
Cyber Resilience Act (CRA), The Complete Guide

Large B2B organizations face mounting pressure as the Cyber Resilience Act sets enforceable, product-centric security obligations for any company placing products with digital elements on the EU market. Unlike organization-level frameworks, the EU Cyber Resilience Act requires continuous practices – secure-by-design engineering, vulnerability handling, post‑market monitoring, and Software Bill of Materials (SBOM) transparency – supported by technical documentation and audit-ready evidence. This creates a sustained operational demand that spans development, release, and support. To simplify compliance at scale, teams should centralize evidence, automate SBOM generation, and coordinate remediation across engineering and supply chain partners.

Key highlights

  • The Cyber Resilience Act (CRA) introduces mandatory, lifecycle-wide cybersecurity practices for products with digital elements, aligning CE marking with security assurance and making “secure by design and by default” a legal baseline
  • Compliance elevates continuous risk management, SBOM creation, coordinated vulnerability disclosure, and incident reporting as core engineering responsibilities for all in-scope products
  • Organizations must govern third parties, consolidate technical evidence, and maintain market‑surveillance‑ready records to satisfy conformity assessments and sustain EU market access
  • Cycode’s platform operationalizes SBOMs, vulnerability management, and documentation so teams can demonstrate the Cyber Resilience Act EU requirements confidently and at speed

 

What Is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is an EU regulation that sets mandatory cybersecurity requirements for hardware and software with digital elements throughout their lifecycle, from design to end-of-life. It is a product-centric law that makes secure-by-design and secure-by-default engineering a legal duty for manufacturers and publishers placing products on the EU market. CRA compliance, put simply, is the ongoing capacity to build, ship, and support products with documented controls that defend confidentiality, integrity, and availability across intended use. The CRA was adopted in 2024 as Regulation (EU) 2024/2847 and published in the EU’s Official Journal, establishing harmonized rules, CE marking, and post-market obligations for digital products placed in the EU single market (see Regulation (EU) 2024/2847).

Why Was the EU Cyber Resilience Act Introduced?

The EU Cyber Resilience Act was introduced to reduce systemic risk from insecure digital products and to harmonize product security rules across Member States. As software supply chains expand and connectivity becomes ubiquitous, fragmented guidance and voluntary practices fail to deliver consistent outcomes at scale. The CRA creates a single, enforceable baseline for product security that manufacturers can plan for and auditors can verify.

Addressing the Rise in Cyber Threats

A steady increase in attacks exploiting software flaws and weak defaults has shown that voluntary controls are insufficient. Industry data underscores that people, misconfigurations, and software defects remain key breach vectors; for example, the 2024 Data Breach Investigations Report found that 68% of breaches involved a human element, reinforcing the need for built-in safeguards that reduce user error and misconfiguration risk (see the 2025 Data Breach Investigations Report). The CRA’s response emphasizes prevention, faster detection, and documented remediation.

Closing Gaps in Existing Cybersecurity Frameworks

Prior frameworks such as the General Data Protection Regulation (GDPR) and the NIS Directive addressed data protection and essential services, but they did not mandate end-to-end product security. The EU CRA closes these gaps by requiring lifecycle practices (development controls, vulnerability handling, incident reporting, support periods, and transparent documentation) that are explicitly tied to product conformity (see the EU Cyber Resilience Act policy page).

Enhancing Digital Trust Across the EU

By linking CE marking to product security, the CRA raises confidence in connected technologies and strengthens the EU’s digital single market. Consistent Cyber Resilience Act requirements create predictable expectations for buyers and partners, while giving manufacturers a clear path to demonstrate assurance (see Regulation (EU) 2024/2847).

Which Products Are Covered by the EU CRA?

The CRA’s definition of a product with digital elements is intentionally broad, reflecting modern, connected product realities and capturing supply chain risk.

Definition of Products With Digital Elements (PDEs)

Under the EU CRA, a product with digital elements is any software or hardware that directly or indirectly connects to a device or network and can process, transmit, or store digital data. The definition centers on connectivity and the potential for cybersecurity impact across a product’s lifecycle (see the EU Cyber Resilience Act policy page).

Examples of In-Scope Hardware and Software

In-scope examples include network equipment, smart home devices, laptops and smartphones, industrial control systems, and general-purpose or embedded software. Both on-premises and cloud-delivered software qualify when they meet PDE criteria, ensuring emerging service models remain accountable (see Regulation (EU) 2024/2847).

Exemptions and Special Cases

Some sectors are covered by specialized legislation; for instance, certain medical devices follow dedicated EU rules. Open-source software developed or supplied outside a commercial activity is generally exempt, but obligations attach when open source software is integrated into commercial products or monetized services (see OpenSSF: EU Cyber Resilience Act).

Which Organizations Are Affected by the EU CRA?

The CRA applies to manufacturers, importers, and distributors that place or make available products with digital elements on the EU market, regardless of where those organizations are based. Responsibilities extend along the supply chain, recognizing that security and documentation are shared obligations.

Criteria for Organizational Scope

Manufacturers that design, build, or brand products must meet the CRA’s essential requirements and perform a conformity assessment. Importers and distributors must verify that products are compliant, technically documented, and CE-marked before they enter circulation. Obligations scale based on each party’s role across the lifecycle (see Regulation (EU) 2024/2847).

Impact on EU-Based and Non-EU Entities

Non-EU companies are in scope if they sell or distribute applicable products in the EU. This extraterritorial reach mirrors other EU product and digital rules, making CRA conformity a prerequisite for market access in the bloc (see the EU Cyber Resilience Act policy page).

Who Must Meet Cyber Resilience Act Compliance Requirements?

Cyber Resilience Act compliance spans the product supply chain. Manufacturers, importers, distributors, integrators, retailers, and relevant third parties all contribute to user protection and market integrity. Clear allocation of responsibilities reduces ambiguity and accelerates response when vulnerabilities emerge.

Roles and Responsibilities Across the Supply Chain

The following roles outline primary responsibilities across the product lifecycle:

  • Manufacturer: Design and maintain products in line with Cyber Resilience Act requirements; conduct conformity assessments; keep technical documentation; deliver security updates; and handle vulnerabilities post-market (see Regulation (EU) 2024/2847)
  • Importer: Verify CE marking and Declaration of Conformity; retain documentation; cooperate with authorities; ensure only compliant products are placed on the EU market (see the EU Cyber Resilience Act policy page)
  • Distributor: Check CE marking and required instructions; avoid placing non-compliant products on the market; cooperate with surveillance authorities (see Regulation (EU) 2024/2847)
  • Integrator/Retailer: Ensure integrated systems remain compliant and only conforming products reach end users; support recall or corrective actions when needed (see Regulation (EU) 2024/2847)

Third-Party Vendors and Partners

Organizations should govern third parties with clear contractual terms covering SBOM obligations, coordinated vulnerability disclosure, and incident reporting protocols, so that compliance under the EU CRA is preserved end to end (see the EU Cyber Resilience Act policy page).

Key Cyber Resilience Act Requirements for Organizations

The CRA details essential requirements across the product lifecycle: security by design and by default, continuous vulnerability handling, incident detection and response, and software transparency via SBOMs. These obligations demand both technical controls and repeatable evidence. 

Security by Design and by Default

Manufacturers must minimize attack surface through design choices and ship products with secure defaults (least privilege, no default credentials, and hardening aligned to intended use). Threat modeling, secure coding, and verification before release underpin defensible conformity assessments (see the EU Cyber Resilience Act policy page).

Vulnerability Management and Patching

Organizations must monitor for vulnerabilities, assess severity, and deliver remediations within a reasonable time, including end-of-life notices where fixes are not feasible. Coordinated disclosure and timely updates are core post-market duties under the EU CRA (see Regulation (EU) 2024/2847).

Incident Detection and Response

Teams must detect, triage, and respond to incidents affecting product confidentiality, integrity, or availability. Documented escalation, rehearsed response plans, and preserved evidence demonstrate due care during audits and investigations (see the EU Cyber Resilience Act policy page).

Software Bill of Materials (SBOM) Requirements

Manufacturers must maintain a transparent inventory of software components to support risk assessment and patching velocity. Common exchange formats include SPDX (Software Package Data Exchange) and CycloneDX.

SBOM element to include  | Data format                          | Update frequency                           | Responsible team
-------------------------|--------------------------------------|--------------------------------------------|-----------------------------
Component name           | Standardized (e.g., SPDX, CycloneDX) | With each release and update               | Product Security/Engineering
Version information      | Standardized                         | With each release and update               | Product Security/Engineering
Supplier/origin          | Standardized                         | With each release and update               | Product Security/Engineering
License details          | Standardized                         | With each release and update               | Legal/Compliance
Known vulnerabilities    | Standardized                         | Ongoing, as vulnerabilities are discovered | Security Operations
Dependency relationships | Standardized                         | With each release and update               | Product Security/Engineering

SPDX and CycloneDX are widely used SBOM standards that support automation and tooling across development and operations (see the SPDX specification and the CycloneDX project).
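As an added illustration (not part of the original guide or of Cycode’s product), the following Python checks a CycloneDX JSON SBOM against the elements listed in the table above: every component must carry a name, version, supplier, and license; every dependency reference must resolve to a declared component; and recorded vulnerabilities are mapped to the components they affect. The SBOM document, its component names, and the vulnerability id are constructed for the example.

```python
"""Check a CycloneDX JSON SBOM for the elements the CRA guide lists as
required: component name, version, supplier/origin, license details,
known vulnerabilities, and dependency relationships.

Added example. The SBOM below is constructed for illustration and is not
a real product inventory; "EXAMPLE-0001" is a placeholder identifier."""
import json

# Constructed CycloneDX 1.5 document. One component deliberately lacks a
# supplier and a license, and one dependency points at an undeclared ref,
# so the checks below have something to report.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "example-gateway", "version": "2.3.0",
                               "supplier": {"name": "Example Corp"}}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "libalpha",
         "version": "1.4.2", "supplier": {"name": "Alpha Project"},
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "lib-b", "name": "libbeta",
         "version": "0.9.0"},  # missing supplier and licenses
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-missing"]},  # undeclared ref
    ],
    "vulnerabilities": [
        {"id": "EXAMPLE-0001", "affects": [{"ref": "lib-b"}]},
    ],
})

# Per-component fields the guide's table expects to be present.
REQUIRED_FIELDS = ("name", "version", "supplier", "licenses")


def load_sbom(text):
    """Parse the JSON and confirm it claims to be CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def check_components(doc):
    """Return {bom-ref: [missing field names]} for incomplete components."""
    findings = {}
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name")
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings[ref] = missing
    return findings


def check_dependencies(doc):
    """Return sorted dependsOn refs that no declared component matches."""
    declared = {c["bom-ref"] for c in doc.get("components", []) if "bom-ref" in c}
    root = doc.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        declared.add(root)
    dangling = set()
    for dep in doc.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in declared:
                dangling.add(target)
    return sorted(dangling)


def vulnerable_components(doc):
    """Map each component ref to the vulnerability ids recorded against it."""
    hits = {}
    for vuln in doc.get("vulnerabilities", []):
        for affected in vuln.get("affects", []):
            hits.setdefault(affected["ref"], []).append(vuln["id"])
    return hits


def assess(text):
    """Run all three checks and return one report dictionary."""
    doc = load_sbom(text)
    return {
        "incomplete": check_components(doc),
        "dangling_refs": check_dependencies(doc),
        "vulnerable": vulnerable_components(doc),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_SBOM), indent=2))
```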

EU CRA Obligations for Manufacturers

Manufacturers bear the primary duty for conformity. They must embed security in engineering processes, manage vulnerabilities after release, and maintain a complete technical file to demonstrate compliance on request. Centralized evidence and clear ownership accelerate audits and enable consistent updates during the support period.

Secure Product Development Lifecycle

Security must be integrated from design onward: risk assessments, secure coding, code review, dependency hygiene, and pre-release security testing. These practices support the security-by-design principle and yield testable artifacts for conformity assessments (see the EU Cyber Resilience Act policy page).

Ongoing Vulnerability Handling

After market placement, manufacturers must monitor for new vulnerabilities, prioritize remediation based on risk, and communicate relevant information to users and partners. Post-market support is central to the CRA’s lifecycle model and to sustained Cyber Resilience Act compliance (see Regulation (EU) 2024/2847).

Documentation and Technical File Requirements

Manufacturers must maintain a technical file with product descriptions, risk assessments, test results, proof of conformity, and records of updates and vulnerability handling. Authorities may request this information during market surveillance or incident investigations (see Regulation (EU) 2024/2847).

EU CRA Obligations for Importers

Importers serve as gatekeepers to the EU market. They verify that products from outside the EU meet CRA requirements, bear the CE mark, and include proper documentation. Effective gatekeeping protects customers and reduces downstream corrective actions.

Verification of Manufacturer Compliance

Before placing a product on the EU market, importers must verify CE marking, the EU Declaration of Conformity, and the presence of required instructions and safety information. They must also ensure that the manufacturer has a vulnerability handling process in place (see the EU Cyber Resilience Act policy page).

Record-Keeping and Information Duties

Importers must retain the Declaration of Conformity and technical documentation for a defined period and present them to market surveillance authorities upon request. They must also cooperate during investigations and take corrective action if a product presents a cybersecurity risk (see Regulation (EU) 2024/2847).

EU CRA Obligations for Distributors

Distributors ensure that only conforming products progress through the supply chain. Basic checks, clear instructions, and cooperation with authorities help prevent non‑compliant goods from reaching users.

Ensuring Product Conformity Before Distribution

Distributors must ensure that products display CE marking, include required documentation, and have been subject to appropriate conformity assessment. They must not distribute products they know to be non-compliant (see the EU Cyber Resilience Act policy page).

Cooperation With Market Surveillance Authorities

Distributors must provide access to documentation and information during inspections and notify authorities if they suspect a product presents a cybersecurity risk or fails to meet requirements (see Regulation (EU) 2024/2847).

How Does the EU CRA Address Open Source Software?

The CRA recognizes the unique nature of open source while ensuring that commercial uses remain accountable. When open source software becomes part of a commercial product or service, it is in scope for vulnerability handling, updates, and documentation just like first‑party code.

Open Source Exemptions and Limitations

Open-source software developed or supplied outside commercial activity is generally exempt from CRA obligations. However, once open source is integrated into a commercial product or value-added service, the provider inherits duties for vulnerability handling, updates, and documentation (see OpenSSF: EU Cyber Resilience Act).

Obligations for Open Source Stewards

Entities that steward or commercially distribute open source may have obligations if they enable monetized or enterprise use within the EU, including transparent disclosure of known risks and support for remediation workflows (see OpenSSF: EU Cyber Resilience Act).

Managing Open Source Components in Commercial Products

Organizations should inventory open source components, maintain an SBOM, monitor for vulnerabilities, and align license compliance and security updates as part of conformity. OWASP projects and SBOM standards such as CycloneDX help operationalize these practices in CI/CD pipelines (see the CycloneDX project).

What Is the EU CRA Regulation Conformity Assessment Process?

The CRA requires a structured conformity assessment before CE marking. Depending on risk, manufacturers either self‑assess or engage a notified body, documenting evidence that their product meets essential cybersecurity requirements and intended‑use constraints. 

Self-Assessment vs Third-Party Assessment

Lower-risk products may follow internal control procedures for self-assessment. Products presenting higher cybersecurity risk (including categories listed in Annex III) require third-party assessment by a notified body prior to CE marking, providing independent verification of compliance (see Regulation (EU) 2024/2847).

Steps to Achieve CE Marking

Step in CE marking process                  | Description                                                        | Responsible party          | Key considerations
--------------------------------------------|--------------------------------------------------------------------|----------------------------|----------------------------------------------------------
Product classification                      | Determine if the product is subject to the CRA and its risk level  | Manufacturer               | Correct classification drives the right assessment route
Identify applicable requirements            | Map essential cybersecurity requirements to the product            | Manufacturer               | Consider intended use and threat context
Select conformity assessment procedure      | Choose self-assessment or notified body assessment                 | Manufacturer               | Annex III categories trigger third-party assessment
Conduct assessment (testing/documentation)  | Test, verify, and collect evidence of compliance                   | Manufacturer/Notified Body | Align tests to technical specifications and standards
Compile technical documentation             | Assemble records and the technical file                            | Manufacturer               | Keep current across product updates
Draft and sign EU Declaration of Conformity | Declare conformity with CRA requirements                           | Manufacturer               | Legal attestation retained for market surveillance
Affix CE marking to product                 | Apply CE marking to enable EU market access                        | Manufacturer               | Ensure marking and documentation accompany the product

The CE marking links cybersecurity assurance to market access; the Commission outlines how CE marking communicates EU conformity across product rules (see the Commission’s CE marking overview).

Preparing Technical Documentation

The technical file should describe the product, its security architecture, risk assessment results, test reports, SBOM and update policy, and the EU Declaration of Conformity, and it must be retained for authorities for a defined period after market placement (see Regulation (EU) 2024/2847).

How Does Incident Reporting Work Under the Cyber Resilience Act Timeline?

The Cyber Resilience Act timeline introduces rapid incident reporting to EU authorities when security issues with products are actively exploited or pose significant risk. Early warning enables coordinated action to protect users and the single market while reinforcing accountability across suppliers.

Reporting Thresholds and Criteria

Manufacturers must report incidents and actively exploited vulnerabilities that materially affect product confidentiality, integrity, or availability, including issues with cross-border impact or substantial service disruption. Reporting pathways align with obligations to notify national computer security incident response teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA) for product-related incidents (see Regulation (EU) 2024/2847).

Required Timelines for Notification

Early warning is time-bound. The regulation requires rapid initial notification for qualifying events, with follow-up updates as investigations progress. These timelines drive faster risk assessment, coordinated disclosure, and remediation across the EU market (see the EU Cyber Resilience Act policy page).

Coordinating With EU Authorities

After the initial alert, organizations must cooperate with authorities and share technical details, impact assessments, and mitigation steps. Clear communication and evidence of action help demonstrate Cyber Resilience Act compliance during and after an incident (see Regulation (EU) 2024/2847).

Penalties for CRA Cyber Resilience Act Non-Compliance

The CRA includes enforcement mechanisms to deter negligent practices and to keep unsafe products off the market. Consequences range from administrative fines to product withdrawal, depending on severity and the obligations breached.

Fines and Sanctions Overview

Authorities may impose administrative fines and order corrective actions, including recalls or withdrawal. Non-compliance with essential requirements or reporting duties can trigger sanctions defined in the regulation and national enforcement frameworks (see Regulation (EU) 2024/2847).

Impact on Market Access and Reputation

Non-compliance jeopardizes CE marking, interrupts EU market access, and damages trust. Buyers increasingly evaluate product security posture and regulatory alignment in procurement, making conformity a commercial imperative (see the EU Cyber Resilience Act policy page).

Why Cyber Resilience Act EU Compliance Is Critical

Cyber Resilience Act EU compliance reduces legal exposure, fortifies product security, and protects EU revenue streams. It aligns engineering, product, and operations around measurable controls and documented outcomes that withstand audit scrutiny.

Avoiding Legal and Financial Risks

Meeting obligations lowers the risk of fines, forced recalls, market withdrawal, and litigation after security incidents. Proactive conformity keeps products available and services reliable across Member States (see Regulation (EU) 2024/2847).

Building Customer Confidence

Customers value transparent, verifiable security. CE-marked, conformant products signal commitment to secure-by-design principles and lifecycle support, which are key differentiators in enterprise tenders and strategic partnerships (see the EU Cyber Resilience Act policy page).

Strengthening Supply Chain Resilience

SBOMs, coordinated disclosure, and incident coordination extend security hygiene to third-party dependencies and vendors. This reduces the blast radius of supply chain issues and raises the security floor across ecosystems. The 2024 Data Breach Investigations Report highlights how partner and human factors contribute materially to incidents, underscoring the value of these controls (see the 2025 Data Breach Investigations Report).

How the EU CRA Compares to Other Cybersecurity Regulations

The CRA is product‑centric, while many recognized frameworks are organization‑centric. Understanding differences helps teams reuse existing investments without duplicating effort, while keeping focus on product‑level assurance tied to CE marking. 

CRA vs NIS2 and DORA

NIS2 (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA) emphasize organizational risk management, incident reporting, and resilience for essential and financial entities, respectively. The CRA, by contrast, mandates security requirements for each product with digital elements and links conformity to CE marking. For primary texts, see NIS2 Directive (EU) 2022/2555 and DORA Regulation (EU) 2022/2554.

CRA vs ISO/IEC 27001

ISO/IEC 27001 defines a voluntary information security management system at the organizational level, while the CRA imposes mandatory, product-level obligations. The CRA requires technical documentation and post-market security support for each product placed on the EU market (see the ISO/IEC 27001 overview).

Unique Aspects of the CRA’s Product-Focused Approach

  • Lifecycle scope covers design, development, distribution, and post-market support with explicit vulnerability handling (see Regulation (EU) 2024/2847)
  • Conformity assessment and CE marking link security assurance directly to market access (see the Commission’s CE marking overview)
  • Transparency via SBOMs improves response speed and supply chain risk management (see the CycloneDX project)

The Cyber Resilience Act sets a clear baseline for products with digital elements, raising security expectations across the EU market. For teams planning their compliance roadmap: map scope, operationalize SBOM-driven visibility, and align secure-by-design practices with the CRA’s conformity pathways, keeping a close eye on implementation and entry-into-force milestones as guidance evolves.

Accelerate Your CRA Compliance Journey With Cycode

Meeting the Cyber Resilience Act’s requirements demands unified security, continuous vulnerability management, and transparent SBOMs across your software supply chain. Cycode Application Security Platform brings together proprietary static application security testing (SAST), software composition analysis (SCA), and advanced SBOM management to help you detect risks early, document compliance, and respond rapidly to evolving threats—all from a single, developer-friendly platform.

Cycode helps teams:

  • Streamline CRA conformity with automated SBOM generation, vulnerability tracking, and evidence collection for technical files and CE marking
  • Gain real-time visibility into open source, supply chain, and code risks with prioritized remediation and audit-ready reporting
  • Integrate seamlessly with your existing tools and workflows, ensuring compliance does not disrupt development velocity or operational efficiency

Cycode centralizes SBOMs and audit-ready evidence so compliance scales without slowing engineering. Can your team prove conformity across every product and release when auditors ask for evidence? Book a demo today.

Frequently Asked Questions

How Should Organizations Handle Legacy Products in Relation to CRA Requirements?

Treat legacy products based on whether they were “placed on the market” before full application. Under Regulation (EU) 2024/2847, products placed before December 11, 2027 are not retroactively subject to the Cyber Resilience Act (CRA) unless they undergo a “substantial modification” after that date; vulnerability/incident reporting under Article 14 applies earlier to all products, including legacy ones, from September 11, 2026. See Article 69(2)–(3) and Article 71.

Maintain a register of legacy SKUs with clear “support period” end dates and update rules. The CRA requires manufacturers to state the end of the “support period” to users and to keep user instructions and selected records available for at least 10 years after placing on the market, or longer if the support period exceeds that.

Example: if a desktop OS released in 2026 receives a feature update in 2028 that changes its intended purpose or increases cybersecurity risk, this substantial modification triggers CRA conformity obligations for that updated version (the person making the modification becomes the “manufacturer” for compliance purposes).

Plan for Article 14 reporting readiness for legacy fleets by September 11, 2026: implement SBOM-based vulnerability monitoring and incident response workflows aligned with the forthcoming European Union Agency for Cybersecurity (ENISA) single reporting platform (Article 16). This approach limits disruption while meeting the EU CRA regulation’s early obligations.

What Support or Guidance Is Available for SMEs Seeking CRA Compliance?

Several EU-level supports exist, with emphasis on small and medium-sized enterprises (SMEs). ENISA launched an SME-focused maturity self-assessment to help small teams baseline practices and prioritize remediation; see the ENISA Cybersecurity Maturity Assessment Tool for SMEs. National computer security incident response teams (CSIRTs) designated as coordinators are tasked with providing helpdesk support for manufacturers on Article 14 reporting, with priority for micro and small enterprises, and ENISA is building the single reporting platform (SRP) and operates the European Vulnerability Database (EUVD), which consolidates exploit and mitigation data relevant to products with digital elements. SMEs should align early with the essential CRA processes (risk assessment, secure-by-default configuration, vulnerability handling, and clear “support period” communication), using recognized controls catalogs as scaffolding. For example, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5 provides mappable control families for vulnerability management, incident reporting, and supply-chain risk that support CRA requirements without adding proprietary overhead. The formal SME size thresholds referenced in EU law follow Commission Recommendation 2003/361/EC, which helps determine eligibility for SME-oriented assistance.

Are There Transitional Periods or Grace Periods Before Full CRA Enforcement Begins?

Yes. The Cyber Resilience Act timeline is staged in the law itself. The Regulation enters into force 20 days after its Official Journal publication and applies in full from 11 December 2027; two provisions bite earlier: (1) rules for notifying and appointing conformity assessment bodies apply from 11 June 2026, and (2) manufacturers’ vulnerability/incident reporting under Article 14 applies from 11 September 2026. See Article 71 (Entry into force and application). Implications:
  • 11 June 2026: Member States stand up notified bodies and related oversight (Chapter IV), reducing certification bottlenecks before full application. Reference: Article 71
  • 11 September 2026: Article 14 reporting starts for all in-scope products (including those placed earlier). Reference: Article 69(3)

How Does the CRA Impact Organizations Operating in Multiple EU Member States?

The EU Cyber Resilience Act applies uniformly across the EU, with CE-marked conformity enabling free circulation of compliant products. Market enforcement leverages the EU’s market-surveillance framework; the CRA expressly inserts itself into Annex I of Regulation (EU) 2019/1020 so that national authorities coordinate controls and “sweeps” across borders. See the EU Cyber Resilience Act full text and the CRA provisions on joint activities and sweeps. Background on the market-surveillance system appears in the Commission’s overview of Regulation (EU) 2019/1020.

Reporting and supervision are streamlined to one “home” touchpoint. Article 14 directs manufacturers to notify via ENISA’s single reporting platform using the CSIRT designated as coordinator in the Member State of their main establishment; where a manufacturer has no EU establishment, the order falls to the Member State of the authorised representative, then the importer, then the distributor. See Article 14(7) through Article 16 and ENISA’s SRP build-out notice (ENISA SRP).

Practically, multinational organizations should: assign a single EU “main establishment” for cybersecurity decisions; consolidate technical documentation and the EU declaration of conformity; and ensure translations of user instructions for each target Member State, as required by the EU CRA regulation.

Can Organizations Leverage Existing Cybersecurity Certifications to Simplify CRA Compliance?

Yes, strategically. The CRA creates a “presumption of conformity” via harmonised standards that the European Commission will request from standards bodies; where standards lag, the Commission may issue common specifications. See the CRA’s standardisation and common-specification provisions under the Articles tied to the Annex I essential cybersecurity requirements. Separately, the CRA allows the Commission to require a European cybersecurity certificate at assurance level at least “substantial” (under the EU Cybersecurity Act) for certain categories, offering a direct path to demonstrating conformity. See the delegated-act empowerment in the Article 6 context (European cybersecurity certification schemes under Regulation (EU) 2019/881). Two examples:
  • EUCC (Common Criteria-based) became the first EU-wide scheme in January 2024; the Commission’s EU cybersecurity certification framework page states it is available to vendors. Manufacturers of ICT products (e.g., routers, OSs, secure elements) that achieve EUCC certification at “substantial” or “high” gain strong evidence for CRA assessments when their product category is mapped.
  • Organizations with mature control systems aligned to NIST SP 800-53 Rev. 5 (National Institute of Standards and Technology Special Publication 800-53 Revision 5) or sector standards (e.g., the ISA/IEC 62443 updates announced in “Update to ISA/IEC 62443 Standards Addresses Organization-Wide Cybersecurity”) reduce effort when drafting CRA technical documentation and proving vulnerability handling, but such certifications do not replace CRA obligations unless referenced by harmonised standards or an EU scheme designated for the category.

Bottom line: existing certifications and security attestations can accelerate Cyber Resilience Act EU alignment, but the decisive test remains meeting the Annex I Cyber Resilience Act requirements and following the appropriate conformity route under the EU CRA.