
What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is an EU regulation that defines binding cybersecurity requirements for the entire life cycle of hardware and software products for the first time. This is intended to make it easier for companies and consumers in the EU to consider cybersecurity as a criterion when selecting and using products.


Similar to the NIS 2 Directive, which regulates information security on the operator side, the CRA is a complementary regulation intended to improve the security of the products with digital elements that those operators and consumers use.


01

Cyber Resilience Act: a Definition

The Cyber Resilience Act came into force on December 10, 2024, creating a horizontal legal framework for the security of network-connected hardware and software products. This is the EU's response to the growing dependence on networked systems and the fact that many products have been launched on the market with inadequate basic security, a lack of updates, or non-transparent vulnerability management.


The core idea of the CRA is to make security by design and security by default a legally enforceable obligation rather than a best practice. Manufacturers must demonstrate that they have considered, implemented, and kept in operation appropriate technical and organizational cybersecurity measures throughout the entire product life cycle, from initial design and development through production to maintenance for the whole support period.

CRA: Objectives and duties

The CRA pursues the following goals:

  • Ensuring that manufacturers improve the security of products with digital elements from the design and development phase onwards and throughout their entire life cycle.

  • Ensuring a coherent cybersecurity framework that makes it easier for hardware and software manufacturers to comply with regulations.

  • Increasing the transparency of the security features of products with digital elements.

  • Empowering businesses and consumers to use products with digital elements safely.

What does the CRA mean for manufacturers?

  • Commitment to security by design: Cybersecurity must be considered and implemented throughout the entire planning, design, development, production, delivery, and maintenance phases of products.

  • Extensive documentation and reporting requirements: manufacturers must handle vulnerabilities throughout the support period, report actively exploited vulnerabilities and severe incidents to the relevant authorities, and inform corporate customers and consumers about vulnerabilities and the measures available to them.

02

Scope: Which products are affected?

The regulation applies to all products with digital elements, which the CRA sorts into a default category and several higher-risk categories. The default category is expected to cover around 90% of all products and comprises commercially available devices and programs with low criticality, such as photo editing software, video games, and smart speakers.

The remaining 10% or so are the “important” products of Classes I and II and the “critical” products, which pose a higher cybersecurity risk. Stricter conformity assessment procedures apply to them, in many cases including assessment by an external third party.

Pure software-as-a-service (SaaS) solutions that operate as standalone cloud services are exempt from the CRA. However, “remote processing solutions” fall under the CRA if they are essential to the functionality of a product with digital elements. Non-commercial open-source software is also exempt; commercial FOSS products, on the other hand, are regulated.

Overall, the scope is deliberately broad and includes:

  • Traditional IT and consumer products such as routers, smart home devices, cameras, wearables, and connected household appliances.

  • Software products such as operating systems, applications, browsers, VPN clients, security solutions, or cloud software.

  • Industrial and critical-infrastructure (KRITIS) systems, such as control systems, network components, OT/ICS solutions, and embedded systems in machines.

Exceptions include certain medical devices, vehicles, aviation products, and open-source software provided free of charge without commercial use.


03

Which risk classes and conformity assessments does the CRA cover?

In order to accommodate the wide range of risk profiles, the Cyber Resilience Act uses a risk-based classification system.

  • Standard products can generally be placed on the market following an internal conformity assessment by the manufacturer. This assessment confirms that the cybersecurity requirements set out in the CRA are met.

  • Important products (Class I) include web browsers, password managers, antivirus programs, and VPN software. To prove CRA compliance, the application of a harmonized standard or, alternatively, an external audit by a testing body is required.

  • Important products (Class II) cover container runtime systems and hypervisors, for example. External conformity testing is mandatory in this case.

  • Critical products are used in critical infrastructures, such as smart meter gateways or smart cards and secure elements. For these products, the EU Commission can make a European cybersecurity certificate mandatory as proof of conformity; where no certification scheme is required, the external conformity assessment of Class II applies.

The following applies to all classes: Without proven conformity with the CRA requirements, products may no longer be placed on the EU internal market once the regulation becomes fully applicable.

04

When does the CRA come into effect?

The schedule is key to ensuring CRA compliance, as the obligations derived from the regulation are phased in gradually.

  • June 11, 2026: The rules for notification and the work of conformity assessment bodies (Chapter IV) become applicable. Manufacturers can then have products with digital elements tested by notified bodies.

  • September 11, 2026: Article 14 (reporting obligations) becomes applicable; from this date, the 24-hour/72-hour deadlines for reporting actively exploited vulnerabilities and severe incidents apply.

  • December 11, 2027: The CRA becomes fully applicable; from this date onwards, new products may only be placed on the EU market if they are CRA-compliant. This also applies to newly delivered batches or newly released versions of existing product lines.

For manufacturers, this means that the period until the end of 2027 is effectively a migration period during which development and security processes, product portfolios, and supplier landscapes must be gradually aligned with CRA compliance.


05

What are the CRA's reporting deadlines?

  • Early warning within 24 hours: As soon as a manufacturer becomes aware of an actively exploited vulnerability or a severe security incident, it must submit an “early warning” to the responsible CSIRT via the CRA Single Reporting Platform (SRP). For a vulnerability, this report must name the affected product and the member states in which the manufacturer knows the product has been made available; for an incident, it must indicate whether the manufacturer suspects unlawful or malicious action.

  • Detailed notification within 72 hours: Within 72 hours, a more detailed notification must be submitted, containing general information about the product, the general nature of the exploit and the vulnerability (or the severity and impact of the incident), and any corrective or mitigating measures already taken or recommended to users.

  • Final report within 14 days or one month: For an actively exploited vulnerability, the final report is due no later than 14 days after a corrective or mitigating measure becomes available; for a severe incident, it is due within one month of the 72-hour notification. The final report documents, among other things, the severity and impact, the root cause or type of threat, known information about the attacker, and the available patches or workarounds.

The report is submitted once via the SRP to the CSIRT designated as coordinator in the member state of the manufacturer's main establishment; ENISA and the CSIRTs of other affected member states receive the information through the platform's coordinated distribution.


06

Cyber Resilience Act: What you need to know

The CRA does not stand alone, but is embedded in a broader regulatory and risk management context (including NIS-2, DORA, and the AI Act) that aims to strengthen cyber resilience. Surveys show that smaller organizations in particular increasingly consider their own cyber resilience to be inadequate, while larger players are making progress thanks to higher investments and specialized teams. In Germany, 6 out of 10 companies see cyber attacks as an existential threat (Bitkom 2025).

A holistic approach to cybersecurity and cyber resilience across the entire value chain helps smaller organizations in particular, as well as end customers, to significantly increase their defenses against cyber risks, as the overall level of security is raised across all solutions in use.

What are the most important CRA requirements for manufacturers, importers, and distributors?

Products with digital elements (hereafter “products”) will only be allowed on the market if they meet the “essential cybersecurity requirements” listed in Part I of Annex I of the CRA. These requirements are designed to ensure the confidentiality, integrity, and availability of digital products and their data. The regulation draws on established practices such as encryption, data minimization, secure default configurations, and preventive protection against attacks. Example: Products must “ensure the availability of essential functions, including the ability to defend against and mitigate denial-of-service attacks on servers.”