Cyber Resilience Act: Implementation Status October 2025

17/10/2025

    What We Know, What’s Still Unclear, and What We Can Already Prepare For

    The Cyber Resilience Act (CRA) is reshaping the cybersecurity landscape for digital products in the European Union. While some regulatory details are still pending clarification, the framework already provides manufacturers and laboratories with a solid foundation to begin preparing. This article summarizes key insights from the Applus+ Laboratories webinar titled CRA: What We Know & What We Don’t Know (Yet), and aligns them with the latest official publications. The video recording is available alongside this article.

    CRA Framework at a Glance

    The CRA applies to most connected hardware and software products, with full enforcement expected by December 2027. By September 2026, manufacturers must begin reporting actively exploited vulnerabilities and severe incidents. The regulation mandates cybersecurity by design and by default, continuous vulnerability management, and comprehensive technical documentation. These elements are well-established and have been covered extensively in previous Applus+ Laboratories publications.

    CRA Conformity Assessment Models: Defined Routes, Pending Guidance

    The CRA outlines several conformity assessment models, each tied to the product’s classification and risk level:

    • Module A (Self-Assessment): For default products, allowing manufacturers to declare conformity without external validation.
    • Modules B+C (Type Examination + Production Control): Involves a notified body for design validation (Module B) and internal production control (Module C).
    • Module H (Quality System Audit): A conformity assessment based on auditing the manufacturer’s quality system and processes to ensure they meet CRA requirements.
    • European Certification Schemes: Such as EUCC or EUCS, which may offer partial or full presumption of conformity if recognized by the European Commission.

    Spotlight on Module H

    As of October 2025, Module H has emerged as a particularly hot topic. It offers a potentially efficient route to compliance by leveraging audits of a manufacturer’s quality management system—similar in structure to ISO 9001—rather than requiring product-by-product testing. This model could be especially attractive for manufacturers with mature internal processes.

    However, several aspects remain unresolved:

    • There is no official guidance yet on how Module H will be applied in the context of the CRA.
    • It is unclear what level of audit depth will be required or how it will be harmonized with existing quality standards.
    • The criteria for notified body accreditation under Module H are still under development, raising questions about consistency and scope across different product types.

    Despite these gaps, organizations like Applus+ Laboratories are already working on modular approaches aligned with the New Legislative Framework (NLF) to prepare for Module H implementation.

    CRA Harmonized Standards: A Moving Target

    European standards organizations are actively developing harmonized standards to support CRA compliance. These include:

    • Horizontal standards: Framework-level standards that apply across product types and uses and serve as the basis for the vertical standards.
    • Vertical standards: Specific to product categories such as identity management systems, operating systems, or tamper-resistant microprocessors and microcontrollers. Such standards are currently being developed for Important Class I and Class II products and for Critical products.

    At the time of publication:

    • Vertical harmonized standards will offer presumption of conformity, simplifying the compliance process.
    • Their use is voluntary, but highly recommended.

    However, several questions remain:

    • The final list of applicable standards has not yet been published, although standardization stakeholders are actively working on them.
    • Not all product types may have dedicated vertical standards in time for the 2027 deadline. No vertical standards are currently planned for default products or types of default products, which make up an estimated 90% of the market, although the horizontal framework standards can still be used for reference. This raises concerns about how these products will demonstrate compliance without tailored guidance.

    CRA Manufacturer Obligations: Clear Requirements, Complex Implementation

    The CRA imposes a comprehensive set of obligations on manufacturers, including:

    • Meeting the essential cybersecurity requirements outlined in Annex I (Parts 1 and 2), covering both product security properties and vulnerability handling.
    • Conducting risk assessments based on intended use, foreseeable misuse, and deployment context.
    • Performing due diligence on all components, including third-party and open-source software, to ensure they meet CRA requirements—even if they are not yet regulated or sold in the EU.
    • Maintaining a machine-readable Software Bill of Materials (SBOM) to track all software components.
    • Providing security updates throughout the product’s support period.
    • Preparing detailed technical documentation (Annex VII) and end-user guidance (Annex II), including secure configuration instructions, contact points for vulnerability reporting, and declarations of conformity.

    At the time this article was drafted, while these obligations are well-defined in the regulation, practical implementation remains challenging:

    • Manufacturers must establish internal processes for continuous vulnerability monitoring and response.
    • Guidance is still expected on how to handle open-source components and legacy products already in the market.
    • The requirement to report vulnerabilities for products sold before December 2027 (per Article 69.3) adds complexity to lifecycle management.

    CRA Reporting Obligations: Strict Timelines, Operational Complexity

    Under the CRA, manufacturers must report:

    • Actively exploited vulnerabilities
    • Severe cybersecurity incidents

    These must be reported to ENISA and the designated CSIRT via a single reporting platform, following strict timelines:

    • Within 24 hours: Early warning.
    • Within 72 hours: Notification with initial assessment and mitigation plan.
    • Within 14 days: Final report for vulnerabilities.
    • Within 1 month: Final report for incidents.

    Conclusion

    While the CRA’s foundational requirements are clear, many technical and procedural details are still evolving. As of October 2025, manufacturers can already begin preparing in key areas such as product classification, documentation, vulnerability management, and reporting. Staying informed and engaged with regulatory updates will be essential to ensure compliance and maintain market access.
