CRA Compliance Resource Hub

The EU Cyber Resilience Act affects every product with digital elements sold in the EU — from consumer IoT devices to industrial software. This hub organises our guides by compliance domain to help you navigate the regulation systematically.

Understanding the CRA

The CRA (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements. It defines product categories, compliance timelines, and the costs involved. Start here to understand what applies to you.

CRA Product Classification: Is Your Product Default, Important, or Critical?

A practical guide to determining your product's CRA category. Includes decision trees, Annex...

11 분 분량

EU Cyber Resilience Act: Complete Implementation Timeline 2025-2027

A comprehensive guide to CRA enforcement deadlines, what manufacturers need to prepare at each...

10 분 분량

CRA Compliance Cost: How to Budget for Conformity Assessment and Documentation

Practical cost estimation framework for CRA compliance. Covers conformity assessment costs by...

11 분 분량

Technical Compliance Requirements

The CRA mandates specific technical documentation for every product. At the core are Software Bills of Materials (SBOMs) and the Annex VII Technical File — machine-readable inventories of every component in your product, paired with vulnerability tracking.

SBOM Requirements Under the EU Cyber Resilience Act (CRA)

EU CRA SBOM requirements explained: accepted formats, mandatory fields, BSI TR-03183 quality...

6 분 분량

The CRA Technical File: What Goes in Each Section (Annex VII Breakdown)

A section-by-section guide to CRA technical documentation requirements. Includes templates,...

17 분 분량

How to Generate a CRA-Compliant SBOM: Tools, Formats, and CI/CD Integration

A hands-on guide to generating Software Bills of Materials for CRA compliance. Covers...

10 분 분량

HBOM for CRA Compliance: Hardware Bill of Materials Guide

Understanding Hardware Bills of Materials (HBOM) for CRA compliance. Covers what to include,...

11 분 분량

VEX for CRA Compliance: Vulnerability Exploitability eXchange Guide

How to use VEX documents for CRA compliance. Covers VEX formats, status types, integration with...

11 분 분량

Conformity Assessment & Declaration

How to prove compliance depends on your product category. 기본 범주 제품 can self-assess (Module A), while important products and critical products need third-party evaluation. Both paths end with an EU Declaration of Conformity and CE marking.

CRA Conformity Assessment: Module A vs B+C vs H Decision Guide

How to choose the right conformity assessment route for your product. Covers self-assessment eligibility, Notified...

15 분 분량

CRA Declaration of Conformity: Template and Step-by-Step Writing Guide

How to write a compliant EU Declaration of Conformity for CRA. Includes ready-to-use template, required elements...

18 분 분량

Vulnerability Management

Active vulnerability handling is a CRA first — manufacturers must implement coordinated vulnerability disclosure, report to ENISA within 24 hours, and maintain security updates for the entire support period.

ENISA Vulnerability Reporting: What Triggers the 24-Hour Clock Under CRA

A practical guide to CRA vulnerability and incident reporting obligations starting September...

11 분 분량

Coordinated Vulnerability Disclosure Under CRA: Policy Template and Setup

A practical guide to establishing a CRA-compliant CVD policy. Includes ready-to-use templates,...

12 분 분량

Setting Up security.txt for CRA Compliance: A 10-Minute Guide

A quick, practical guide to implementing security.txt for your products. Includes templates,...

8 분 분량

CRA Support Period Planning: 5 Years of Security Updates (And What That Really Means)

A practical guide to CRA support period obligations. Covers minimum requirements, update...

11 분 분량

CRA End-of-Life Planning: Responsible Product Transitions

How to plan and communicate product end-of-life under CRA. Includes communication templates,...

13 분 분량

Role-Specific Obligations

Your CRA obligations depend on your role in the supply chain. Manufacturers bear the heaviest burden, but importers and distributors have their own verification and due diligence requirements — and roles can escalate.

CRA Importer Obligations: What to Verify Before Placing Products on the EU Market

A practical guide to Article 19 verification requirements for EU importers. Includes checklists,...

10 분 분량

CRA Distributor Checklist: 5 Verification Steps for Every Product

A practical guide to Article 20 obligations for EU distributors. Know what to check before every...

10 분 분량

When Importers Become Manufacturers Under CRA: Role Escalation Explained

A practical guide to CRA Article 22 role escalation. Know when rebranding or modifying products...

12 분 분량

Multi-Role CRA Compliance: When You're Manufacturer, Importer, and Distributor

How to manage CRA obligations when your organization holds multiple economic operator roles....

12 분 분량

White-Label and OEM Products Under CRA: Who's the Manufacturer?

CRA obligations for white-label, OEM, and private-label products. Understand when the brand...

12 분 분량

CRA Supplier Due Diligence: Questionnaire Template and Verification Process

A practical supplier assessment framework for CRA compliance. Includes ready-to-use...

13 분 분량

Standards & Regulatory Alignment

The CRA doesn't exist in isolation — it interacts with existing standards (ISO 27001, IEC 62443, EN 303 645) and other EU regulations (NIS2, MDR). Understanding these overlaps helps you leverage existing compliance work.

CRA vs ISO 27001: How Your ISMS Supports Product Security Compliance

Understanding the relationship between ISO 27001 certification and CRA...

12 분 분량

CRA Compliance for Industrial Automation: IEC 62443 Alignment and OT Security Guide

How the CRA applies to industrial automation and OT products. Covers IEC...

12 분 분량

CRA Compliance for Consumer IoT: EN 303 645 Alignment and Smart Home Security Guide

How the CRA applies to consumer IoT products like smart home devices,...

14 분 분량

German BSI TR-03183: How It Extends CRA SBOM Requirements

Understanding the German BSI Technical Requirement for SBOM quality. A guide...

10 분 분량

CRA and NIS2: Where Cybersecurity Regulations Overlap for Product Companies

Understanding how CRA and NIS2 interact. A practical guide for organizations...

11 분 분량

CRA vs UK PSTI: Compliance Guide for EU and UK Markets

Comparing the EU Cyber Resilience Act with the UK Product Security and...

10 분 분량

CRA vs MDR: Compliance Guide for Medical-Adjacent Products and Digital Health

Understanding where CRA and MDR/IVDR overlap for medical-adjacent products....

11 분 분량

Country-Specific Guides

Each EU member state has its own CSIRT and national coordination body. These guides cover country-specific CRA implementation, local reporting channels, and national cybersecurity agencies.

CRA Compliance for French Manufacturers: ANSSI Coordination and CE Marking Guide

A guide for French manufacturers navigating CRA compliance. Covers ANSSI coordination, French...

9 분 분량

CRA Compliance for Spanish Manufacturers: INCIBE-CERT and Regional Support

A guide for Spanish manufacturers navigating CRA compliance. Covers INCIBE-CERT resources,...

9 분 분량

CRA Compliance for Italian Manufacturers: ACN Coordination and Market Entry Guide

A guide for Italian manufacturers navigating CRA compliance. Covers ACN coordination, CSIRT...

10 분 분량

CRA Compliance for Dutch Manufacturers: NCSC-NL Coordination and Market Entry Guide

A guide for Dutch manufacturers navigating CRA compliance. Covers NCSC-NL coordination, Dutch...

11 분 분량

CRA Compliance for Polish Manufacturers: NASK Coordination and Market Entry Guide

A guide for Polish manufacturers navigating CRA compliance. Covers NASK/CERT Polska...

11 분 분량

Industry-Specific Guidance

Some sectors have unique CRA considerations — from automotive supply chains to startup resource constraints. These guides address industry-specific challenges and enforcement risks.

CRA for Machinery Manufacturers

Dual compliance with the CRA and EU Machinery Regulation for machines with digital elements.

Landing page

CRA Compliance for Automotive Suppliers: UN R155/R156 Alignment and Aftermarket Guide

How the CRA applies to automotive suppliers and aftermarket products. Covers the vehicle...

11 분 분량

CRA Compliance for Startups: Practical Guide for Resource-Constrained Teams

How startups can achieve CRA compliance without breaking the bank. Covers prioritization, lean...

12 분 분량

Are Smart Cameras Important Products Under the EU Cyber Resilience Act?

Smart security cameras are classified as Important Products (Class I) under CRA Annex III. What...

9 분 분량

EU Cybersecurity Act 2: Supply Chain Bans, Certification Overhaul, and What Product Manufacturers Should Watch

On January 20, 2026, the EU proposed replacing the Cybersecurity Act entirely. Here is what...

10 분 분량

CRA Penalties in Practice: What Market Surveillance Actually Looks Like

Understanding CRA enforcement mechanisms, penalty structures, and what to expect from market...

11 분 분량

귀사 제품에 CRA가 적용됩니까?

6가지 간단한 질문에 답하여 귀사 제품이 EU 사이버 복원력법(CRA) 적용 범위에 해당하는지 확인하십시오. 2분 이내에 결과를 확인하실 수 있습니다.

지금 확인하기

CRA 준법 달성을 준비하고 계십니까?

CRA Evidence로 SBOM과 준법 문서 관리를 시작하십시오.

14일 무료 체험 시작