EU Cyber Resilience Act (CRA) – Overview

What is the Cyber Resilience Act – CRA

The Cyber Resilience Act is the first European regulation to set a mandatory minimum level of cybersecurity for products with digital elements placed on the EU market. Before it, no horizontal rule of this kind existed; security requirements were scattered across sector-specific laws or left to the market.

The CRA is a regulation of the European Union, formally Regulation (EU) 2024/2847. It binds manufacturers wherever they are located: a company in the US, Asia or anywhere else that places products on the EU market must meet the same requirements as an EU manufacturer, and importers and distributors must verify that the products they bring in or resell comply.

It covers both hardware and software products whose intended or foreseeable use involves connection (direct or indirect) to a device or network. That includes things like smartphones, laptops, IoT devices (smart-home cameras, smart fridges, connected toys), embedded systems, routers, industrial control systems, and even software with network connectivity.

Free and open-source software that is developed or supplied outside a commercial activity is out of scope of the CRA. The moment open-source software is monetised or integrated into a commercial product, the manufacturer of that product is responsible for it; organisations that act as "open-source software stewards" for such projects have a lighter set of obligations rather than the full manufacturer duties.

Some product categories are excluded because they are already covered by other sector-specific regulation (e.g. certain medical devices, aviation, automotive, defense).

The aim is to raise the level of cybersecurity across the European Union. As a regulation (not a directive), the CRA applies directly in all EU Member States without national transposition, and its obligations phase in over several years.

Timeline & Legal Effect

The CRA entered into force on 10 December 2024. Its obligations phase in as follows:

  • 11 June 2026: the chapter on notification of Conformity Assessment Bodies (CABs) applies, so bodies can be notified and start assessing products.

  • 11 September 2026: the manufacturer reporting obligations apply. Actively exploited vulnerabilities and severe incidents must be reported from this date, and this applies also to products already on the market.

  • 11 December 2027: the regulation applies in full. Products placed on the EU market from this date must meet all requirements; products placed on the market earlier fall under the requirements only if they are substantially modified afterwards (the reporting obligations apply to them regardless).

Source: BSI

Key Requirements & Obligations

Most obligations fall on the manufacturer; importers and distributors must verify that the manufacturer has fulfilled them (CE marking, documentation, contact details) before placing or making a product available on the market. For in-scope products, the CRA demands:

Secure-by-design and secure-by-default

During design and development, implement baseline cybersecurity controls (minimizing attack surface, secure defaults, applying cryptography, access control, integrity protection, etc.).

If you design or manufacture hardware or software intended for the EU market, start including security early: threat modelling, secure defaults, a secure update mechanism, patch management and documentation. Part of this is identifying and documenting the components contained in the product, including a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the product's top-level dependencies. The SBOM is part of the technical documentation; it does not have to be published, but market surveillance authorities may request it.
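As an added illustration (not from the page, from BSI or from any official conformity test), the following Python snippet checks a CycloneDX JSON SBOM for the minimum the paragraph above describes: a machine-readable document that identifies the product and describes each of its top-level dependencies with a name, a version and a package identifier. The SBOM content, the product name and the dependency list are constructed for the example; which fields an assessor will actually expect may go beyond these.

```python
"""Minimal SBOM coverage check for the CRA "top-level dependencies" requirement.

Added example; assumes a CycloneDX 1.5 JSON document. The checks are an
illustration of what "machine-readable, at least top-level dependencies"
means in practice, not an official or complete conformity check.
"""
import copy
import json

# Constructed sample SBOM for a hypothetical product "acme-gateway".
GOOD_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "acme-gateway",
                      "version": "2.4.0", "bom-ref": "acme-gateway@2.4.0"}
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "bom-ref": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "cryptography", "version": "42.0.5",
         "purl": "pkg:pypi/cryptography@42.0.5", "bom-ref": "pkg:pypi/cryptography@42.0.5"},
    ],
    # The dependency graph: which refs the product itself depends on.
    "dependencies": [
        {"ref": "acme-gateway@2.4.0",
         "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/cryptography@42.0.5"]},
    ],
}

# Constructed defective variant: one component without a package URL, and a
# dependency that is referenced but never described.
BAD_SBOM = copy.deepcopy(GOOD_SBOM)
del BAD_SBOM["components"][1]["purl"]
BAD_SBOM["dependencies"][0]["dependsOn"].append("pkg:pypi/urllib3@2.2.1")


def check_sbom(doc: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []
    if doc.get("bomFormat") != "CycloneDX":
        return ["not a CycloneDX document"]

    # The product itself must be identifiable (name, version, bom-ref).
    root = doc.get("metadata", {}).get("component") or {}
    root_ref = root.get("bom-ref")
    if not root_ref or not root.get("name") or not root.get("version"):
        findings.append("metadata.component must identify the product (name, version, bom-ref)")

    # Index described components by their bom-ref.
    by_ref = {c["bom-ref"]: c for c in doc.get("components", []) if c.get("bom-ref")}

    # Find the dependency entry for the product: its direct (top-level) dependencies.
    top_level = [d for d in doc.get("dependencies", []) if d.get("ref") == root_ref]
    if not top_level or not top_level[0].get("dependsOn"):
        findings.append("no top-level dependencies declared for the product")
        return findings

    # Every top-level dependency must be described with name, version and purl.
    for ref in top_level[0]["dependsOn"]:
        comp = by_ref.get(ref)
        if comp is None:
            findings.append(f"dependency {ref!r} is not described in components")
            continue
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                findings.append(f"component {ref!r} is missing {field!r}")
    return findings


def check_sbom_text(text: str) -> list[str]:
    """Same check for an SBOM given as JSON text, e.g. read from a file."""
    return check_sbom(json.loads(text))


if __name__ == "__main__":
    print("good:", check_sbom(GOOD_SBOM))   # prints: good: []
    print("bad: ", check_sbom(BAD_SBOM))    # prints the two findings
```

The check deliberately stops at the product's direct dependencies, which is the floor the regulation sets; a real build pipeline would generate the SBOM from the package manager or build system (CycloneDX and SPDX tooling exists for most ecosystems) and keep transitive dependencies as well, since those are what vulnerability scanners match against.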

Lifecycle security

Maintain security across the lifecycle — through production, deployment, maintenance, updates (patches), and eventual decommissioning.

Prepare to collect and maintain documentation of the build, supply chain components, update and maintenance history, and test results. The support period during which security updates must be provided is determined by the expected product lifetime and must be at least five years unless the product is expected to be in use for a shorter time.

Vulnerability & incident reporting

If the manufacturer becomes aware of an actively exploited vulnerability in a product, or of a severe incident having an impact on the product's security, it must report via the single reporting platform operated by ENISA, with the CSIRT of the manufacturer's Member State acting as coordinator. The deadlines are: an early warning within 24 hours of becoming aware, a vulnerability or incident notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available (for vulnerabilities) or within one month after the incident notification (for incidents). Users affected by the vulnerability must also be informed.

For software vendors — ensure update/patch infrastructure is robust and built-in, and notification processes in place for vulnerabilities.

Documentation & traceability

Maintain technical documentation (including the SBOM, risk assessment, test results and the EU declaration of conformity) and keep it available to authorities for at least ten years after the product was placed on the market or for the support period, whichever is longer.

CE-marking with security

Products that comply must carry the CE-mark, indicating conformity with the CRA’s cybersecurity requirements — similar to CE marking for safety or environmental compliance.

For buyers/customers — expect CE-mark + transparency regarding security posture. Choose vendors who commit to long-term patching and vulnerability response.

Conformity assessments for higher-risk products

Many products (the Commission's estimate is roughly 90%) fall under the "default" tier and can be self-assessed by the manufacturer. "Important" Class I products may still be self-assessed if harmonised standards or common specifications are applied in full; otherwise a third-party assessment is required. For Class II products (e.g. firewalls, intrusion detection and prevention systems, hypervisors) third-party assessment is always required, and for "critical" products (e.g. hardware security modules, smart meter gateways, smartcards) the Commission may additionally mandate certification under a European cybersecurity certification scheme.

Why It Matters

The CRA establishes a common, EU-wide baseline for cybersecurity of digital products. This helps avoid fragmentation where different member states might otherwise have different rules. It forces manufacturers and vendors to adopt security by default + lifecycle security, rather than treating cybersecurity as an optional afterthought. This helps reduce the attack surface and improves resilience against cyber threats.

It increases transparency for consumers and businesses: when they buy a product with digital elements, they can expect a baseline of security and support — including updates and vulnerability management.

For vendors and developers, in enterprise, embedded, IoT or consumer space, it is a legal obligation. Non-compliance with the essential requirements can be fined with up to EUR 15 million or 2.5% of worldwide annual turnover (whichever is higher), and non-compliant products can be withdrawn from, or refused entry to, the EU market once the deadlines lapse.

 

CRA Product Classification

Criteria & Examples

The CRA divides “products with digital elements (PDEs)” into four classification tiers. Classification drives what conformity assessment, certification, and compliance rigour you must apply.

Default
  Criteria: products not listed in the "important" (Annex III) or "critical" (Annex IV) annexes, i.e. no particularly sensitive cybersecurity function and no high risk associated with compromise.
  Examples*: many consumer devices and most software: smart toys without social or tracking features, basic IoT devices, simple smart-home equipment, non-security-critical apps, common consumer electronics.

Important, Class I (Annex III)
  Criteria: products whose core functionality is cybersecurity-relevant (authentication, access control, network access, system functions) but whose compromise carries a lower risk than Class II.
  Examples*: identity management systems and privileged access management software or hardware (including authentication and access control readers), standalone and embedded browsers, password managers, anti-malware software, products with a VPN function, network management systems, SIEM systems, boot managers, PKI and certificate issuance software, operating systems, routers, modems and switches, microprocessors and microcontrollers with security-related functionality, smart-home devices with security functions (smart locks, security cameras, alarm systems), connected toys with social interaction or location tracking, personal wearable health products.

Important, Class II (Annex III)
  Criteria: products whose function involves a significant cybersecurity risk, or whose compromise could have wide or severe impact, especially on many other systems. Third-party conformity assessment is mandatory.
  Examples*: hypervisors and container runtime systems, firewalls, intrusion detection and prevention systems (IDS/IPS), tamper-resistant microprocessors and microcontrollers.

Critical (Annex IV)
  Criteria: products whose compromise could disrupt or control a large number of other products, critical infrastructure, supply chains or sensitive services. The Commission may require certification under a European cybersecurity certification scheme; otherwise they are assessed like Class II products.
  Examples*: hardware devices with security boxes (hardware security modules), smart meter gateways and other devices for advanced security purposes including secure cryptoprocessing, smartcards and similar devices including secure elements.

* These examples reflect the currently published annexes and guidance. The Commission may refine or expand the lists by delegated act.

 

Assessment & conformity requirements per class

Below are examples of software products affected by the Cyber Resilience Act, classified into the CRA categories:

  • Default: not listed in Annex III or IV, low inherent risk

  • Important Class I (Annex III): cybersecurity-relevant function, widely deployed, could be abused at scale

  • Important Class II (Annex III): products with elevated security relevance, such as firewalls, IDS/IPS, hypervisors and container runtimes

  • Critical (Annex IV): hardware central to cybersecurity, identity and cryptography (security boxes, smart meter gateways, smartcards and secure elements)

These classifications follow the CRA's conceptual tiers, not an official certification list, because the exact classification depends on the product's core functionality as intended by the manufacturer and on whether that functionality is listed in Annex III or IV.

Examples of Software Products Classification

Disclaimer: this is my current understanding of products with digital elements (PDEs). There is no official list of categories of products published, or at least I did not find one.

This list was created with help of AI and it is no guarantee to be complete or correct.

Software type: example(s); CRA category; rationale

  • CRM platforms: Salesforce, HubSpot, MS Dynamics; Default; general business software with no listed security function.

  • Blogging/CMS platforms: WordPress, Ghost, Drupal; Default; web software, not a listed category (non-commercial open-source distributions are out of scope).

  • Office productivity tools: LibreOffice, MS Office; Default; widely used but not a security component.

  • Developer tools: IDEs, build systems; Default; not listed in Annex III. Supply-chain exposure does not by itself move a product out of the default tier, although the secure-by-design and vulnerability-handling requirements still apply.

  • Cloud management tooling: AWS CLI tools, Azure Portal extensions; Default, or Important Class I where the core function is network management or privileged access management; pure SaaS portals are generally out of scope unless they constitute remote data processing for a product.

  • Antivirus / endpoint protection: CrowdStrike, Defender, Bitdefender; Important Class I; Annex III lists software that searches for, removes or quarantines malicious software.

  • EDR/XDR platforms: SentinelOne, Trellix, Microsoft XDR; Important Class I; closest listed categories are anti-malware software and SIEM systems.

  • Firewalls (software-based): pfSense, OPNsense, Cisco, Juniper; Important Class II; firewalls and IDS/IPS are explicitly listed as Class II.

  • VPN clients: OpenVPN client, WireGuard clients; Important Class I; products with a VPN function are listed as Class I.

  • Identity & access software: SSO, MFA clients, IdP agents; Important Class I; identity management and privileged access management systems are listed as Class I (not in Annex IV, which covers hardware).

  • Key management & crypto libraries: OpenSSL, libsodium; out of scope when supplied as non-commercial open source, Default when distributed commercially, Important Class I for PKI and certificate issuance software; cryptographic libraries are not a listed Annex III or IV category.

  • Secure configuration agents: MDM agents, compliance agents; Default, or Important Class I where the agent's core function is privileged access management; not otherwise listed.

  • Network monitoring / SIEM: Splunk, Elastic, QRadar; Important Class I; SIEM systems are explicitly listed as Class I.

  • Container security tools: Aqua, Twistlock; Default, or Important Class I if the tool's core function is malware scanning; container runtimes themselves are Class II, tools that protect them are not listed.

 
