EU Cyber Resilience Act (CRA) Requirements Guide
EU Cyber Resilience Act: Everything you need to know about cybersecurity requirements for securing your digital products
The European Union Cyber Resilience Act (CRA) represents a groundbreaking shift in how cybersecurity is regulated for digital products across the EU market. This comprehensive legislation aims to ensure that hardware and software products are secure throughout their entire lifecycle, creating a safer digital environment for businesses and consumers alike.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) is a regulation adopted by the European Union to impose horizontal cybersecurity requirements on products with “digital elements” sold or made available in the EU.
In short, it raises the bar and mandates that manufacturers, importers, distributors, and others in the supply chain must ensure that their products (hardware or software) are secure throughout their lifecycle.
Cyber Resilience Act Requirements Overview

The Cyber Resilience Act introduces a unified set of cybersecurity requirements designed to ensure that products with digital elements are secure by design, resilient against vulnerabilities, and transparent about their security posture. These requirements form the foundation for compliance and accountability across the EU digital product ecosystem.
The CRA addresses two critical problems in today’s digital landscape:
Low Level of Cybersecurity: Products suffer from widespread vulnerabilities and insufficient security updates, creating attack vectors for malicious actors.
Lack of Transparency: Users lack clear information about product security properties, making it impossible to make informed purchasing decisions.
The Cyber Resilience Act requirements aim to ensure that hardware and software products are placed on the market without known exploitable vulnerabilities and that manufacturers take security seriously throughout a product’s entire lifecycle.
The total global cost of cybercrime is projected to reach $1.2 trillion annually by the end of 2025. In today’s connected world, a single cybersecurity incident can quickly cascade across organizations and supply chains—often crossing borders within minutes, as seen in the recent NPM supply chain attack.
The CRA Timeline: From Proposal to Enforcement
Understanding when the CRA was proposed, passed, and when it will become enforceable is critical for planning compliance efforts:
December 10, 2024: Entry Into Force
The CRA entered into force 20 days after publication in the EU Official Journal. From this point, the clock started ticking on the 36-month transition period.
June 11, 2026: Notification of Conformity Assessment Bodies
Provisions on notification of conformity assessment bodies will come into effect. Organizations must have identified and begun working with qualified third parties for product assessments.
September 11, 2026: Vulnerability & Incident Reporting Begins
Reporting obligations concerning actively exploited vulnerabilities and severe incidents impacting product security will come into effect. Organizations must have incident reporting processes and procedures in place.
December 11, 2027: Full Compliance Deadline
All Cyber Resilience Act requirements apply in full. Manufacturers and distributors must ensure all products with digital elements placed on the market comply with essential cybersecurity requirements, security by design principles, and all operational measures.
Scope: What Products Are Covered in CRA?
The CRA applies to all products with digital elements that are placed on the EU market in the course of a commercial activity. A product with digital elements is defined as a hardware or software product (including its remote data processing solutions and components placed on the market separately) whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Examples of Covered Products:
- Consumer End Devices: Laptops, smartphones, tablets, smart speakers, routers, switches
- Smart Home Devices: Connected cameras, smart door locks, baby monitors, alarm systems, smart thermostats, connected refrigerators, smart TVs
- IoT & Sensors: Smart meters, sensors, cameras, industrial control systems
- Wearables: Smartwatches, fitness trackers
- Software & Firmware: Operating systems, mobile apps, desktop applications, firmware, software libraries
- Components: Computer processors, video cards, semiconductors, software development kits (SDKs)
- Cloud & Remote Services: Remote data processing solutions integrated into products
Critical Considerations
The CRA distinguishes between different types of supply and commercial activity. It specifically provides exemptions and lighter regulations for non-commercial open-source software developers, not-for-profit organizations, and public administrations developing products exclusively for their own use.
Visit the official European Union Cyber Resilience Act website for complete information: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act.
Core Cyber Resilience Act Requirements

The CRA establishes essential cybersecurity requirements that manufacturers must implement. These requirements fall into two main categories:
A. Product Cybersecurity Requirements
Manufacturers must ensure products are designed, developed, and maintained with security as a fundamental principle:
Security by Design
Products must be designed and developed with built-in security from the ground up, not added as an afterthought. Security must be integral to the architecture and development process.
Cybersecurity Risk Assessment
Manufacturers must conduct comprehensive cybersecurity risk assessments before placing products on the market and retain documentation for 10 years or the product’s support period, whichever is longer.
Automatic Security Updates
Where technically feasible, security updates must be installed automatically and this must be enabled as the default setting, with a clear and easy-to-use opt-out mechanism for users. Security updates must be distributed separately from functionality updates where technically feasible, so that users are not forced to accept new features in order to receive a fix.
Vulnerability Management
Manufacturers must establish robust processes to identify, track, and remediate vulnerabilities throughout the product lifecycle. This includes drawing up and maintaining a Software Bill of Materials (SBOM) in a commonly used, machine-readable format that covers at least the product’s top-level dependencies, so that affected components can be identified when a new vulnerability is published.
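The SBOM requirement only pays off if the SBOM is complete enough to be matched against advisories. The following is an added example written for this guide (it is not ArmorCode code and not part of the CRA text): it checks a small CycloneDX-style JSON SBOM for components that are missing a name, version or package URL, and then matches the remaining components against an advisory list. The SBOM document, the component names (`libtls-example`, `jsonparse-example`, `mqtt-client-example`) and the advisory identifiers (`ADV-EXAMPLE-…`) are constructed placeholders, not real packages or vulnerabilities, so the script runs offline.

```python
"""Audit a CycloneDX-style SBOM for completeness and match it against advisories.

Added example for this guide (not ArmorCode or CRA code). All component names,
versions and advisory IDs below are constructed placeholders.
"""
import json
import re

# Constructed CycloneDX 1.5 JSON SBOM with hypothetical components.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application",
                      "name": "smart-thermostat-fw", "version": "3.2.0"}
    },
    "components": [
        {"type": "library", "name": "libtls-example", "version": "1.4.2",
         "purl": "pkg:generic/libtls-example@1.4.2"},
        {"type": "library", "name": "jsonparse-example", "version": "0.9.1",
         "purl": "pkg:generic/jsonparse-example@0.9.1"},
        # Deliberately incomplete entry: no version, purl without version.
        {"type": "library", "name": "mqtt-client-example",
         "purl": "pkg:generic/mqtt-client-example"},
    ],
})

# Constructed advisories: (advisory id, purl without version, range "<X").
ADVISORIES = [
    ("ADV-EXAMPLE-0001", "pkg:generic/libtls-example", "<1.4.3"),
    ("ADV-EXAMPLE-0002", "pkg:generic/jsonparse-example", "<0.9.0"),
]


def parse_version(version):
    """Split a dotted numeric version into an int tuple for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def affected(version, spec):
    """Return True if `version` falls inside a single '<X' range spec."""
    if not spec.startswith("<"):
        raise ValueError("only '<X' range specs are supported here")
    return parse_version(version) < parse_version(spec[1:])


def validate_sbom(sbom):
    """List components lacking a name, version or purl.

    A component without a version cannot be matched against any advisory,
    so such entries undermine the purpose of keeping an SBOM at all.
    """
    problems = []
    for comp in sbom.get("components", []):
        missing = [f for f in ("name", "version", "purl") if not comp.get(f)]
        if missing:
            problems.append((comp.get("name", "<unnamed>"), missing))
    return problems


def match_advisories(sbom, advisories):
    """Return (advisory id, component name, version) for each affected component."""
    hits = []
    for comp in sbom.get("components", []):
        version = comp.get("version")
        if not version:
            continue  # reported separately by validate_sbom
        purl_base = comp.get("purl", "").split("@")[0]
        for adv_id, adv_purl, spec in advisories:
            if purl_base == adv_purl and affected(version, spec):
                hits.append((adv_id, comp["name"], version))
    return hits


def audit(sbom_json, advisories=ADVISORIES):
    """Parse the SBOM and return both completeness problems and advisory hits."""
    sbom = json.loads(sbom_json)
    return {
        "incomplete": validate_sbom(sbom),
        "affected": match_advisories(sbom, advisories),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SBOM_JSON), indent=2))
```

Run against the constructed input, the audit flags `mqtt-client-example` as incomplete (no version) and reports `libtls-example` 1.4.2 as affected by `ADV-EXAMPLE-0001`, while `jsonparse-example` 0.9.1 is correctly not matched because it is outside the `<0.9.0` range. A real pipeline would ingest an SBOM generated by the build tooling and pull advisories from a vulnerability database rather than an inline list, but the two checks shown (is every component identifiable, and does any identified component fall in an affected range) are the core of the tracking obligation.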
Support Period Transparency
Manufacturers must determine and clearly communicate the support period for each product, enabling users to understand how long they can expect security updates and maintenance. The support period must be at least five years unless the product is expected to be in use for a shorter time.
B. Vulnerability Handling & Incident Reporting
Manufacturers must establish formal processes for handling security vulnerabilities:
- 24-hour early warning: Manufacturers must report actively exploited vulnerabilities and severe incidents impacting product security within 24 hours of becoming aware of them, through the single reporting platform operated by ENISA (European Union Agency for Cybersecurity), which routes reports to the designated national CSIRT. The early warning is followed by a fuller notification within 72 hours and a final report once the issue is resolved.
- Incident resolution: Manufacturers must take appropriate measures to investigate and resolve security incidents.
- Coordinated disclosure: Proper vulnerability handling processes must be in place to manage responsible disclosure.
- Continuous monitoring: Ongoing monitoring for new vulnerabilities throughout the product lifecycle.
Open Source & Special Provisions
One of the most significant improvements to the CRA came through amendments addressing concerns from the open-source community. The final regulation includes protective provisions for open-source developers and organizations:
Non-Commercial Open Source Exemption
Free and open-source software that is not monetized by its developers and creators is generally exempted from the Cyber Resilience Act requirements. This exemption protects community-driven projects and volunteer developers.
Open Source Stewards
A new concept introduced in the CRA, “open-source stewards” are legal entities (often foundations) that provide sustained support for open-source software development. Examples include:
- The Apache Software Foundation
- The Eclipse Foundation
- Linux Foundation
- OpenStack Foundation
Open-source stewards are subject to a lighter-touch regulatory regime specifically tailored to the unique nature of open-source development models, reflecting the community’s feedback during the legislative process.
Important Distinction
The CRA recognizes that monetization status determines compliance obligations. For open-source software, commercial activity is determined by whether the software is monetized, not by whether developers receive funding or the software receives contributions from commercial entities.
Why CRA Compliance Matters
- CRA raises the bar for cybersecurity in digital products across the EU market, shifting responsibility firmly onto manufacturers and supply chain actors.
- With a structured implementation timeline and early warning phases, organizations have a window to prepare.
- Noncompliance carries significant financial, legal, and reputational risk.
- The Cyber Resilience Act requirements also shape how future digital trust, supply chain security, and product assurance will evolve.
- Even non-EU companies must engage if they want market access.
Think of this not just as a compliance exercise, but as an opportunity to embed robust security practices, differentiate products, and build customer trust.
Next Steps with ArmorCode
At ArmorCode, we specialize in compliance, secure development, posture management, unified vulnerability management, and software supply chain security. If you’re preparing for CRA compliance or want to embed robust security across your product lifecycle, we can help you get there faster and with confidence. Discover how ArmorCode simplifies your journey to meet Cyber Resilience Act requirements faster here.