What is the EU Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, is European legislation that establishes mandatory cybersecurity requirements for products with digital elements sold in the EU market. It requires manufacturers to implement security by design, provide security updates throughout the product lifecycle, maintain Software Bills of Materials (SBOMs), and report actively exploited vulnerabilities to ENISA within 24 hours.

When does the CRA come into effect?

The CRA entered into force on December 10, 2024. Vulnerability reporting obligations to ENISA begin on September 11, 2026. The main obligations (security requirements, SBOM, CE marking, technical documentation) apply from December 11, 2027. After this date, non-compliant products cannot be sold in the EU market.

What are the penalties for CRA non-compliance?

CRA non-compliance penalties can reach up to €15 million or 2.5% of global annual turnover for essential requirement violations, €10 million or 2% for other obligations, and €5 million or 1% for providing misleading information. Market surveillance authorities can also order product recalls and prohibit sales in the EU.

What tools help with CRA compliance?

CRA Evidence (craevidence.com) is a compliance platform built for the EU Cyber Resilience Act. It covers SBOM management (CycloneDX/SPDX), vulnerability scanning with EPSS prioritization, technical file generation, compliance dashboards, and incident management with ENISA notification support. It supports manufacturers, importers, and distributors from SBOM to audit.

What is an SBOM and why is it required for CRA?

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of software components and dependencies in a product. Under the CRA, manufacturers must create and maintain SBOMs in standardized formats like CycloneDX or SPDX (as specified in TR-03183). SBOMs enable vulnerability tracking, license compliance, and supply chain transparency, and must be retained for at least 10 years after the product is placed on the market.

Does the CRA apply to open source software?

Non-monetized, free and open source software developed outside commercial activity is generally exempt from the CRA. However, 'open source stewards' (organizations that systematically support commercial use of open source products) have lighter obligations including security policies and vulnerability handling. Commercial products that incorporate open source components must fully comply with CRA requirements.

What products are excluded from the CRA?

The CRA excludes: pure SaaS (Software-as-a-Service) with no physical or downloadable component, medical devices (covered by MDR), motor vehicles (covered by type-approval regulations), aviation products, marine equipment, and products developed exclusively for national security or defense purposes.

What documentation is required for CRA compliance?

CRA requires manufacturers to maintain: Software Bills of Materials (SBOM) in CycloneDX or SPDX format, cybersecurity risk assessments, EU Declaration of Conformity, user documentation for secure installation and operation, vulnerability handling policy with coordinated disclosure procedures, test reports (penetration tests, code reviews), and evidence of conformity assessment. Documentation must be retained for at least 10 years.

What is the difference between CRA and NIS2?

CRA (Cyber Resilience Act) focuses on product security and applies to manufacturers, importers, and distributors of products with digital elements. NIS2 (Network and Information Security Directive) focuses on organizational cybersecurity and applies to essential and important entities operating critical infrastructure. Many organizations may need to comply with both regulations, as CRA covers the products they sell while NIS2 covers their internal security operations.

How do I report vulnerabilities under the CRA?

From September 2026, manufacturers must report actively exploited vulnerabilities to ENISA and national CSIRTs following strict timelines: Early warning within 24 hours of becoming aware, detailed technical report within 72 hours, and final report within 14 days for vulnerabilities (or 1 month for severe incidents). CRA Evidence provides incident management tools to help meet these reporting obligations.

TL;DR - Quick Summary

The EU Cyber Resilience Act (CRA) requires all products with digital elements sold in the EU to meet cybersecurity requirements by December 2027. Key obligations include: maintaining SBOMs (Software Bills of Materials), reporting exploited vulnerabilities to ENISA within 24 hours (from September 2026), and keeping technical documentation for 10 years. Penalties can reach €15 million or 2.5% of global turnover. CRA Evidence helps manufacturers, importers, and distributors achieve compliance through SBOM management, vulnerability scanning, and technical file generation.

Enforcement begins December 2027

EU Cyber Resilience Act (CRA)

EU Regulation 2024/2847 sets cybersecurity requirements for products with digital elements. Here's what you need to know.

What is the Cyber Resilience Act?

The CRA requires companies to document their software supply chain, monitor vulnerabilities throughout a product's lifecycle, and maintain technical files for 10 years. That's a lot of paperwork.

Published as Regulation (EU) 2024/2847, it covers hardware and software products sold in the EU: IoT devices, industrial control systems, standalone software, and more.

The regulation mandates Software Bills of Materials (SBOMs), vulnerability handling processes, risk assessments, and technical documentation. For hardware products, HBOMs are also required. VEX documents communicate vulnerability status to downstream users.

Official EU CRA Page

European Commission

Full Regulation Text

EUR-Lex Official Journal

Key Compliance Deadlines

11 September 2026

Vulnerability Reporting Begins

Manufacturers must report actively exploited vulnerabilities to ENISA and national authorities within 24 hours of becoming aware. Detailed reports due within 72 hours.

11 December 2027

Full CRA Enforcement

All products with digital elements must comply with essential cybersecurity requirements. Non-compliant products cannot be sold in the EU market.

Penalties for Non-Compliance

The CRA introduces significant financial penalties for non-compliance. Market surveillance authorities can also order product recalls and prohibit sales in the EU market.

€15M

or 2.5% global turnover

Essential requirements

€10M

or 2% global turnover

Other obligations

€5M

or 1% global turnover

Misleading information

Product Classification

The CRA categorises products based on their cybersecurity risk level. Higher-risk products face stricter conformity assessment requirements.

Category	Examples	Conformity Assessment
Default	Most software applications, IoT devices, consumer electronics	Self-assessment allowed
Important Class I	Identity management, browsers, password managers, VPNs, network management	Self-assessment if using harmonised standards; otherwise third-party assessment
Important Class II	Hypervisors, container runtimes, firewalls, intrusion detection, secure elements	Third-party conformity assessment required
Critical	Hardware security modules, smartcard readers, secure boot systems	Strictest requirements (Annex IV)

Documentation Requirements (Annex VII)

Manufacturers must compile and maintain technical documentation that demonstrates compliance with essential requirements. This documentation must be retained for at least 10 years after the product is placed on the market.

Bills of Materials (SBOM/HBOM)

SBOMs listing all software components and dependencies. For hardware products, HBOMs list hardware components. VEX documents communicate vulnerability status. Must follow CycloneDX or SPDX standards per TR-03183.

Risk Assessment

Cybersecurity risk assessment covering potential threats, vulnerabilities, and the measures taken to address them.

EU Declaration of Conformity

A formal declaration that the product meets all applicable CRA requirements, signed by an authorised representative.

User Documentation

Instructions for secure installation, operation, and maintenance. Must include information about the support period and security updates.

Vulnerability Handling Policy

Documented process for identifying, tracking, and remediating vulnerabilities. Must include coordinated disclosure procedures.

Test Reports

Evidence of security testing, including penetration tests, code reviews, and verification of essential requirements.

ENISA Vulnerability Reporting

From September 2026, manufacturers must report actively exploited vulnerabilities to ENISA (European Union Agency for Cybersecurity) and their national CSIRT following strict timelines.

Failure to report within the required timeframes can result in significant penalties and reputational damage.

Within 24 Hours

Early Warning - Initial notification of an actively exploited vulnerability or severe incident. Basic information about the threat.

Within 72 Hours

Detailed Report - Technical details, affected products, severity assessment, and initial remediation steps.

Within 14 Days

Final Report (Vulnerabilities) - Complete analysis, root cause, full remediation, and lessons learned.

Within 1 Month

Final Report (Incidents) - For severe security incidents, a final report is due within one month.

How CRA Evidence Helps

The CRA applies differently depending on your role in the supply chain. CRA Evidence adapts to each.

CRA supply chain diagram showing Manufacturer, Importer, and Distributor roles

CRA obligations vary by role in the supply chain

Manufacturers

Article 13 puts the heaviest obligations on you: SBOMs, vulnerability handling, security updates, technical documentation.

SBOM validation (TR-03183)
Vulnerability monitoring
Technical file export
Declaration of Conformity

Importers

Article 19 makes you responsible for verifying manufacturer compliance before you sell in the EU.

Verification checklists
Manufacturer tracking
Evidence storage
Audit trail

Distributors

Article 20 obligations are lighter: verify CE marking and handle non-compliant products correctly.

Due care checklists
Supplier tracking
CE verification
Incident escalation

Start preparing now

December 2027 is closer than it looks. Get your products and documentation ready.

Start 14-Day Free Trial See Features

See how CRA Evidence helps with compliance Read the latest CRA compliance articles