CRA Compliance Resource Hub
The EU Cyber Resilience Act affects every product with digital elements sold in the EU — from consumer IoT devices to industrial software. This hub organises our guides by compliance domain to help you navigate the regulation systematically.
Understanding the CRA
The CRA (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements. It defines product categories, compliance timelines, and the costs involved. Start here to understand what applies to you.
Technical Compliance Requirements
The CRA mandates specific technical documentation for every product. At the core are Software Bills of Materials (SBOMs) and the Annex VII Technical File — machine-readable inventories of every component in your product, paired with vulnerability tracking.
Conformity Assessment & Declaration
How to prove compliance depends on your product category. Default products can self-assess (Module A), while important products and critical products need third-party evaluation. Both paths end with an EU Declaration of Conformity and CE marking.
Vulnerability Management
Active vulnerability handling is a CRA first — manufacturers must implement coordinated vulnerability disclosure, report to ENISA within 24 hours, and maintain security updates for the entire support period.
Role-Specific Obligations
Your CRA obligations depend on your role in the supply chain. Manufacturers bear the heaviest burden, but importers and distributors have their own verification and due diligence requirements — and roles can escalate.
Standards & Regulatory Alignment
The CRA doesn't exist in isolation — it interacts with existing standards (ISO 27001, IEC 62443, EN 303 645) and other EU regulations (NIS2, MDR). Understanding these overlaps helps you leverage existing compliance work.
Country-Specific Guides
Each EU member state has its own CSIRT and national coordination body. These guides cover country-specific CRA implementation, local reporting channels, and national cybersecurity agencies.
Industry-Specific Guidance
Some sectors have unique CRA considerations — from automotive supply chains to startup resource constraints. These guides address industry-specific challenges and enforcement risks.
Does the CRA apply to your product?
Answer 6 simple questions to find out if your product falls under the EU Cyber Resilience Act scope. Get your result in under 2 minutes.
Ready to achieve CRA compliance?
Start managing your SBOMs and compliance documentation with CRA Evidence.