
CRA Compliance

Mandatory cybersecurity requirements for products with digital elements sold in the EU

The Cyber Resilience Act introduces mandatory security requirements for products with digital elements placed on the EU market. Manufacturers, importers, and distributors: the reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027.


What is the CRA?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements throughout their lifecycle, from design through the end of the support period. Products already governed by sector-specific EU rules with equivalent requirements (for example medical devices, motor vehicles and civil aviation equipment) are excluded, and open-source software falls in scope only when it is supplied in the course of a commercial activity.

Security by Design

Products must be designed, developed and produced with security built in from the start, not bolted on as an afterthought. They must be made available on the market without known exploitable vulnerabilities and with a secure default configuration.

Full Lifecycle Coverage

Security updates must be provided free of charge throughout the support period, which must reflect the time the product is expected to be in use and must be at least five years unless the product is expected to be used for less. Vulnerabilities must be handled under a documented process and disclosed in a coordinated way.

CE Marking Required

Products must carry the CE marking to demonstrate conformity with CRA cybersecurity requirements before entering the EU market.

The Stakes are High

€15M or 2.5% of global annual turnover, whichever is higher
Maximum fine for breaching the essential cybersecurity requirements or the manufacturer obligations, including vulnerability reporting
Market Ban
Non-compliant products can be withdrawn or recalled from the EU market

Product withdrawal - market surveillance authorities can require corrective action, restrict availability, or order products withdrawn or recalled from the EU market.

Misleading information - supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities carries fines up to €5M or 1% of global annual turnover, whichever is higher.

Who Must Comply?

The CRA applies to all economic operators placing products with digital elements on the EU market, wherever they are established.

Manufacturers

Primary obligation holders

  • Perform and document a cybersecurity risk assessment for each product
  • Implement security-by-design principles and ship with secure defaults
  • Provide security updates free of charge throughout the support period
  • Report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT via the single reporting platform
  • Prepare technical documentation, complete the conformity assessment and affix the CE marking
  • Maintain a machine-readable software bill of materials (SBOM) covering at least the product's top-level dependencies

Importers & Distributors

Verification obligations

  • Verify that the manufacturer has carried out the conformity assessment and drawn up the technical documentation
  • Ensure the CE marking, EU declaration of conformity and user information are present
  • Place on the market only products that meet the essential cybersecurity requirements
  • Importers: add their name, registered trade name and contact address to the product, its packaging or the accompanying documentation
  • Withhold non-compliant products, take corrective action, and inform the manufacturer and the authorities when a product presents a significant cybersecurity risk
  • Cooperate with market surveillance authorities

Products with Digital Elements

The CRA covers hardware and software products, including their remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

Connected Devices & IoT: smart home, wearables, industrial sensors
Software Applications: desktop, mobile, web-based applications
Operating Systems: embedded, mobile, desktop, server
Network Equipment: routers, switches, firewalls, access points
Industrial Control Systems: PLCs, SCADA, DCS
Smart Home Products: thermostats, cameras, locks, assistants

Key CRA Requirements

Risk Assessment

Perform a cybersecurity risk assessment for each product, use it to decide how the essential requirements apply to the product, and document the outcome, including residual risks, in the technical documentation.

Secure Development

Implement security-by-design principles throughout the product development lifecycle.

Vulnerability Handling

Establish and publish a coordinated vulnerability disclosure policy with a contact address for reports, fix vulnerabilities without delay, and distribute security updates free of charge throughout the support period, separately from functionality updates where technically feasible.

Technical Documentation

Maintain technical documentation demonstrating CRA conformity, including the risk assessment, the SBOM, security testing results and the EU declaration of conformity, and keep it available to authorities for at least ten years after the product is placed on the market or for the support period, whichever is longer.

Incident Reporting

Report actively exploited vulnerabilities and severe incidents affecting product security via ENISA's single reporting platform: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure being available (vulnerabilities) or within one month of the notification (incidents).

Supply Chain Security

Exercise due diligence when integrating third-party components, including open-source ones, so that they do not compromise the product's security. Maintain an SBOM for each product in a commonly used, machine-readable format covering at least the top-level dependencies.
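The SBOM obligation above is mechanically checkable, so here is an added example that is not code from the original page or from any CRA or CycloneDX project: a small Python script that runs a CRA-oriented completeness check over a CycloneDX JSON SBOM. The sample SBOM, the product and component names, and the rule set are constructed for illustration. The "top-level dependencies declared and resolvable" rule follows the Annex I wording; the rule that each component needs a purl or CPE identifier is this script's assumption about what vulnerability matching needs, not something the regulation spells out.

```python
"""Constructed example: a CRA-oriented completeness check over a CycloneDX SBOM.

Checks that a CycloneDX JSON document (a) identifies the product itself,
(b) describes every component with a name, a version and an identifier
usable for vulnerability matching, and (c) declares the product's direct
(top-level) dependencies, all of which resolve to described components.
The identifier rule is this script's assumption, not CRA text.
"""
import json

# Constructed sample with two deliberate gaps: 'zlib' carries no version or
# identifier, and the product depends on 'urllib3', which is never described.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {
            "type": "application", "bom-ref": "acme-gateway@2.3.0",
            "name": "acme-gateway", "version": "2.3.0",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0",
         "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "bom-ref": "zlib", "name": "zlib"},
    ],
    "dependencies": [
        {"ref": "acme-gateway@2.3.0",
         "dependsOn": ["pkg:pypi/requests@2.31.0", "zlib",
                       "pkg:pypi/urllib3@2.0.7"]},
    ],
})


def _clean_copy(doc_text):
    """Close the sample's gaps so the checker has a passing document to show."""
    doc = json.loads(doc_text)
    doc["components"][1].update({"version": "1.3.1",
                                 "purl": "pkg:generic/zlib@1.3.1"})
    doc["components"].append({"type": "library",
                              "bom-ref": "pkg:pypi/urllib3@2.0.7",
                              "name": "urllib3", "version": "2.0.7",
                              "purl": "pkg:pypi/urllib3@2.0.7"})
    return json.dumps(doc)


CLEAN_SBOM = _clean_copy(SAMPLE_SBOM)


def check_sbom(doc_text):
    """Return a list of human-readable findings; an empty list means it passed."""
    findings = []
    doc = json.loads(doc_text)
    if doc.get("bomFormat") != "CycloneDX" or not doc.get("specVersion"):
        findings.append("not a CycloneDX document with a specVersion")
        return findings

    # (a) The product itself must be identified by name and version.
    root = doc.get("metadata", {}).get("component")
    if not root or not root.get("name") or not root.get("version"):
        findings.append("metadata.component (the product itself) must carry name and version")

    # (b) Every described component needs name, version and a matchable identifier.
    refs = set()
    for comp in doc.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        refs.add(ref)
        missing = [f for f in ("name", "version") if not comp.get(f)]
        if missing:
            findings.append(f"component {ref}: missing {', '.join(missing)}")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"component {ref}: no purl or cpe identifier for vulnerability matching")

    # (c) Top-level dependencies must be declared for the product and resolve.
    deps = {d.get("ref"): d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root_ref = root.get("bom-ref") if root else None
    if root_ref not in deps:
        findings.append("no dependencies entry for the product: top-level dependencies not declared")
    else:
        for dep in deps[root_ref]:
            if dep not in refs:
                findings.append(f"top-level dependency {dep} is not described in components")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("clean document findings:", check_sbom(CLEAN_SBOM))
```

Run against the sample it reports three findings (the unversioned and unidentified zlib entry, and the undeclared urllib3 dependency) and none against the cleaned copy. Checking transitive dependencies, licence data or the SBOM's own signature is out of scope here; the point is the minimum an authority could ask for under the Annex I wording.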

What You Get

Our CRA compliance program delivers the documentation and processes needed for CE marking and market access.

Product Risk Assessment

Cybersecurity risk evaluation for each product with residual risk documentation

Security-by-Design Implementation

Product development lifecycle integration with security checkpoints

Technical Documentation Package

CRA conformity files including security testing results and SBOM

Vulnerability Disclosure Policy

Coordinated disclosure process and security update procedures

CE Marking Preparation

Conformity assessment support and Declaration of Conformity

CRA Compliance FAQ

Who is affected by the Cyber Resilience Act?

The CRA applies to any manufacturer, importer, or distributor placing a product with digital elements on the EU market, regardless of where they are based. This includes hardware products with network connectivity, software products sold separately, and the remote data processing solutions that belong to them. If your product connects to a network or another device, the CRA likely applies to you unless the product falls under one of the sector-specific exclusions.

What are the key CRA compliance deadlines?

The CRA entered into force on 10 December 2024. The provisions on notified bodies apply from 11 June 2026, the reporting obligations for actively exploited vulnerabilities and severe incidents (Article 14) from 11 September 2026, and all remaining obligations, including the essential requirements and the vulnerability handling requirements of Annex I, from 11 December 2027. Organizations must begin assessing their product portfolios and implementing security processes now to meet these deadlines comfortably.

What must products include to comply with the CRA?

CRA-compliant products must be made available without known exploitable vulnerabilities, with a secure default configuration, and with the ability to receive security updates. Manufacturers must maintain a Software Bill of Materials (SBOM), implement coordinated vulnerability disclosure procedures, report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT (early warning within 24 hours, notification within 72 hours), and provide security updates free of charge throughout the support period, which is at least five years unless the product is expected to be used for less.

What are the penalties for CRA non-compliance?

Non-compliance with the essential cybersecurity requirements in Annex I or with the manufacturer obligations in Articles 13 and 14, which include the reporting obligations, carries fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Breaches of any other obligation under the regulation carry fines up to €10 million or 2% of turnover. Beyond fines, market surveillance authorities can order products to be withdrawn or recalled from the EU market, which can be catastrophic for product-led businesses.

Prepare for the CRA

The CRA will fundamentally change product security requirements across Europe. Start preparing now.