EU Cyber Resilience Act (CRA) Essential Guide

The Cyber Resilience Act (CRA) is a European Union regulation aimed at ensuring some level of cybersecurity for products with digital elements placed on the EU market depending on its criticality. Its primary objective is to enhance the overall cybersecurity posture by embedding security throughout the entire lifecycle of the product with digital elements, from design and development to post-market support. 

What is the Cyber Resilience Act and why is everyone talking about its impact?

For manufacturers, the CRA represents a significant shift in regulatory expectations, placing clear responsibilities on them to deliver secure products by default and to manage vulnerabilities effectively over time. Understanding and complying with the CRA is essential not only for legal market access but also for maintaining customer trust, avoiding penalties, and staying competitive in an increasingly security-conscious market.

What does 'placing a product on the Union market' mean?

Placing on the market is defined as 'making a product available on the Union market for the first time with a view to its distribution or use within the Union, whether for reward or free of charge and irrespective of the selling technique'.

According to the Blue Guide, it is important to note that a new batch of an existing product will need to be compliant with the new requirements even if the version is the same as before the deadline.

What are the CRA essential cybersecurity requirements and to whom do they apply?

The Cyber Resilience Act applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. The regulation establishes a set of essential cybersecurity requirements aimed at ensuring that products are designed, developed, and maintained with an appropriate level of cybersecurity throughout their entire lifecycle. 

For manufacturers, these essential requirements cover areas such as cybersecurity risk management, secure-by-default configurations, access control, secure data storage, and the establishment of vulnerability handling and incident reporting processes, as set out in Article 14. In addition, products must be accompanied by the relevant Technical Documentation demonstrating compliance with the applicable requirements. This documentation serves as evidence that the product has been designed, developed, and maintained in accordance with the regulatory obligations.

The exact scope and application of these requirements depend on the role of the economic operator, the characteristics of the product, and its classification under the CRA. For an overview of some of the legal responsibilities that manufacturers must fulfil before and after placing products on the market, see our dedicated articles on CRA manufacturer obligations and CRA reporting obligations.

When do companies need to comply with the CRA?

• The regulation entered into force on 10th December 2024. A transition period lasting 36 months followed:
• Reporting obligations became enforceable 21 months after entry, 11th September 2026.
• Technical requirements apply after another 15 months, so by 11th December 2027, full CRA compliance is expected. 

It is important to note that the reporting obligations apply to all products. According to Article 69 (3), obligations extend to all products with digital elements, even those sold before 11 Dec 2027. So, from 11 Sept 2026, any product still on the market, including those placed before 2026, must have processes to detect and report vulnerabilities.

Beyond this high-level timeline, the implementation of the EU Cyber Resilience Act includes a wide range of additional milestones. These include, among others, the designation and accreditation of Notified Bodies, the development and harmonisation of European standards, and the publication of further implementation guidance. These elements are essential to fully understand how and when formal conformity assessments will become available. For a more detailed overview of key milestones and deadlines, please refer to the dedicated guidance on CRA timeline.

The product scope of the Cyber Resilience Act

Which products are in scope of the CRA? Is there any guidance on how to determine product categorization?

The CRA applies to “products with digital elements” (PDEs), which include both hardware and software, as well as associated remote data processing solutions. To be covered, the product’s use must foreseeably involve either a logical or a physical connection to a network or another device.

The categorization of a product under the CRA is the first step, as it determines which conformity assessment procedures will apply. The Regulation foresees different levels of assessment depending on whether a product is classified under the general default category of PDEs or falls within a higher-risk class (Important and Critical).

Products Under Default Category

Those products include most consumer devices with digital elements as well as general software. The main conformity route for this category is self-assessment (Module A) although manufacturers can voluntariry go for a third-party assessment to reduce non-compliance risks. 

Products Under Important Category – Class I 

This category includes a wide range of solutions that traditionally implement specific security functions, such as networking security and authentication. Examples include password managers, antivirus software, routers, VPNs, web browsers, operating systems, and secure chips. It also covers certain consumer products that process sensitive information or critical functions, such as smart home devices, smart toys, and health or personal wearables. Specific standards are being developed for each product category. Once these standards are harmonised and cited in the EUOJ, self‑assessment may become an applicable conformity route for Important Class I. Until then, third‑party assessment remains the only available compliance option.

Products Under Important Category – Class II

This category mainly covers four types of products: hypervisors and containers, firewalls (including IDS/IPS), and tamper‑resistant microprocessors and microcontrollers.
The main difference compared to Class I is that products in this category will require third‑party conformity assessment.

Products Under Critical Category

This category covers three types of products: hardware devices with security boxes, smart cards or similar devices, and smart meter gateways. As many of these products are linked to high‑security applications such as banking or electronic identification (eID), they are typically within the scope of EUCC / Common Criteria certifications. Critical products will also require third‑party conformity assessment, with EUCC representing the most common and appropriate compliance route for most manufacturers.

Guidance for Product Categorization

For more detailed information, you can check in which category your product falls in Annex III and IV of the CRA text. Guidance is expected from the European Commission and implementing acts to help manufacturers and providers determine the correct categorization. In the meantime, the Commission has drafted the technical description of the categories of important and critical products in the Technical description of important and critical products with digital elements.

What products or sectors are excluded?

Excluded from CRA are product categories already regulated by specific EU frameworks:

• Medical devices and in vitro diagnosis medical devices (Regulation (EU) 2017/745 and (EU) No 2017/746)
• Motor vehicles (Regulation (EU) 2019/2144)
• Certified aviation products (Regulation (EU) 2018/1139)
• Marine equipment (Directive 2014/90/EU)
• Identical spare parts (spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications)
• Digital elements developed exclusively for national security (products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information)
• Pure SaaS offerings may be outside scope unless they qualify as remote data processing solutions
• Non-monetized open-source software may also be exempt.

Be careful because pertaining to a sector does not mean you are excluded. The idea behind the CRA is that products covered by other regulations.

CRA standardization context for manufacturers 

Under the Cyber Resilience Act, compliance will be supported by a combination of horizontal standards, as a standardization framework, and product‑specific (vertical) standards for Important and Critical products. These standards are expected to play a key role in demonstrating conformity with the CRA essential requirements. Understanding the status of CRA standardization is therefore particularly important for manufacturers of Important and Critical products, especially where the applicable product‑specific standards are still under development. During this phase, manufacturers remain fully responsible for meeting the CRA essential requirements, which may affect conformity strategies, technical documentation, and assessment routes throughout the transition period.

For an up‑to‑date overview of ongoing standardization activities, consult our CRA standards mapping, and for context on key deadlines and implementation milestones, refer to the CRA timelines and implementation status section.

Are there penalties for non-compliance?

Yes. Some of the defined cases of non-compliance are:

• Non-compliance of essential requirements: Fines up to €15 million or up to 2.5% of worldwide annual turnover.
• Other cases of non-compliance with the obligations set out in Articles like 18 to 23, Article 28, Article 30(1) to (4), Article 31(1) to (4), Article 32(1), (2) and (3), Article 33(5), and Articles 39, 41, 47, 49 and 53 shall be subject to administrative fines of up to €10 million or up to 2 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.
• The supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities in reply to a request shall be subject to administrative fines of up to €5 million or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Best Practices for Compliance Preparation

The best practices for CRA engagement.

• Engage with training and workshops for CRA.
• Verify and evaluate whether your products are 'Products with Digital Elements (PDEs)'. If so, determine their risk class (default, important or critical) and decide the conformity assessment type that can be used and better suits your type(s) of product. Complete our CRA Readiness questionnaire for a better understanding of what is needed. 
• Start documentation and risk assessments early. Include SBOM, technical files, and update processes which contain:
  • General descriptions, indented purpose, user information, and instructions
  • Risk assessment
  • Support periods determination
  • Reports of tests carried out to verify the conformity.
• Design products with cybersecurity in mind from the beginning and throughout the lifecycle: secure by default configurations, best cryptographic mechanisms, secure update mechanisms, vulnerability handling, or incident reporting.
• Verify the obligations for manufacturers, importers and distributors (and authorised representatives).
• Engage with notified bodies or prepare for third-party assessment if products are deemed important or critical or if you do not have enough resources or knowledge to start the conformity process.
• Keep detailed technical and support documentation for at least 10 years or the product’s support lifecycle.

For more detail, check our Cyber Resilience Act compliance hub

How Applus+ Laboratories can help you?

We help our customers get ahead of compliance deadlines by offering:

• Training and Workshops: Practical sessions to build your team’s knowledge of the EU Cyber Resilience Act (CRA) requirements and best general practices.
• CRA Readiness Assessment and Gap analysis: Identification of gaps against the CRA requirements and definition of a roadmap towards compliance. Recommended for companies with products likely affected by the CRA, especially in the Default category, and with limited experience in cybersecurity regulatory requirements.
• CRA Conformity Pre Assessment (Module B+C / H): Preparation of products and technical documentation for conformity assessment under the CRA. As Applus+ progresses through the Notified Body accreditation and notification process, this service enables manufacturers to prepare evidence, tests and documentation that can later be reused during the formal evaluation with a notified body.
• EUCC Certification is expected to be used as a conformity assessment for critical products. Applus+ has wide experience in Common Criteria methodology.