How Does the EU Cyber Resilience Act (CRA) Set Cybersecurity Requirements for Digital Products?

Everything you need to know about cybersecurity requirements for securing your digital products

The EU Cyber Resilience Act mandates that manufacturers, importers, and distributors ensure all products with digital elements sold in the European Union are secure throughout their lifecycle. This regulation requires security by design, automatic updates, and mandatory vulnerability reporting to protect against cyber threats.

The European Union Cyber Resilience Act (CRA) represents a groundbreaking shift in how cybersecurity is regulated for digital products across the EU market. This comprehensive legislation aims to ensure that hardware and software products are secure throughout their entire lifecycle, creating a safer digital environment for businesses and consumers alike.

What is the European Union Cyber Resilience Act?

The European Union Cyber Resilience Act is a regulation imposing horizontal cybersecurity requirements on products with digital elements sold in the European Union.

The European Union Cyber Resilience Act mandates that manufacturers, importers, and distributors ensure digital products remain secure throughout the product lifecycle.

What Are the Core Requirements of the Cyber Resilience Act?

The Cyber Resilience Act introduces a unified set of cybersecurity requirements designed to ensure that products with digital elements are secure by design, resilient against vulnerabilities, and transparent about their security posture. These requirements form the foundation for compliance and accountability across the EU digital product ecosystem.

The CRA addresses two critical problems in today’s digital landscape:

Low Level of Cybersecurity: Products suffer from widespread vulnerabilities and insufficient security updates, creating attack vectors for malicious actors.

Lack of Transparency: Users lack clear information about product security properties, making it impossible to make informed purchasing decisions.

The Cyber Resilience Act requirements aim to ensure that hardware and software products are placed on the market with fewer to no vulnerabilities and that manufacturers take security seriously throughout a product’s entire lifecycle.

According to Cyber Defense Magazine, the total global cost of cybercrime was projected to reach $1.2 trillion annually by the end of 2025. In today’s connected world, a single cybersecurity incident can quickly cascade across organizations and supply chains—often crossing borders within minutes, as seen in the recent NPM supply chain attack.

When Does the Cyber Resilience Act Become Enforceable?

Understanding when the CRA was proposed, passed, and when it will become enforceable is critical for planning compliance efforts:

December 10, 2024: Entry Into Force

The CRA entered into force 20 days after publication in the EU Official Journal. From this point, the clock started ticking on the 36-month transition period.

June 11, 2026: Notification of Conformity Assessment Bodies

Provisions on notification of conformity assessment bodies will come into effect. Organizations must have identified and begun working with qualified third parties for product assessments.

September 11, 2026: Vulnerability & Incident Reporting Begins

Reporting obligations concerning actively exploited vulnerabilities and severe incidents impacting product security will come into effect. Organizations must have incident reporting processes and procedures in place.

December 11, 2027: Full Compliance Deadline

All Cyber Resilience Act requirements apply in full. Manufacturers and distributors must ensure all products with digital elements placed on the market comply with essential cybersecurity requirements, security by design principles, and all operational measures.

Which Products Fall Under the Scope of the Cyber Resilience Act?

The CRA compliance applies to all products with digital elements that are placed on the EU market in the course of commercial activity. A product with digital elements is defined as hardware or software whose intended and foreseeable use includes direct or indirect data connection to a device or network.

Examples of Covered Products:

Product CategoryExamples
Consumer End DevicesLaptops, smartphones, tablets, smart speakers, routers, switches
Smart Home DevicesConnected cameras, smart door locks, baby monitors, alarm systems, smart thermostats, connected refrigerators, smart TVs
IoT & SensorsSmart meters, sensors, cameras, industrial control systems
WearablesSmartwatches, fitness trackers
Software & FirmwareOperating systems, mobile apps, desktop applications, firmware, software libraries
ComponentsComputer processors, video cards, semiconductors, software development kits (SDKs)
Cloud & Remote ServicesRemote data processing solutions integrated into products

Critical Considerations

The CRA distinguishes between different types of supply and commercial activity. It specifically provides exemptions and lighter regulations for non-commercial open-source software developers, not-for-profit organizations, and public administrations developing products exclusively for their own use.

Visit the official European Union Cyber Resilience Act website for complete information: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

How Must Manufacturers Implement Cyber Resilience Act Requirements?

Cyber Resilience Act - security by design and default

The CRA establishes essential cybersecurity requirements that manufacturers must implement. These requirements fall into two main categories:

A. Product Cybersecurity Requirements

Manufacturers must ensure products are designed, developed, and maintained with security as a fundamental principle:

Security by Design

Products must be designed and developed with built-in security from the ground up, not added as an afterthought. Security must be integral to the architecture and development process.

Cybersecurity Risk Assessment

Manufacturers must conduct comprehensive cybersecurity risk assessments before placing products on the market and retain documentation for 10 years or the product’s support period, whichever is longer.

Automatic Security Updates

When technically feasible, security updates must be deployed automatically by default. Users can opt out, but automatic deployment is the requirement. Updates should be separated from feature updates when possible.

Vulnerability Management

Manufacturers must establish robust processes to identify, track, and remediate vulnerabilities throughout the product lifecycle. This includes maintaining a Software Bill of Materials (SBOM).

Support Period Transparency

Manufacturers must clearly communicate the support period for each product, enabling users to understand how long they can expect security updates and maintenance.

B. Vulnerability Handling & Incident Reporting

Manufacturers must establish formal processes for handling security vulnerabilities and reporting them on a strict, escalating timeline. From September 11, 2026, actively exploited vulnerabilities and severe incidents affecting product security must be reported to the relevant national CSIRT and ENISA (the European Union Agency for Cybersecurity) through the CRA Single Reporting Platform (SRP).

The reporting cascade:

  • Early warning (24 hours): Submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident.
  • Notification (72 hours): Submit a fuller notification within 72 hours, including an initial assessment of severity and impact.
  • Final report (14 days or one month): For actively exploited vulnerabilities, submit a final report no later than 14 days after a corrective or mitigating measure becomes available. For severe incidents, submit the final report within one month of the 72-hour notification.

Beyond reporting, manufacturers must:

  • Investigate and resolve: Take appropriate measures to investigate and remediate security incidents.
  • Coordinate disclosure: Maintain proper vulnerability handling processes to manage coordinated, responsible disclosure.
  • Monitor continuously: Watch for new vulnerabilities throughout the product lifecycle.

How Does the Cyber Resilience Act Affect Open Source Software?

One of the most significant improvements to the CRA compliance came through amendments addressing concerns from the open-source community. The final regulation includes protective provisions for open-source developers and organizations:

Non-Commercial Open Source Exemption

Free and open-source software that is not monetized by its developers and creators is generally exempted from the Cyber Resilience Act requirements. This exemption protects community-driven projects and volunteer developers.

Open Source Stewards

A new concept introduced in the CRA, “open-source stewards” are legal entities (often foundations) that provide sustained support for open-source software development. Examples include:

  • The Apache Software Foundation
  • The Eclipse Foundation
  • Linux Foundation
  • OpenStack Foundation

Open-source stewards are subject to a lighter-touch regulatory regime specifically tailored to the unique nature of open-source development models, reflecting the community’s feedback during the legislative process.

Important Distinction

The CRA recognizes that monetization status determines compliance obligations. For open-source software, commercial activity is determined by whether the software is monetized, not by whether developers receive funding or the software receives contributions from commercial entities.

Why is Cyber Resilience Act Compliance Critical for Businesses?

Why is Cyber Resilience Act compliance critical for businesses?
  • CRA raises the bar for cybersecurity in digital products across the EU market, shifting responsibility firmly onto manufacturers and supply chain actors.
  • With a structured implementation timeline and early warning phases, organizations have a window to prepare.
  • Noncompliance carries significant financial, legal, and reputational risk.
  • The Cyber Resilience Act requirements also shape how future digital trust, supply chain security, and product assurance will evolve.
  • Even non-EU companies must engage if they want market access.

Think of this not just as a compliance exercise, but as an opportunity to embed robust security practices, differentiate products, and build customer trust.

Next Steps with ArmorCode

At ArmorCode, we unify application security posture management, unified vulnerability management, software supply chain security, and AI exposure management on a single Agentic AI Platform. If you’re preparing for CRA or want to embed strong security across your product lifecycle, we can help you get there faster and with confidence. Discover how ArmorCode helps you meet Cyber Resilience Act requirements faster here.

Frequently Asked Questions (FAQ)

What are the penalties for non-compliance with the Cyber Resilience Act?

Non-compliance with the European Union Cyber Resilience Act carries significant financial penalties. Organizations may face fines up to €15 million or 2.5% of their total worldwide annual turnover for the preceding financial year, whichever is higher, depending on the severity of the violation.

Does the Cyber Resilience Act apply to companies outside the European Union?

Yes, the European Union Cyber Resilience Act applies to any company placing products with digital elements on the European Union market, regardless of where the manufacturer is headquartered. Non-EU companies must comply to maintain market access.

Important Resources

  1. https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act 
  2. https://en.wikipedia.org/wiki/Cyber_Resilience_Act 
  3. https://training.linuxfoundation.org/express-learning/understanding-the-eu-cyber-resilience-act-cra-lfel1001/ 

Cyber Resilience Act Summary

  • The EU Cyber Resilience Act sets mandatory cybersecurity requirements for any product with digital elements placed on the EU market, and the obligations extend across the full product lifecycle to manufacturers, importers, and distributors. Non-EU companies must comply to keep market access.
  • Core obligations center on security by design, ongoing vulnerability management (including a Software Bill of Materials), automatic security updates by default where feasible, and clear support-period transparency.
  • The timeline is staggered: conformity assessment body provisions apply June 11, 2026, vulnerability and incident reporting obligations begin September 11, 2026, and full compliance is required by December 11, 2027.
  • Manufacturers must report actively exploited vulnerabilities and severe incidents on an escalating cascade: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities (once a fix or mitigation is available) or within one month for severe incidents. These obligations begin September 11, 2026, and submissions go to the relevant national CSIRT and ENISA through the CRA Single Reporting Platform.
  • Non-compliance can carry fines up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, so CRA readiness is a business priority rather than a box-ticking exercise.