The EU Cyber Resilience Act mandates cybersecurity for all digital products sold in the EU. Meet the 2027 deadline through secure-by-design engineering, vulnerability disclosure, and CE marking.
The Cyber Resilience Act (CRA) is the EU's landmark product security regulation, entering into force in December 2024 with a phased timeline culminating in full compliance requirements by December 2027. Any manufacturer, importer, or distributor placing products with digital elements on the EU market must meet cybersecurity-by-design requirements, maintain vulnerability handling processes, and ensure products receive security updates throughout their lifecycle.
Classify products as default, Class I, or Class II per Article 7. Assess security practices against Annex I essential requirements and produce a risk-prioritised remediation roadmap.
Classify all products with digital elements per Article 7 and Annex II. Define compliance scope and map applicable requirements per product class.
Assess product security controls against Annex I Part I and Part II. Identify gaps in secure-by-design, vulnerability handling per Article 10, and update mechanisms.
Audit third-party and open source components per Article 13. Check for known vulnerabilities, licence compliance, and supply chain risk across all products with digital elements.
Evaluate supply chain security practices per Article 13. Assess component provenance and vendor risk management to meet CRA supply chain transparency obligations.
Establish a baseline of product security practices and tooling. Track progress against CRA compliance milestones and the December 2027 enforcement deadline.
Embed security into the product development lifecycle per Annex I Part I. Implement threat modelling, SAST/DAST integration, dependency management, and security testing.
Design a coordinated vulnerability disclosure programme per Article 11. Implement SBOM generation, patch management, and ENISA reporting processes per Article 14.
Implement SBOM generation tooling per Article 13. Manage third-party component risk and licence compliance as a mandatory requirement for all products with digital elements.
Prepare Annex VII technical documentation per Article 31. Compile risk assessment, security architecture, test reports, and Declaration of Conformity for CE marking.
Establish security update distribution per Article 10. Set patch management SLAs and version management to meet CRA obligations for security support throughout the product lifecycle.
Review and harden default configurations per Annex I Part I Section 1. Ensure products ship with secure settings and no unnecessary attack surface.
Establish post-market monitoring per Article 10. Manage security updates and end-of-life policy to provide security support throughout the product's expected lifecycle.
Implement Article 14 reporting of actively exploited vulnerabilities to ENISA within the 24-hour early-warning window, coordinating with national CSIRTs as the CRA mandates.
Define end-of-life and end-of-support policies per Article 10. Include disclosure timelines, transition support, and security patch commitments for all products with digital elements.
Support engagement with market surveillance authorities per Article 38. Coordinate with notified bodies during conformity assessment audits and regulatory enquiries across EU member states.
Deliver role-based training on CRA obligations per Article 23. Cover secure-by-design, vulnerability handling, and documentation obligations for product, engineering, and security teams.
Maintain compliance documentation and evidence per Annex VII. Schedule internal audits and ensure readiness for notified body and market surveillance authority reviews per Article 38.
Smart home devices, industrial IoT, medical devices, and consumer electronics sold in the EU must meet essential cybersecurity requirements under the CRA, including secure default configurations and update mechanisms.
Software products, including operating systems, applications, and development tools, placed on the EU market are subject to CRA requirements. Open source software used commercially also faces disclosure obligations.
Industrial control systems, SCADA components, and operational technology products classified as Class I or Class II critical products face stricter conformity assessment requirements including third-party audits.
A structured six-phase process from product classification and scoping through to post-market monitoring and regulatory engagement.
Classify products under the CRA (default, Class I, Class II), define compliance scope, and map applicable Annex I requirements per product category.
Assess current security posture against CRA essential requirements, audit third-party components, and produce a risk-prioritised remediation roadmap with timeline.
Embed security into the product development lifecycle with threat modelling, SAST/DAST, secure configurations, and dependency management aligned to Annex I.
Implement coordinated vulnerability disclosure, SBOM generation tooling, patch management, and ENISA reporting processes as mandated by the CRA.
Prepare Annex VII technical documentation, conformity assessment evidence, and Declaration of Conformity for CE marking across all in-scope products.
Establish ongoing security monitoring, ENISA vulnerability reporting, end-of-life policy management, and audit readiness for continuous CRA compliance.