What Is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) — officially Regulation (EU) 2024/2847 — is the European Union's first horizontal cybersecurity regulation for products with digital elements. It establishes mandatory cybersecurity requirements for hardware and software products throughout their entire lifecycle, from design through end-of-life.
Because the CRA is a regulation rather than a directive, it applies directly in all EU member states without national transposition, so the same obligations and deadlines hold everywhere in the single market.
Who Does It Apply To?
The CRA applies to manufacturers, importers, and distributors of products with digital elements that are placed on the EU market. "Products with digital elements" is broadly defined and covers:
- Hardware products with embedded software (IoT devices, network equipment, industrial controllers)
- Standalone software products (applications, operating systems, libraries)
- Remote data processing solutions essential to the product's functionality
Exclusions include medical devices (covered by the MDR and IVDR), motor vehicles (covered by type-approval legislation), civil aviation and marine equipment (covered by their own sectoral rules), and products developed or modified exclusively for national security or defence purposes. Free and open-source software supplied outside a commercial activity is also out of scope, and non-commercial "open-source software stewards" are subject only to a light-touch regime.
Product Classification
The CRA categorises products into three classes, each with different conformity assessment requirements:
Default Category
The majority of products fall into this category. Manufacturers can self-assess conformity (Module A, internal control), with harmonised standards providing a presumption of conformity where they are applied. Examples: smart TVs, photo-editing software, basic IoT sensors.
Important Products — Class I
Products listed in Annex III with a higher cybersecurity risk. Self-assessment is only available where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise a third-party assessment is required. Examples: password managers, VPN products, network management systems, operating systems, identity and privileged access management systems, routers and switches for internet connection.
Important Products — Class II
Products in Annex III with the highest cybersecurity risk in the "important" category. Third-party conformity assessment is required (or certification under a European scheme at assurance level "substantial" or higher). Examples: hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers.
Critical Products
A separate category defined in Annex IV for products on which the cybersecurity of many other products depends. Where the Commission mandates it by implementing act, certification under a European cybersecurity certification scheme is required; otherwise the Class II assessment routes apply. Examples: hardware security modules (HSMs), smart meter gateways, smart cards and similar devices including secure elements.
Key Requirements for Manufacturers
Essential Cybersecurity Requirements (Annex I)
Products must be designed, developed and produced on the basis of a cybersecurity risk assessment, and that assessment must be documented. Annex I Part I specifies requirements including:
- Made available without known exploitable vulnerabilities
- Secure by default configuration
- Protection of data confidentiality, integrity and availability, and data minimisation
- Minimisation of attack surfaces and of the impact of an incident
- Appropriate access control mechanisms and protection against unauthorised access
- Security-relevant logging and monitoring
- Secure software update mechanisms, including the ability to roll out security updates separately from functional ones
Vulnerability Handling and Reporting (Article 13, Article 14 and Annex I Part II)
Manufacturers must:
- Identify and document vulnerabilities and components contained in the product, including third-party and open-source components
- Address vulnerabilities without delay and provide security updates free of charge throughout the support period, which must reflect the expected time in use and be at least 5 years unless the product is expected to be used for less
- Establish and publish a coordinated vulnerability disclosure policy, including a contact point for vulnerability reports
- Report actively exploited vulnerabilities and severe incidents affecting the security of the product through the single reporting platform to the designated CSIRT coordinator and ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a corrective measure becoming available (vulnerabilities) or within one month of the notification (incidents)
- Inform affected users of the vulnerability or incident and of the corrective or mitigating measures they can take, and make patches available promptly
Software Bill of Materials
Manufacturers must draw up and maintain an SBOM in a commonly used, machine-readable format (CycloneDX and SPDX are the formats in common use) covering at minimum the top-level dependencies of the product. The SBOM forms part of the technical documentation: it does not have to be published, but it must be made available to market surveillance authorities on request.
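As an added example (not from the regulation or from any real product), the following Python builds a minimal CycloneDX 1.5 SBOM for a constructed firmware product and its top-level dependencies, then runs the checks a reviewer would apply before accepting it as "at least top-level dependencies": every dependency of the root is actually listed as a component, and every component carries a version and a purl so it can be matched against vulnerability advisories. The product, supplier and dependency versions are invented; the spec version, field names and component types are those of CycloneDX 1.5.

```python
"""Build and sanity-check a minimal CycloneDX 1.5 SBOM covering a product's
top-level dependencies. Added example; the product and dependency data below
are constructed, not taken from any real product."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input: the product and its direct (top-level) dependencies.
PRODUCT = {"name": "example-gateway-firmware", "version": "2.4.1", "supplier": "Example GmbH"}
TOP_LEVEL_DEPS = [
    {"name": "openssl", "version": "3.0.13", "ecosystem": "generic"},
    {"name": "mbedtls", "version": "3.6.0", "ecosystem": "generic"},
    {"name": "requests", "version": "2.32.3", "ecosystem": "pypi"},
]


def make_purl(dep):
    """Package URL (purl) identifier; the 'generic' type is used for vendored C libraries."""
    return f"pkg:{dep['ecosystem']}/{dep['name']}@{dep['version']}"


def build_sbom(product, deps, timestamp=None):
    """Return a CycloneDX 1.5 document (as a dict) with a dependency graph rooted at the product."""
    root_ref = f"pkg:generic/{product['name']}@{product['version']}"
    components = []
    for dep in deps:
        purl = make_purl(dep)
        components.append({
            "type": "library",
            "bom-ref": purl,  # bom-ref must be unique; reusing the purl keeps it stable across builds
            "name": dep["name"],
            "version": dep["version"],
            "purl": purl,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        # uuid5 over the root purl makes the serial reproducible for the same release
        "serialNumber": f"urn:uuid:{uuid.uuid5(uuid.NAMESPACE_URL, root_ref)}",
        "version": 1,
        "metadata": {
            "timestamp": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "component": {
                "type": "firmware",
                "bom-ref": root_ref,
                "name": product["name"],
                "version": product["version"],
                "supplier": {"name": product["supplier"]},
            },
        },
        "components": components,
        # Explicit graph: the root depends on every top-level component.
        "dependencies": [
            {"ref": root_ref, "dependsOn": [c["bom-ref"] for c in components]},
            *[{"ref": c["bom-ref"], "dependsOn": []} for c in components],
        ],
    }


def check_top_level_coverage(sbom):
    """Return a list of problems that would defeat the 'at least top-level dependencies'
    requirement. An empty list means the SBOM passes these checks."""
    problems = []
    root = sbom["metadata"]["component"]["bom-ref"]
    refs = {c["bom-ref"] for c in sbom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    if root not in graph:
        problems.append("root component has no dependency entry")
    for ref in graph.get(root, []):
        if ref not in refs:
            problems.append(f"root depends on {ref} which is not listed in components")
    for c in sbom["components"]:
        if not c.get("version"):
            problems.append(f"{c['name']} has no version; it cannot be matched against advisories")
        if not c.get("purl"):
            problems.append(f"{c['name']} has no purl; automated vulnerability lookup will miss it")
    return problems


if __name__ == "__main__":
    doc = build_sbom(PRODUCT, TOP_LEVEL_DEPS)
    print(json.dumps(doc, indent=2))
    print("problems:", check_top_level_coverage(doc) or "none")
```

Keeping the dependency graph explicit (rather than only a flat component list) is what lets an authority or downstream integrator tell which components are the product's own direct dependencies, and the purl is what makes the document useful for the vulnerability-handling obligations, since advisory matching keys on it.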
Conformity Assessment
The required assessment route depends on the product classification. Self-assessment (Module A) is available for default-category products and, when harmonised standards, common specifications or a European certification scheme are applied in full, for Class I products. Third-party assessment by a notified body is mandatory for Class II products and for critical products, either EU-type examination followed by conformity to type (Modules B and C) or full quality assurance (Module H); for critical products the Commission may instead mandate certification under a European cybersecurity certification scheme.
Timeline
The CRA entered into force on 10 December 2024. Key application dates:
- 11 June 2026: Provisions on conformity assessment bodies apply — Notified Bodies must be designated
- 11 September 2026: Vulnerability reporting obligations apply — manufacturers must report actively exploited vulnerabilities to ENISA
- 11 December 2027: All provisions apply in full — products must meet all essential requirements
Relationship with Other Regulations
The CRA complements existing legislation:
- Radio Equipment Directive (RED): radio products subject to the cybersecurity requirements of the RED delegated act (Article 3(3)(d), (e) and (f), harmonised through the EN 18031 series) will also have to meet the CRA once it applies in full. Learn more about RED compliance.
- NIS2 Directive: The CRA covers product security; NIS2 covers organisational and network security for essential and important entities.
- EU Cybersecurity Act: The CRA builds on the certification framework established by the EU Cybersecurity Act.
How to Prepare Now
- Classify your products — determine which CRA category each product falls into
- Conduct a gap analysis — assess your current products and processes against Annex I requirements
- Establish vulnerability handling — set up coordinated disclosure, ENISA reporting workflows, and patch management. The reporting obligations apply from September 2026
- Implement SBOM management — start generating and maintaining SBOMs for all products
- Design for compliance — ensure new products are designed with CRA requirements from the start
- Engage early with Notified Bodies — if your products require third-party assessment, capacity may be limited initially
Our CRA readiness services cover all of these steps. Where products are also subject to the RED delegated act, we recommend aligning CRA preparation with EN 18031 compliance activities, since EN 18031 is the harmonised standard series for those RED requirements.