The EU Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on December 10, 2024, establishing mandatory cybersecurity requirements for products with digital elements, meaning hardware and software, placed on the EU market. Manufacturers, importers, and distributors must comply with the core obligations by December 11, 2027.
The CRA is the first regulation to mandate security by design and vulnerability handling across the full lifecycle of digital products sold in the EU.
Scope
Products Covered
Any product with digital elements that has a direct or indirect logical or physical data connection to a device or network:
- Software including operating systems, applications, firmware, libraries, SDKs
- Hardware with embedded software including IoT devices, routers, smart home devices, industrial controllers
- Remote data processing including cloud-based components that are integral to a product’s functionality
Products Excluded
Medical devices (covered by MDR/IVDR), motor vehicles (covered by type-approval regulation), aviation equipment (covered by aviation safety regulation), and open-source software developed outside commercial activity (with important nuances described below).
Open Source Considerations
Non-commercial open source is generally excluded, but open source provided in a commercial context (such as part of a paid product or service) is in scope. Open Source Software Stewards (foundations like Apache, Eclipse, Linux Foundation) have lighter obligations covering security policies, vulnerability coordination, and cooperation with market surveillance authorities. This provision was heavily debated and remains a concern for the open source community.
Product Categories
| Category | Examples | Conformity Assessment |
|---|---|---|
| Default | Most consumer software, IoT devices, games | Self-assessment |
| Important (Class I) | Password managers, VPNs, firewalls, OS, routers, smart home hubs | Self-assessment if a harmonized standard is applied; third-party assessment otherwise |
| Important (Class II) | Hypervisors, CPUs, HSMs, smartcard readers, industrial firewalls | Third-party assessment required |
| Critical | Smart meter gateways, hardware security boxes | European cybersecurity certification required |
Key Obligations for Manufacturers
Security by Design
Perform cybersecurity risk assessment during product design and development. Ship products with secure default configuration, meaning no default passwords and unnecessary ports closed. Ensure confidentiality, integrity, and availability of data processed by the product. Minimize the attack surface. Implement access control mechanisms appropriate to the product.
Vulnerability Handling
Establish a coordinated vulnerability disclosure policy. Provide security updates for the product’s expected lifetime or a minimum of 5 years, whichever is shorter. Report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware. Report severe incidents affecting the security of the product to ENISA within 24 hours. Maintain a Software Bill of Materials in machine-readable format identifying all components including open source dependencies.
SBOM Requirements
The CRA makes SBOMs mandatory for all products with digital elements. The SBOM must identify all components including open source libraries and be in a machine-readable format (CycloneDX and SPDX are expected standards). It must be maintained and updated throughout the product lifecycle and made available to market surveillance authorities upon request. The SBOM itself is not required to be made public, but it must exist and be current.
Timeline
| Date | Milestone |
|---|---|
| Dec 10, 2024 | CRA enters into force |
| Jun 11, 2026 | Conformity assessment bodies can begin operating |
| Sep 11, 2026 | Vulnerability and incident reporting obligations take effect |
| Dec 11, 2027 | Full compliance deadline for all obligations |
Penalties
| Violation | Maximum Fine |
|---|---|
| Essential cybersecurity requirements | 15 million euros or 2.5% of global annual turnover |
| Other CRA obligations | 10 million euros or 2% of global annual turnover |
| Incorrect or misleading information to authorities | 5 million euros or 1% of global annual turnover |
Practical Steps
- Inventory your products: determine which products with digital elements are sold in or connected to the EU market.
- Classify each product into the appropriate category (Default, Important Class I/II, or Critical).
- Conduct a gap analysis of current product security practices against the CRA requirements for secure defaults, vulnerability handling, and SBOM.
- Implement SBOM generation by integrating SBOM creation into your CI/CD pipeline using CycloneDX or SPDX.
- Create a public coordinated vulnerability disclosure policy and response process.
- Build the capability to report actively exploited vulnerabilities to ENISA within 24 hours by September 2026.
- Determine whether self-assessment or third-party assessment is required for each product.
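As an added example (not from the regulation or any official guidance), a small CI gate in Python that checks a constructed CycloneDX JSON SBOM for the properties the SBOM Requirements and Practical Steps sections ask for: every component identified by name, version and a package identifier, and the document kept current. The 90-day freshness limit and the purl/cpe identifier rule are assumptions chosen for this example, not CRA text.

```python
"""CI gate: sanity-check a CycloneDX JSON SBOM before a release is cut."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample SBOM in CycloneDX 1.5 JSON shape; not a real product's.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"timestamp": "2025-01-15T09:00:00Z",
                 "component": {"type": "application", "name": "example-app",
                               "version": "2.3.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3"},
        {"type": "library", "name": "left-pad"},  # no version, no identifier
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
    ],
})


def _parse_ts(iso_ts):
    """Parse an ISO-8601 timestamp; CycloneDX commonly writes a trailing 'Z'."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))


def sbom_findings(sbom_json, now_iso=None, max_age_days=90):
    """Return human-readable findings; an empty list means the SBOM passes.
    max_age_days is an assumed policy value, not a CRA figure."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    doc = json.loads(sbom_json)
    findings = []
    if doc.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    ts = doc.get("metadata", {}).get("timestamp")
    if not ts:
        findings.append("metadata.timestamp missing: cannot show the SBOM is current")
    elif now - _parse_ts(ts) > timedelta(days=max_age_days):
        findings.append(f"SBOM is {(now - _parse_ts(ts)).days} days old (limit {max_age_days})")
    comps = doc.get("components", [])
    if not comps:
        findings.append("no components listed")
    for c in comps:  # every component must be identifiable and versioned
        label = c.get("name") or "<unnamed component>"
        if "version" not in c:
            findings.append(f"{label}: no version")
        if not (c.get("purl") or c.get("cpe")):
            findings.append(f"{label}: no purl or cpe identifier")
    return findings


if __name__ == "__main__":
    for line in sbom_findings(SAMPLE_SBOM) or ["SBOM passes"]:
        print(line)
```

In a pipeline, a non-empty findings list would fail the build so an incomplete or stale SBOM never ships with the product.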