in Germany, offers manufacturers of digital products guidance on how to better implement the requirements of the CRA. In addition, the Commission has already published the first implementing acts and delegated regulations for the CRA. Regulation (EU) 2025/2392 provides technical descriptions of the categories of important and critical products with digital elements, which simplify classification.
Sanctions
Violations of the Cyber Resilience Act in the area of manufacturers' obligations or the reporting of vulnerabilities and security incidents can be punished with fines of up to €15 million or 2.5% of global annual turnover, whichever is higher (Art. 64 CRA).
Violations of the obligations of other economic operators or of the requirements for EU declarations of conformity may be punished with fines of up to €10 million or 2% of global annual turnover.
Providing false, incomplete or misleading information to the market surveillance authority can result in fines of up to €5 million or 1% of total worldwide annual turnover.
The market surveillance authority responsible for the CRA is the Federal Office for Information Security (BSI) in Germany.
Deadlines for implementing the CRA
- 11 September 2026: Start of reporting obligations
- 11 December 2027: Full implementation of all CRA requirements
Conclusion and recommended action
The provisions of the CRA are not only comprehensive, they are also likely to significantly change the current approach to support and security updates for many manufacturers. It is therefore strongly recommended that processes and documentation be adapted at an early stage. Both technical and procedural measures must be taken.
For product classification, gap analysis, prioritised roadmaps, the establishment of central reporting channels and accessible documentation, it is worth turning to specialised software solutions and the advice of compliance experts with cybersecurity expertise in order to pursue a sustainable and scalable approach.
