
EU Cyber Resilience Act

The first EU-wide horizontal regulation mandating cybersecurity requirements for all hardware and software products with digital elements -- from smart lightbulbs to enterprise operating systems -- throughout their entire lifecycle, with CE marking, SBOM obligations, and vulnerability reporting to ENISA.

EU regulation. In force since Dec 2024. Updated April 2026.
THE ESSENTIALS

Every connected product sold in Europe -- whether it is a baby monitor, a fitness tracker, a router, or an accounting software package -- must meet a baseline of cybersecurity rules before it can carry a CE mark. That is the core idea behind the Cyber Resilience Act, formally Regulation (EU) 2024/2847, which entered into force on 10 December 2024.

Until the CRA, the EU had no single law requiring manufacturers of digital products to build security in from the start and keep their products patched over time. Individual sectors had their own rules, but a cheap smart plug and a complex enterprise firewall faced the same legal vacuum. The CRA closes that gap: if your product connects to a network or to another device, you must design it securely, fix vulnerabilities when they appear, and tell ENISA quickly when something goes wrong.

The regulation does not treat every product equally. A word processor is less risky than an operating system used in hospitals, so the CRA sorts products into four categories -- from "default" (self-assessment is enough) up to "critical" (you need an EU cybersecurity certification scheme). Roughly 90% of products in scope fall in the lightest category, but the higher you go, the more an independent body must verify your work.

Companies have until 11 December 2027 to reach full compliance, but mandatory reporting of actively exploited vulnerabilities and severe incidents kicks in on 11 September 2026. The penalties are substantial (up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaches of the essential requirements), so early preparation matters. The sections below break down every requirement, timeline, and assessment path in detail.

What
EU regulation requiring hardware and software products with digital elements to meet cybersecurity requirements throughout their lifecycle. First horizontal product cybersecurity law in the world.
Who
Manufacturers, importers, and distributors of any product with digital components placed on the EU market -- from consumer IoT to enterprise software. Estimated to affect hundreds of thousands of products.
When
Entered into force 10 December 2024. Vulnerability and incident reporting obligations from 11 September 2026. Full application of the remaining requirements from 11 December 2027.
Penalty
Up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaches of the essential requirements. Up to EUR 10 million or 2% for other non-compliance, and up to EUR 5 million or 1% for supplying incorrect, incomplete or misleading information to notified bodies or authorities. Market surveillance authorities can also order product withdrawal and recall.

The CRA classifies products into four risk-based categories, each with different conformity assessment requirements. Higher risk means stricter third-party oversight.

Default Category
ASSESSMENT: Self-assessment (Module A)

The vast majority of products with digital elements. Manufacturers may self-assess conformity using internal control procedures. Estimated to cover ~90% of products in scope.

EXAMPLE PRODUCTS
Smart home appliances, connected toys, desktop and mobile applications, photo editing software, word processors, smart speakers, hard drives, game consoles

SHARE OF PRODUCTS IN SCOPE (ESTIMATED)
DEFAULT: ~90% of products
IMPORTANT CLASS I: ~6% of products
IMPORTANT CLASS II: ~3% of products
CRITICAL: ~1% of products

When a manufacturer becomes aware of an actively exploited vulnerability in its product, a strict reporting timeline applies. Notifications are submitted through the single reporting platform operated by ENISA and reach both ENISA and the CSIRT designated as coordinator for the Member State in which the manufacturer has its main establishment. The same 24-hour and 72-hour steps apply to severe incidents affecting the security of the product, with a final report due one month after the incident notification.

0h
Awareness MANDATORY
Manufacturer becomes aware of an actively exploited vulnerability in a product with digital elements. The 24-hour and 72-hour clocks below run from this moment.
24h
Early warning MANDATORY
Submit an early warning via the single reporting platform. Must indicate the product affected, the general nature of the exploit, and any corrective or mitigating measures already taken. No patch is required yet.
72h
Vulnerability notification MANDATORY
Provide a vulnerability notification with what is known so far: the product concerned, the general nature of the exploit and of the vulnerability, corrective or mitigating measures taken by the manufacturer and those available to users, and, where applicable, how sensitive the manufacturer considers the notified information.
14d after a fix is available
Final report MANDATORY
Submit a final report within 14 days after a corrective or mitigating measure becomes available (the 14 days do not run from the moment of awareness). It must contain a description of the vulnerability including its severity and impact, information about any malicious actor known to be exploiting it where available, and details of the security update or other corrective measures made available to remedy it. ENISA may request additional information.
Ongoing
Security updates
Provide free security patches for the remainder of the support period. The support period must reflect the time the product is expected to be in use and is at least five years unless the product is expected to be used for a shorter period. Patches must be made available without undue delay, and users must be notified of available updates.

The CRA is the first EU regulation to mandate SBOM as part of technical documentation. Manufacturers must identify and document all software components in their products.

01
Component identification
Document all top-level dependencies included in the product, with supplier name, component name, version, and unique identifier (e.g., CPE, PURL).
02
Vulnerability mapping
Enable correlation between SBOM components and known vulnerabilities (CVE, NVD). Must be kept up to date throughout the support period.
03
Machine-readable format
SBOM must be generated in a standardised, machine-readable format. CycloneDX and SPDX are expected to be referenced in harmonised standards.
04
Confidentiality provisions
SBOM is part of the technical documentation provided to market surveillance authorities. It does not need to be published publicly, but must be available upon request.
05
Dependency depth
At minimum, top-level dependencies must be listed. Deep transitive dependency enumeration is encouraged but not yet mandated pending harmonised standard development.
06
Continuous maintenance
SBOM must be updated when components are added, removed, or updated through security patches. It is a living document for the product lifetime.
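The six points above describe what a CRA-grade SBOM must contain, but not what one looks like or how the vulnerability mapping and maintenance steps work in practice. The following is an added example, not part of the page or of any official guidance: it builds a CycloneDX-shaped JSON SBOM listing a product and its top-level dependencies (supplier, name, version, package URL), checks that every component carries the minimum fields, correlates the components against an advisory feed keyed by package URL, and produces a new SBOM revision after a security patch replaces a component. The product, the components, their package URLs and the advisory identifiers are all constructed placeholders; the feed uses exact-purl matching, whereas real sources such as NVD or OSV match on version ranges.

```python
"""CycloneDX-style SBOM builder, checker and vulnerability mapper.

Added example. The product, dependencies, purls and advisory ids below are
constructed placeholders, not real software or real vulnerabilities.
"""
import copy
import json
from dataclasses import dataclass
from typing import Dict, List

CYCLONEDX_SPEC = "1.5"  # schema version the document declares


@dataclass(frozen=True)
class Component:
    supplier: str   # organisation that supplies the component
    name: str
    version: str
    purl: str       # package URL: the machine-readable unique identifier


def build_sbom(product: Component, top_level_deps: List[Component]) -> dict:
    """Return a CycloneDX-shaped JSON object for the product and its top-level deps."""
    def comp(c: Component, ctype: str) -> dict:
        return {
            "type": ctype,
            "bom-ref": c.purl,
            "supplier": {"name": c.supplier},
            "name": c.name,
            "version": c.version,
            "purl": c.purl,
        }
    return {
        "bomFormat": "CycloneDX",
        "specVersion": CYCLONEDX_SPEC,
        "version": 1,  # SBOM revision number, bumped on every update
        "metadata": {"component": comp(product, "application")},
        "components": [comp(d, "library") for d in top_level_deps],
        # top-level dependency edges only: product -> each direct dependency
        "dependencies": [
            {"ref": product.purl, "dependsOn": [d.purl for d in top_level_deps]}
        ],
    }


REQUIRED_FIELDS = ("supplier", "name", "version", "purl")


def check_sbom(sbom: dict) -> List[str]:
    """Return a list of problems; an empty list means the minimum fields are present."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    for c in sbom.get("components", []):
        for field in REQUIRED_FIELDS:
            value = c.get(field)
            if field == "supplier":
                value = (value or {}).get("name")
            if not value:
                problems.append(f"component {c.get('bom-ref', '?')} missing {field}")
    return problems


def map_vulnerabilities(sbom: dict, feed: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Correlate component purls with advisories in `feed` (purl -> advisory ids).

    Exact-purl matching for illustration; real feeds match on version ranges.
    """
    hits: Dict[str, List[str]] = {}
    for c in sbom["components"]:
        ids = feed.get(c["purl"])
        if ids:
            hits[c["purl"]] = list(ids)
    return hits


def apply_update(sbom: dict, old_purl: str, new: Component) -> dict:
    """Return a new SBOM revision in which `old_purl` is replaced by `new`.

    Models the 'continuous maintenance' step: a security patch swaps a
    component, so the SBOM revision is bumped and the dependency edge updated.
    """
    updated = copy.deepcopy(sbom)
    for c in updated["components"]:
        if c["purl"] == old_purl:
            c.update({"supplier": {"name": new.supplier}, "name": new.name,
                      "version": new.version, "purl": new.purl, "bom-ref": new.purl})
    for dep in updated["dependencies"]:
        dep["dependsOn"] = [new.purl if r == old_purl else r for r in dep["dependsOn"]]
    updated["version"] += 1
    return updated


# Constructed sample data (hypothetical product, suppliers and advisories).
PRODUCT = Component("Example Ltd", "meter-gateway-fw", "3.2.0",
                    "pkg:generic/example-ltd/meter-gateway-fw@3.2.0")
DEPS = [
    Component("Example OSS", "libexampletls", "1.4.0", "pkg:generic/example-oss/libexampletls@1.4.0"),
    Component("Example OSS", "tinyjson", "0.9.4", "pkg:generic/example-oss/tinyjson@0.9.4"),
]
FEED = {"pkg:generic/example-oss/libexampletls@1.4.0": ["ADV-EXAMPLE-0001"]}  # placeholder id

if __name__ == "__main__":
    sbom = build_sbom(PRODUCT, DEPS)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom))
    print("vulnerable:", map_vulnerabilities(sbom, FEED))
    fixed = Component("Example OSS", "libexampletls", "1.4.1", "pkg:generic/example-oss/libexampletls@1.4.1")
    patched = apply_update(sbom, "pkg:generic/example-oss/libexampletls@1.4.0", fixed)
    print("after patch:", map_vulnerabilities(patched, FEED), "revision", patched["version"])
```

Running the script prints the SBOM, an empty problem list, one advisory hit on the constructed TLS library, and no hits after the patch bumps the component to 1.4.1 and the SBOM to revision 2. The `bom-ref` is set to the purl so that the `dependencies` section stays consistent after a swap; a real pipeline would regenerate the document from the build system rather than patch it by hand, but the same three checks (fields present, advisories mapped, revision bumped) are what an authority asking for the technical documentation will expect to see.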

The assessment path depends on the product classification. Higher-risk products require greater involvement from notified bodies.

A
Module A: internal control
Default products (and important Class I products that fully apply harmonised standards, common specifications, or a relevant European cybersecurity certification scheme)
Manufacturer self-assesses against the essential requirements. Must maintain technical documentation, perform a cybersecurity risk assessment, and issue an EU declaration of conformity.
B+C
Module B + C: EU-type examination plus internal control
Important Class I (without full application of harmonised standards) and Important Class II
A notified body examines the technical design and a specimen of the product (Module B); the manufacturer then ensures production conformity through internal control (Module C).
H
Module H: full quality assurance
Important Class I and II (alternative to B+C)
A notified body approves and monitors the manufacturer's quality management system covering design, production, and final product verification.
EU
EUCC or another EU cybersecurity certification scheme
Critical products
Where the Commission has required it, critical products must be certified under an applicable European cybersecurity certification scheme established under the Cybersecurity Act, at assurance level "substantial" or higher; until such a requirement exists, critical products follow the Important Class II routes above. This is the most demanding assessment path.

The CRA assigns different obligations depending on your role in the supply chain: manufacturer (MFR), importer (IMP), or distributor (DIST).

OBLIGATION | MFR | IMP | DIST
Ensure product meets essential cybersecurity requirements
Conduct cybersecurity risk assessment
Prepare technical documentation (incl. SBOM)
Perform conformity assessment
Draw up EU declaration of conformity
Affix CE marking
Verify CE marking and documentation exist
Handle and report vulnerabilities to ENISA
Provide security updates (min. 5 years)
Inform manufacturer of discovered vulnerabilities
Ensure proper storage/transport conditions
Cooperate with market surveillance authorities
Include name and contact info on product/packaging
Withdraw non-compliant products from market

The CRA uses a phased rollout. Companies have until December 2027 for full compliance, but vulnerability reporting starts in September 2026.

COMPLETE (Dec 2024)
Entry into force
CRA published and enters into force
Transition period begins
Standardisation requests issued to CEN/CENELEC
IN PROGRESS (Jun 2026)
Notified body preparation
Member States designate conformity assessment bodies
Notification procedures for notified bodies
Harmonised standards development underway
UPCOMING (Sep 2026)
Vulnerability reporting
Mandatory vulnerability and severe incident reporting begins
ENISA single reporting platform operational
24h/72h reporting obligations active; final vulnerability report due 14 days after a fix is available
UPCOMING (Dec 2027)
Full application
All essential cybersecurity requirements applicable
Conformity assessment mandatory for market placement
CE marking must reflect CRA compliance
Market surveillance enforcement begins

The CRA sits within a complex web of EU digital legislation. Understanding overlaps and demarcations is critical to avoid double compliance and exploit synergies.

01
Security by design
Build products with appropriate cybersecurity measures from the design phase, including secure defaults.
02
Vulnerability handling
Establish coordinated vulnerability disclosure policies and provide security updates for at least 5 years.
03
Incident reporting
Report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware.
04
Conformity assessment
Undergo conformity assessment (self-assessment or third-party) before placing products on the market.
05
SBOM documentation
Maintain a software bill of materials (SBOM) and technical documentation for each product.
06
CE marking
Affix CE marking to products that comply with all applicable CRA requirements.

For software manufacturers:

KEY OBLIGATIONS
Ensure software products meet essential cybersecurity requirements before market placement
Conduct cybersecurity risk assessments and maintain technical documentation
Implement vulnerability handling and provide security updates for product lifetime (min 5 years)
Report actively exploited vulnerabilities to ENISA within 24 hours
Obtain CE marking indicating CRA conformity
YOUR FIRST STEP

Inventory all software products you place on the EU market and assess each against CRA essential cybersecurity requirements and risk categorisation

RELATED EU LEGISLATION (jurisdiction, title, status)

EU: Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance). Adopted.
EU: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance). Adopted.
EU: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance). Adopted.
EU: Commission Implementing Regulation (EU) 2023/203 of 27 October 2022 laying down rules for the application of Regulation (EU) 2018/1139 of the European Parliament and of the Council, as regards requirements for the management of information security risks with a potential impact on aviation safety for organisations covered by Commission Regulations (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664, and for competent authorities covered by Commission Regulations (EU) No 748/2012, (EU) No 1321/2014, (EU) No 965/2012, (EU) No 1178/2011, (EU) 2015/340 and (EU) No 139/2014, Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664 and amending Commission Regulations (EU) No 1178/2011, (EU) No 748/2012, (EU) No 965/2012, (EU) No 139/2014, (EU) No 1321/2014, (EU) 2015/340, and Commission Implementing Regulations (EU) 2017/373 and (EU) 2021/664. Adopted.
EU: Decision (EU) 2025/1654 of the European Parliament of 7 May 2025 on the closure of the accounts of the European Union Agency for Cybersecurity for the financial year 2023. Adopted.
EU: Decision (EU) 2025/1653 of the European Parliament of 7 May 2025 on discharge in respect of the implementation of the budget of the European Union Agency for Cybersecurity for the financial year 2023. Adopted.
EU: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance). Adopted.
EU: Decision (EU) 2024/2315 of the European Parliament of 11 April 2024 on discharge in respect of the implementation of the budget of ENISA (European Union Agency for Cybersecurity) for the financial year 2022. Adopted.
EU: Decision (EU) 2024/2317 of the European Parliament of 11 April 2024 on the closure of the accounts of ENISA (European Union Agency for Cybersecurity) for the financial year 2022. Adopted.
EU: Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC). Adopted.