Cyber Resilience Act (CRA) – Cybersecurity for Digital Products

Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)

Status: In force | Effective: 10/12/2024 | Scope: EU-wide | Type: EU Regulation

Overview

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for all products with digital elements. Manufacturers must ensure security throughout the entire product lifecycle — from design to end-of-support.

Who Is Affected?

The CRA covers the entire digital product supply chain:

  • Manufacturers of hardware and software with digital components
  • Importers placing such products on the EU market
  • Distributors and retailers
  • Open-source software stewards (under certain conditions)

Products already covered by sectoral regulations (e.g. medical devices, aviation, automotive) are excluded.

Core Obligations

  1. Security by design: Cybersecurity must be considered from the design phase
  2. Vulnerability handling: Process for identifying and fixing vulnerabilities throughout the product’s support period
  3. Security updates: Free security updates for at least 5 years
  4. Reporting obligations: Report actively exploited vulnerabilities to ENISA within 24 hours
  5. Software Bill of Materials (SBOM): Documentation of all software components
  6. CE marking: Demonstration of conformity with cybersecurity requirements

National Transposition

As an EU regulation, the CRA applies directly in every Member State and does not require national transposition; what each Member State does have to do is designate its own market surveillance authority:

  • Germany: BSI as the competent market surveillance authority
  • Austria: Competent authorities to be designated
  • Switzerland: Not directly bound by the CRA, but relevant for Swiss companies exporting products to the EU market

CRA: Does it affect you?

Find out if and how this regulation affects your company – we're happy to advise you.

Frequently Asked Questions

Who is affected by the Cyber Resilience Act?

All manufacturers, importers, and distributors of products with digital elements placed on the EU market — from IoT devices and software to industrial control systems.

When does the CRA apply?

The CRA entered into force on 10 December 2024. Most obligations apply from 11 September 2026; vulnerability reporting obligations apply from 11 September 2025.

What are the core obligations under the CRA?

Security by design, vulnerability handling throughout the product lifecycle, free security updates, reporting of actively exploited vulnerabilities to ENISA within 24 hours, and CE marking for cybersecurity.