SynergyBit

What is the Cyber Resilience Act

A clear overview of what CRA means for manufacturers, importers and distributors of products with digital elements.

01. CRA in a nutshell

The Cyber Resilience Act (Regulation (EU) 2024/2847 of the European Parliament and of the Council) is the first European law to set mandatory cybersecurity requirements for products with digital elements across their entire lifecycle.

The aim is for both hardware and software placed on the EU market to be more secure by design, to receive security updates, and for customers to have enough information to use the product safely.

02. Who CRA affects

CRA affects almost all products with digital elements – physical devices that can connect to a network, IoT and standalone software. Areas covered by other sector-specific law remain outside its scope, for example certain medical devices, aviation or cars.

Obligations fall on manufacturers, but importers and distributors have their roles too. An importer must verify that the manufacturer has met its obligations; a distributor must act with due care. Whoever substantially modifies a product or places it on the market under their own brand may take on the manufacturer's obligations.

03. Why it is important to start early

CRA compliance is not a one-off task. It requires security built into the design, a risk assessment, vulnerability management throughout the support period and complete documentation. That cannot be done at the last minute.

On top of that, reporting obligations start before full compliance – already from 11 September 2026. Preparation should therefore be ongoing, not a final sprint before the deadline.

Main manufacturer obligations under CRA

01. Security by design

Design, develop and manufacture products so they ensure an appropriate level of cybersecurity relative to the risks.

02. Cybersecurity risk assessment

Carry out and document a risk assessment and reflect its results across all phases of the product lifecycle.

03. Vulnerability management

Effectively address vulnerabilities during the support period, provide security updates and maintain an SBOM.

04. Incident reporting

Report actively exploited vulnerabilities and severe incidents to ENISA within set deadlines (from 11 Sep 2026).

05. Technical documentation

Prepare and maintain technical documentation demonstrating compliance with CRA requirements.

06. Conformity assessment and CE

Carry out conformity assessment, issue the EU declaration of conformity and affix the CE marking.

07. Information for users

Provide users with clear information and instructions for using the product securely.

08. Support period

Define and maintain a product support period – generally at least five years, depending on the expected product lifetime.

Product categories and conformity assessment

CRA classifies products by level of risk. The category determines whether an internal self-assessment is sufficient or a notified body must be involved.

  1. Default category

    Most products. Conformity assessment can usually be done internally as a self-assessment.

  2. Important products – class I

    Higher risk (e.g. password managers, VPNs, network elements). Requires applying harmonised standards or involving a notified body.

  3. Important products – class II

    Even higher risk (e.g. firewalls, intrusion detection systems). Assessment by a notified body is generally required.

  4. Critical products

    The most sensitive category with the strictest requirements, where European certification may also be required.

Frequently asked questions about CRA

From when do we have to comply with CRA?

The main CRA requirements apply from 11 December 2027. However, the reporting obligations for vulnerabilities and incidents start earlier – from 11 September 2026.

What penalties apply for non-compliance?

Breaching key obligations can attract fines of up to EUR 15 million, or 2.5% of global annual turnover – whichever is higher.

Does CRA also apply to free open-source software?

CRA introduces a special, lighter regime for open-source software. It depends on whether a commercial activity is involved. We are happy to assess the specific impact for your situation.

What is an SBOM and why does CRA require it?

An SBOM (Software Bill of Materials) is an inventory of the components a product is made of. It makes it possible to quickly determine whether a newly discovered vulnerability in a component affects you.
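To show what "quickly determine whether a vulnerability in a component affects you" looks like in practice, here is an added Python example; it is not part of the original page and not SynergyBit's code. It loads a constructed CycloneDX-style SBOM (product, component names, versions and purls are all made up), takes a constructed advisory record with an introduced and a fixed version (a simplified shape, not the CSAF or OSV format real advisories use), and lists the components that fall in the affected range. Components listed without a version cannot be ruled out and are flagged for manual review. The version comparison is a simplified numeric one, not a full semver implementation.

```python
import json
import re

# Constructed sample SBOM in CycloneDX-style JSON. Product and component
# names, versions and purls are invented for this example.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-gateway-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "libexample-tls", "version": "1.4.2",
     "purl": "pkg:generic/libexample-tls@1.4.2"},
    {"type": "library", "name": "example-json", "version": "2.0.9",
     "purl": "pkg:generic/example-json@2.0.9"},
    {"type": "library", "name": "example-http", "version": "0.12.1",
     "purl": "pkg:generic/example-http@0.12.1"},
    {"type": "library", "name": "example-crypto-shim",
     "purl": "pkg:generic/example-crypto-shim"}
  ]
}
"""

# Constructed advisory: a placeholder shape carrying the affected component
# name, the first affected version and the first fixed version.
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "component": "libexample-tls",
    "introduced": "1.3.0",
    "fixed": "1.4.5",
}


def parse_version(version):
    """Turn '1.4.2' or '1.4.2-rc1' into a comparable tuple of ints.

    Simplified on purpose: keeps the leading digits of each dot-separated
    part and drops any pre-release suffix, so it is not a semver parser.
    """
    parts = []
    for part in version.split("."):
        match = re.match(r"\d+", part)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def in_affected_range(version, introduced, fixed=None):
    """True if introduced <= version < fixed (no upper bound when fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def find_affected(sbom_json, advisory):
    """Return the SBOM components matched by the advisory, with a status each."""
    sbom = json.loads(sbom_json)
    wanted = advisory["component"].lower()
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() != wanted:
            continue
        version = comp.get("version")
        entry = {"name": comp["name"], "version": version, "purl": comp.get("purl")}
        if version is None:
            # Unknown version: the SBOM cannot rule it out, so flag for review.
            entry["status"] = "unknown-version"
            hits.append(entry)
        elif in_affected_range(version, advisory["introduced"], advisory.get("fixed")):
            entry["status"] = "affected"
            hits.append(entry)
    return hits


def triage(sbom_json, advisory):
    """Summarise which product the SBOM describes and what the advisory hits."""
    sbom = json.loads(sbom_json)
    product = sbom.get("metadata", {}).get("component", {})
    return {
        "product": f"{product.get('name')} {product.get('version')}",
        "advisory": advisory["id"],
        "affected": find_affected(sbom_json, advisory),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SBOM_JSON, SAMPLE_ADVISORY), indent=2))
```

Run as-is it reports the single affected component (libexample-tls 1.4.2, which sits between the introduced and fixed versions). The same function, pointed at a component that the SBOM lists without a version, returns an "unknown-version" entry rather than silently passing, which is the conservative behaviour you want when the SBOM is incomplete.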

Start with CRA before the deadline catches up with you

A free consultation will quickly show you where you stand and the shortest path to compliance.

Book a consultation