The Cyber Resilience Act (CRA) regulates the security of products with digital elements in the EU. Learn about scope, manufacturer obligations and CE marking.
Scope and application of the CRA
The Cyber Resilience Act essentially applies to all products with digital elements (i.e., that are or contain software), that have a network or device connection and are placed on the EU market.
However, products already regulated by other EU legislation—such as medical devices, vehicles or aviation—are excluded. Defence goods, spare parts and products for which the Commission has adopted an exemption are also not covered. The regulation mainly aims to harmonize and strengthen cybersecurity requirements for most connected products in the EU.
A special role in the scope is played by Open Source Software and cloud solutions or Software-as-a-Service (SaaS).
Open Source Software
Open-source software is not exempt as such. Article 3(48) defines "free and open-source software" as software whose source code is openly shared and made available under a free and open-source licence that allows it to be accessed, used, modified and redistributed freely. Whether a particular open-source product is covered depends on whether it is made available on the EU market in the course of a commercial activity; non-monetised development does not by itself trigger the manufacturer obligations. For open-source products that are intended for commercial use but are supported by a legal person that does not monetise them, Article 24 requires that "open-source software steward" to put in place a cybersecurity policy and to cooperate with market surveillance authorities in mitigating risks.
Cloud and software as a service (SaaS)
SaaS and cloud solutions fall under the Cyber Resilience Act only where they constitute "remote data processing" within the meaning of Article 3(2), i.e. processing at a distance that is designed by or under the responsibility of the manufacturer and without which the product could not perform one of its functions. A cloud service or SaaS offering that is not the remote data processing solution of such a product is not a "product with digital elements" under Article 3(1) and is therefore outside the Regulation.
Scope of the CRA — products with digital elements
In essence, all connected software, hardware and electronic products with data processing capabilities fall under the term “products with digital elements”.
According to Article 2 (Scope), the Cyber Resilience Act applies to:
> products with digital elements that are made available on the market and whose intended use or reasonably foreseeable use implies a direct or indirect logical or physical data connection to a device or network.
“Products with digital elements” (Article 3) are any software or hardware product and their remote data processing solutions, including software or hardware components placed on the market separately.
The core of the definition is that these are electronic information systems that can process, store or transmit digital data. This includes both software components and physical hardware components.
Remote data processing solutions are data processing at a distance for which the software is designed and developed by the manufacturer, or under the manufacturer's responsibility, and whose absence would prevent the product from performing one of its functions (Article 3(2)).
Products may have a logical (virtual) and/or physical (electrical, optical, mechanical) connection to other devices or networks, either directly or indirectly as part of a larger system.
Exemptions from the CRA scope
The CRA applies broadly to most products with digital elements connected to devices or networks when placed on the EU market. It does not apply, however, to products already regulated elsewhere. These include:
Medical devices
Products with digital elements covered by Regulation (EU) 2017/745 on medical devices (Article 2(2a)).
In vitro diagnostics
Products with digital elements covered by Regulation (EU) 2017/746 on in vitro diagnostic medical devices (Article 2(2b)).
Components for motor vehicles
Products with digital elements covered by Regulation (EU) 2019/2144 on motor vehicles (Article 2(2c)).
Civil aviation
Products with digital elements certified under Regulation (EU) 2018/1139 on aviation safety (Article 2(3)).
Ship equipment
Equipment falling under Directive 2014/90/EU on marine equipment (Article 2(4)).
Products with a higher security level
Products with digital elements covered by other EU legislation that meet an equivalent or higher level of cybersecurity, as determined by the Commission in delegated acts (Article 2(5)).
Spare parts
Spare parts that replace identical components in existing products with digital elements (Article 2(6)).
National security and defence
Products developed or modified exclusively for national security, defence or processing classified information (Article 2(7)).
Obligations of manufacturers of products
Manufacturers of products with digital elements have numerous obligations to ensure the cybersecurity and conformity of their products. These obligations include:
Risk management and conformity with essential requirements
Manufacturers must ensure that their products are designed, developed and produced in line with the essential requirements, including the cybersecurity requirements set out in Annex I, Part I (Article 13(1)).
To comply, manufacturers must carry out a cybersecurity risk assessment and take it into account throughout the product lifecycle, including planning, design, development, production, delivery and maintenance (Article 13(2)).
The risk assessment must be documented, kept up to date and included in the technical documentation prepared at market placement (Article 13(3)-(4)).
Manufacturers must exercise due diligence when integrating components, including third-party and open-source components, so that they do not compromise the product's cybersecurity. This applies also to open-source components that have not been made commercially available (Article 13(5)).
Provision of updates and remediation of vulnerabilities
When a manufacturer identifies a vulnerability in a component, including an open-source component, it must report the vulnerability to the person or entity that manufactures or maintains the component and must itself address and remediate the vulnerability in its product (Article 13(6)).
Manufacturers must systematically document the cybersecurity aspects of products and update the risk assessment accordingly (Article 13(7)).
Manufacturers must ensure that vulnerabilities are effectively handled throughout the support period. The support period must reflect the expected time the product will be in use and must be at least five years, unless the product is expected to be in use for less than five years (Article 13(8)).
Each security update issued during the support period must remain available for at least ten years after it has been issued or for the remainder of the support period, whichever is longer (Article 13(9)).
Where a manufacturer places substantially modified subsequent versions of a software product on the market, it may limit vulnerability handling under Annex I, Part II, point 2 to the latest version only if users of the earlier versions have free access to the latest version and incur no additional costs to adapt their hardware and software environment (Article 13(10)).
Technical documentation and conformity assessment
Manufacturers must prepare technical documentation, carry out or have carried out conformity assessment procedures, issue the EU declaration of conformity and affix the CE marking (Article 13(12)).
The technical documentation and the EU declaration of conformity must be kept for at least ten years after the product is placed on the market or for the support period, whichever is longer (Article 13(13)).
Manufacturers must ensure that products produced as part of a series remain compliant (Article 13(14)).
Product labelling and information for users
Manufacturers must ensure their products bear a unique identification number and that their contact information is provided on the product or packaging (Article 13(15)-(16)).
Manufacturers must designate a single point of contact to enable users to communicate directly and promptly, and ensure that this contact is easily identifiable (Article 13(17)).
Products must be supplied with the information and instructions for users listed in Annex II, which must remain available for at least ten years after the product is placed on the market or for the support period, whichever is longer (Article 13(18)).
The end date of the support period must be indicated clearly and understandably at the time of purchase (Article 13(19)).
Manufacturers must provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity together with the product (Article 13(20)).
Corrective actions and cooperation with authorities
Manufacturers must promptly take corrective measures to bring the product or processes into compliance if they are not compliant (Article 13(21)).
At the request of market surveillance authorities, manufacturers must provide all necessary information and documentation and cooperate in measures to eliminate cybersecurity risks (Article 13(22)).
Manufacturers who cease their business activities must inform the relevant market surveillance authorities and, where possible, users about the planned discontinuation (Article 13(23)).
These comprehensive obligations ensure that manufacturers are responsible for the security and conformity of their digital products and take the necessary measures to minimise potential cybersecurity risks.
Essential requirements of the CRA
Article 13 requires manufacturers to ensure their products are designed, developed and produced in accordance with the essential requirements, which include the cybersecurity requirements in Annex I, Part I.
Fundamentally, the Cyber Resilience Act requires a risk-based approach to product development. This is reflected in the first requirement:
- Appropriate cybersecurity level based on risks (Part I, paragraph 1) Example: A manufacturer conducts a risk assessment and implements appropriate security measures for its internet-enabled product.
Further requirements must be implemented based on the risk assessment:
- No known exploitable vulnerabilities at market placement (Part I, paragraph 2a) Example: All known vulnerabilities are remedied before market placement.
- Secure default configuration (Part I, paragraph 2b) Example: The product ships with unnecessary services disabled and without a shared default password (credentials are unique per device or set by the user at first use), and it can be reset to this secure original state.
- Vulnerabilities addressable by security updates (Part I, paragraph 2c) Example: The product notifies users of available updates and installs security updates automatically by default, with a clear opt-out for the user.
- Prevention of unauthorised access through access control (Part I, paragraph 2d) Example: Multi-factor authentication and user access management are implemented.
- Confidentiality of data protected by encryption (Part I, paragraph 2e) Example: Stored and transmitted data are protected by encryption.
- Integrity of data, commands and configurations protected (Part I, paragraph 2f) Example: Digital signatures and integrity checks are used to detect unauthorised modifications.
- Data minimisation (Part I, paragraph 2g) Example: Only data necessary for functionality are collected and processed.
- Core functions remain available after incidents (Part I, paragraph 2h) Example: Redundant architectures and DDoS protection measures are implemented.
- Minimal negative impact on other devices and networks (Part I, paragraph 2i) Example: Restricted network access and bandwidth controls are implemented.
- Attack surface minimisation (Part I, paragraph 2j) Example: Unused ports, services and interfaces are disabled.
- Damage limitation in incidents (Part I, paragraph 2k) Example: Mechanisms such as sandboxing, least-privilege principles and address space layout randomisation (ASLR) are used.
- Security monitoring and logging (Part I, paragraph 2l) Example: Security-relevant events are logged and monitored.
- Secure data sanitisation (Part I, paragraph 2m) Example: Users can perform a complete and secure wipe of all data and settings.
In addition, manufacturers must ensure that vulnerabilities are effectively addressed throughout the support period.
Essential requirements for this include:
- Documentation of vulnerabilities and components (Part II, paragraph 1) Example: A software bill of materials (SBOM) is provided in a common, machine-readable format.
- Timely remediation of vulnerabilities (Part II, paragraph 2) Example: Security updates are published without delay once a vulnerability is discovered and, where technically feasible, separately from functionality updates.
- Regular security testing (Part II, paragraph 3) Example: Penetration tests and code reviews are performed routinely.
- Disclosure of remediated vulnerabilities (Part II, paragraph 4) Example: Details about vulnerabilities and security updates are published.
- Coordinated vulnerability disclosure (Part II, paragraph 5) Example: A policy for timely remediation and controlled disclosure of vulnerabilities is implemented.
- Point of contact for vulnerability reports (Part II, paragraph 6) Example: A secure communication channel for reporting vulnerabilities is provided.
- Secure distribution of updates (Part II, paragraph 7) Example: Security updates are distributed via encrypted and authenticated channels.
- Timely and free provision of security updates (Part II, paragraph 8) Example: Security updates are disseminated without delay and free of charge (except where otherwise agreed with a business user for a tailor-made product), accompanied by advisory messages telling users what action to take.
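As an added illustration of the integrity requirement (Part I, paragraph 2f), the updatability requirement (Part I, paragraph 2c) and the secure update distribution requirement (Part II, paragraph 7) listed above, the following Go program signs an update manifest with Ed25519 and shows the checks a device should run before installing an update. It is example code written for this page, not code from the CRA, ENISA or any manufacturer; the manifest layout, the product name "sensor-gw" and the anti-rollback rule (reject any version not newer than the one installed) are assumptions chosen for the example, and the sample payload is constructed. It demonstrates authenticity and integrity of the update package; confidentiality of the transfer channel (the "encrypted" half of the Part II example) is provided separately, for instance by TLS, and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed metadata for one update package.
// The layout is an assumption made for this example, not a CRA-mandated format.
type Manifest struct {
	Product string `json:"product"` // product the update is intended for
	Version uint64 `json:"version"` // monotonically increasing build number
	SHA256  string `json:"sha256"`  // hex SHA-256 of the payload; binds payload to manifest
}

// SignedUpdate is what the update server delivers to the device.
type SignedUpdate struct {
	ManifestJSON []byte // the exact bytes that were signed
	Signature    []byte // Ed25519 signature over ManifestJSON
	Payload      []byte // the firmware or software image itself
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update version is not newer than the installed version")
	ErrPayloadHash  = errors.New("payload hash does not match the signed manifest")
)

// BuildUpdate runs in the manufacturer's release pipeline: hash the payload,
// serialise the manifest and sign the serialised bytes with the release key.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint64, payload []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(payload)
	m := Manifest{Product: product, Version: version, SHA256: hex.EncodeToString(sum[:])}
	mj, err := json.Marshal(m)
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Payload: payload}, nil
}

// VerifyUpdate runs on the device. The signature is checked before any manifest
// field is trusted; only then are product, version and payload hash compared.
// installed is the version currently running and drives the anti-rollback check.
func VerifyUpdate(pub ed25519.PublicKey, product string, installed uint64, u SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return Manifest{}, ErrWrongProduct
	}
	if m.Version <= installed {
		return Manifest{}, ErrRollback
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrPayloadHash
	}
	return m, nil
}

func main() {
	// Release key pair; in production the private half stays in an HSM or signing service.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample firmware image, version 2")
	u, err := BuildUpdate(priv, "sensor-gw", 2, payload)
	if err != nil {
		panic(err)
	}
	// A device running version 1 accepts the genuine update.
	m, err := VerifyUpdate(pub, "sensor-gw", 1, u)
	fmt.Println("genuine update:", m.Version, err)
	// Payload altered in transit while the signed manifest is left untouched.
	tampered := u
	tampered.Payload = append([]byte("X"), payload...)
	_, err = VerifyUpdate(pub, "sensor-gw", 1, tampered)
	fmt.Println("tampered payload:", err)
	// The same genuine update replayed against a device already on version 2.
	_, err = VerifyUpdate(pub, "sensor-gw", 2, u)
	fmt.Println("replayed update:", err)
}
```

The order of checks is deliberate: nothing in the manifest is read until the signature over its exact bytes has verified, and the payload is compared against the hash inside the signed manifest rather than against a hash sent alongside it, so an attacker who can modify the download cannot substitute both. The version comparison is what stops a signed but outdated package from being re-served to downgrade a device to a version with a known vulnerability.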
Reporting obligations of the CRA
Manufacturers must report vulnerabilities and security-relevant incidents comprehensively and in a timely manner to ensure product cybersecurity and enable a rapid response to threats.
These reporting obligations include notifications to the competent CSIRT and to ENISA via a single reporting platform. Timeframes are defined to ensure information on vulnerabilities and security-relevant incidents is transmitted promptly and accurately.
Below are the detailed manufacturer obligations for vulnerabilities and security-relevant incidents, including the associated timeframes.
Handling vulnerabilities
Manufacturers must promptly report actively exploited vulnerabilities discovered in their products to minimise exploitation by attackers. Reports must be made within specified timeframes to ensure relevant authorities can act quickly.
First warning
The first warning must be made within 24 hours of becoming aware of an actively exploited vulnerability. This warning must be sent to the competent CSIRT and ENISA and include an early warning about the vulnerability and the Member States where the product is available (Article 14(2)(a)).
Detailed report
Within 72 hours of becoming aware of the vulnerability, a detailed vulnerability report must be sent to the competent CSIRT and ENISA. This report must contain general information about the affected product, the general nature of the vulnerability and exploits, corrective or mitigation measures taken and measures users can take. It must also indicate the sensitivity of the information reported (Article 14(2)(b)).
Final report
At the latest 14 days after a corrective measure becomes available, a final report must be submitted to the competent CSIRT and ENISA. This report must include a detailed description of the vulnerability, including severity and impact, information about the attacker (if available) and details of the corrective measures taken (Article 14(2)(c)).
Handling security-relevant incidents
Manufacturers must also report serious security incidents that may affect the security of their products. These reports must be made within defined timeframes to ensure impacts are minimised and countermeasures implemented rapidly.
First warning
The first warning must be made within 24 hours of becoming aware of the security-relevant event. This notification must be sent to the competent CSIRT and ENISA and contain a preliminary description of the incident, including whether it is suspected to be due to unlawful or malicious activity, and information on affected Member States (Article 14(4)(a)).
Detailed report
Within 72 hours of becoming aware of the incident, a detailed incident report must be sent to the competent CSIRT and ENISA. This report must include general information about the incident, an initial assessment, corrective or mitigation measures taken and actions users can take. The sensitivity of the information must also be indicated (Article 14(4)(b)).
Final report
Within one month of the detailed report, a final report must be submitted to the competent CSIRT and ENISA. This report must include a detailed description of the incident, including severity and impact, the nature of the threat or cause and corrective and ongoing countermeasures (Article 14(4)(c)).
Notification of users
Manufacturers must inform affected users and, where necessary, all users about actively exploited vulnerabilities or security incidents. These communications must include risk mitigation and remediation measures users can take (Article 14(8)).
Obligations of other actors
In addition to product manufacturers, the Cyber Resilience Act defines requirements for importers and distributors of products and for open-source software stewards.
Importers
Under Article 19, importers may only place products on the market that fulfil the essential requirements. They must ensure the manufacturer has carried out conformity assessment procedures, that technical documentation is available and that the CE marking is affixed. They must also provide their name and contact details on the product, packaging or accompanying documents. In the event of non-conformity or security risks, they must take action and inform the authorities. The EU declaration of conformity and technical documentation must be kept for at least ten years, and importers must cooperate with market surveillance authorities on request.
Distributors
Under Article 20, distributors must act with due care and ensure the product bears the CE marking and meets the requirements. They must check whether the manufacturer and importer have provided the required information and markings. If they suspect non-conformity or security risks, they must not place the product on the market and must inform the manufacturer and market surveillance authorities. Distributors must also cooperate with authorities and provide relevant information upon request.
Open-source software stewards
The CRA recognises the special role of free and open-source software (FOSS). Products that qualify as FOSS can in many cases demonstrate conformity through internal control (self-assessment) even where they fall into an important product category, provided the technical documentation is made publicly available (Article 32(5)). The CRA also introduces the concept of an "open-source software steward" for legal persons that support FOSS projects intended for commercial activities without directly monetising them.
These stewards have specific, though less extensive, obligations than manufacturers. Article 24 requires open-source software stewards to put in place and document a cybersecurity policy that promotes secure development and effective vulnerability handling. They must cooperate with market surveillance authorities and provide the required documentation on request. To the extent they are involved in the development of the product, stewards must also report actively exploited vulnerabilities and severe incidents affecting the security of the product.
The detailed impact of the CRA on the open-source community, including the related challenges and opportunities, is examined further in the article "Der Cyber Resilience Act und seine Auswirkungen auf Open-Source-Software" (The Cyber Resilience Act and its impact on open-source software).
Noncompliance with the CRA
Sanctions and consequences for noncompliance with the Cyber Resilience Act are structured and tailored to different types of violations to ensure product security:
- Noncompliance with essential requirements: Failure to meet the essential cybersecurity requirements in Annex I or obligations under Articles 13 and 14 may be fined up to 15 million euros or up to 2.5% of the worldwide annual turnover of the preceding financial year, whichever is higher.
- Violations of procedural and labelling obligations: Violations such as improper affixing of the CE marking, absence of the EU declaration of conformity or failure to maintain technical documentation may be fined up to 10 million euros or up to 2% of worldwide annual turnover. This category also includes noncompliance by importers and distributors.
- False statements and misleading information: Providing incorrect, incomplete or misleading information to notified bodies or market surveillance authorities, especially when responding to their requests, may be fined up to 5 million euros or up to 1% of worldwide annual turnover.
When determining fines, the nature, gravity and duration of the infringement and the economic impact on the affected market are considered in each individual case. The aim of these sanctions is to achieve a strong deterrent effect while maintaining proportionality in order to improve digital single market security.
Implementation of the CRA and IEC 62443
The IEC 62443 standards series plays an important role in implementing the Cyber Resilience Act. In particular, IEC 62443-4-1, IEC 62443-4-2 and IEC 62443-3-3 address central CRA requirements in the areas of security requirements and vulnerability management.
The mapping published by ENISA showing the relationship of CRA requirements to various standards confirms this relevance. It demonstrates how IEC 62443 covers many CRA requirements, particularly for industrial automation and control systems. The standards series therefore provides a valuable framework for manufacturers to systematically implement CRA provisions. At the same time, the ENISA mapping highlights gaps that further standardisation work must close.
Overall, IEC 62443 helps companies meet the CRA’s regulatory requirements and improve the cybersecurity of their products.
Harmonised standards for the Cyber Resilience Act
A key element of CRA implementation are harmonised standards that provide manufacturers with concrete technical specifications to meet the essential cybersecurity requirements. Products developed in accordance with harmonised standards benefit from a presumption of conformity with the corresponding CRA requirements.
The standardisation for the CRA follows a two‑part approach:
Horizontal standards — EN 40000 series
Horizontal standards apply across product categories for all products with digital elements. They are developed by CEN/CENELEC and define:
- prEN 40000-1-1 (Vocabulary): unified terminology for the entire standards family
- prEN 40000-1-2 (Principles for Cyber Resilience): four fundamental principles (risk-based approach, security by design, secure by default, transparency) plus six risk management elements and eleven cybersecurity activities across the product lifecycle
Other planned horizontal standards:
- Generic security requirements (control catalogue)
- Vulnerability handling requirements
Vertical standards — ETSI EN 304 6xx series
Vertical standards specify the horizontal requirements for specific product categories. ETSI published first drafts in September 2025:
- EN 304 618: Password managers
- EN 304 619: Antivirus
- EN 304 623: Boot managers
- EN 304 625: Network interfaces
- EN 304 626: Operating systems
- EN 304 627: Routers, modems, switches
- EN 304 635: Virtualisation and containers
These standards follow a consistent four-step structure:
- Use cases: realistic deployment scenarios and usage patterns
- Threats and risk considerations: product-specific threat analysis and risk-tolerance classification
- Mitigations: capability-based conditions and specific security measures
- Assessment: objective test criteria and checkbox requirements
The drafts are available on the ETSI open consultation platform for public comment.
Only the combination of both standard types creates the presumption of full CRA conformity:
- Horizontal standards define the overarching framework
- Vertical standards concretise this for specific product categories
- Manufacturers must address both levels
Annex A of EN 40000-1-2 provides vertical standards with explicit guidance to ensure coherence with the horizontal framework.
Further information
- EN 40000 standard series in detail
- ETSI draft standards for the CRA
Conformity with the CRA
The Cyber Resilience Act establishes a comprehensive system for assessing and ensuring conformity of products with digital elements. The system aims to ensure a high level of cybersecurity and resilience across the EU single market. Conformity assessment is a central element of the CRA and varies according to the risk classification and criticality of the product.
Which conformity assessment procedure is required depends on the product’s risk level.
Products with digital elements
Products with digital elements (Article 6) are the base category. These products must meet the basic requirements from Annex I, Part I and their manufacturing processes must comply with Annex I, Part II. No specific conformity assessment procedures are prescribed for this category, but manufacturers must ensure that their products meet security requirements when properly installed, maintained and used as intended.
Important products
Important products with digital elements (Article 7) form the second category. These products are defined by core functionalities corresponding to categories listed in Annex III. They must undergo specific conformity assessment procedures to ensure compliance with essential cybersecurity requirements.
Important product categories are divided into Class I and Class II as set out in Annex III. The classes are based on:
- Class I: products critical for cybersecurity, including authentication, intrusion prevention, endpoint security, etc.
- Class II: products that pose a significant risk of adverse effects, such as network management, configuration control, virtualisation or processing of personal data.
For important Class I products, internal control (Module A) may be used only where harmonised standards, common specifications or European cybersecurity certification schemes are applied in full. Where they are not applied or only partially applied, the product and its manufacturing processes must either undergo EU type examination (Module B) followed by internal production control (Module C) or a conformity assessment based on full quality assurance (Module H).
For important Class II products, internal control is not available: the manufacturer must use Modules B+C, Module H or, where an applicable scheme exists, a European cybersecurity certificate under the Cybersecurity Act. Integrating such a product into another product does not by itself subject the latter to the same procedures.
Critical products
The third category covers critical products with digital elements (Article 8). These are products whose core functionality is listed in Annex IV.
For critical products the Commission may adopt delegated acts requiring a European cybersecurity certificate under the Cybersecurity Act at assurance level "substantial" or higher, matching the cybersecurity risk and intended use (Article 8(1)). Where such a delegated act has been adopted, the certificate is mandatory; where none exists for a category, the product is assessed like an important Class II product (Modules B+C or H). Criteria for identifying critical products include the critical dependency of essential entities on them and the potential for severe disruption of critical supply chains across the single market.
Annex III may be amended by delegated acts to add or change categories of important products based on their cybersecurity functions and risks; the impact on the market and the Member States' readiness to introduce certification schemes must be taken into account.
Conformity assessment procedures in the CRA
The CRA provides various conformity assessment procedures to ensure products meet the essential requirements in Annex I:
Internal control
The simplest procedure where the manufacturer verifies and documents product conformity internally (Annex VIII, Module A).
EU type examination
An independent examination of the product design by a notified body followed by internal production control by the manufacturer (Annex VIII, Modules B and C). This is intended particularly for important Class I products when harmonised standards, common specifications or European cybersecurity certifications are not fully applied or absent.
Comprehensive quality assurance
Under a conformity assessment based on comprehensive quality assurance (Annex VIII, Module H) a notified body takes on comprehensive quality control of the manufacturing process.
European cybersecurity certification
For critical products listed in Annex IV, certification under the Cybersecurity Act is required to demonstrate conformity with the essential requirements where available and applicable (Article 8(1)). The certification must achieve at least a “substantial” assurance level and may involve a notified body depending on the chosen certification and protection profile.
Currently, the EUCC (EU Cybersecurity Certification Scheme on Common Criteria) is the first scheme under the Cybersecurity Act, based on ISO/IEC 15408 (Common Criteria). It is particularly suitable for security-critical products such as firewalls or cryptographic devices. Additional sector-specific certification schemes are under development.
More information on the individual conformity assessment procedures can be found in our article on CE marking.
Choosing the conformity assessment procedure
Products in all categories (noncritical, important Class I and II, and critical) may demonstrate conformity through the European cybersecurity certification framework where a suitable scheme exists. A notified body must be involved (Modules B+C or H) for important Class I products that do not fully apply harmonised standards, common specifications or a certification scheme, for all important Class II products, and for critical products for which no mandatory certificate has been prescribed. Internal control (Module A) applies mainly to noncritical products and to important Class I products where a harmonised standard has been applied in full.
The following table summarises the procedures available for each product category.
This distinction ensures the level of review and assessment is commensurate with the product category’s cybersecurity risk.
| Product type | Internal control (Module A) | EU type examination (Modules B+C) | Comprehensive quality assurance (Module H) | Cybersecurity certificate |
|---|---|---|---|---|
| Noncritical | ✓ | ✓ | ✓ | ✓ |
| Important – Class I (Annex III) | (✓)1) | ✓ | ✓ | ✓ |
| Important – Class II (Annex III) | | ✓ | ✓ | ✓ |
| Critical (Annex IV) | | (✓)2) | (✓)2) | ✓ |
1) Only where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full.
2) Only where no delegated act has been adopted that mandates a European cybersecurity certificate for the product category.
Current status and CRA transition periods
The Cyber Resilience Act (CRA) was published in the Official Journal of the European Union on 20 November 2024. Transition periods at a glance:
- 20.11.2024: Publication of the CRA in the OJEU
- 10.12.2024: Entry into force of the CRA
- 11.06.2026: Requirements for conformity assessment bodies
- 11.09.2026: Reporting obligations for manufacturers
- 11.12.2027: Full applicability
The final text of the CRA, Regulation (EU) 2024/2847, is available in the Official Journal of the EU (eur-lex link).
Parallel to CRA implementation, harmonised standards are being developed:
- October 2025: First horizontal standards (EN 40000-1-1 and EN 40000-1-2) in the CEN enquiry procedure
- September 2025: First vertical ETSI standards (EN 304 6xx series) for public consultation
- Ongoing: Further product-specific standards under development
The final harmonised standards will be referenced in the OJEU and then provide a presumption of conformity with the Essential Cybersecurity Requirements.
Frequently asked questions about the CRA
Do you have further questions about the Cyber Resilience Act? In our detailed FAQ article (Cyber Resilience Act FAQ) we answer the most important questions about the new EU regulation. From scope and deadlines to specific requirements for updates and conformity assessment — find everything you need for practical CRA implementation, including concrete recommendations for companies preparing for the upcoming requirements.
Link to the contribution: Häufige Fragen zum Cyber Resilience Act (Cyber Resilience Act FAQ)
Support for CRA implementation
With the Cyber Resilience Act, the EU creates for the first time a unified framework for the cybersecurity of digital products — from operating systems through connected devices to industrial control systems. Manufacturers are required to systematically integrate security requirements into product development, actively manage vulnerabilities and demonstrate conformity.
Secuvi supports companies in transferring CRA requirements into existing processes and products. We assist with impact assessments, develop practical implementation strategies and accompany technical, organisational and documentation measures up to market authorisation.
We also support practical application of the harmonised standards — from implementing the risk management framework according to EN 40000-1-2 to meeting product-specific requirements of the ETSI standards and preparing technical documentation for conformity assessment.
Further information on CRA implementation can be found at: secuvi.com