
Last Updated: March 2026 · 15 min read

EU Cyber Resilience Act (CRA) Compliance Guide

The definitive guide for software companies navigating the EU Cyber Resilience Act. Covering security requirements, SBOM obligations, vulnerability disclosure rules, and the path to full compliance by December 2027.

What is the EU Cyber Resilience Act

The EU Cyber Resilience Act (CRA), formally Regulation (EU) 2024/2847, is the European Union's landmark cybersecurity legislation targeting products with digital elements. Published in the Official Journal on November 20, 2024, it establishes mandatory cybersecurity requirements for all hardware and software products placed on the EU market.

Unlike previous EU cybersecurity directives that focused on network and organizational security (such as NIS2), the CRA specifically addresses product security throughout the entire lifecycle, from design and development through deployment, maintenance, and end-of-life. It shifts the burden of cybersecurity from end users to manufacturers and importers.

The regulation applies to all "products with digital elements", meaning any software or hardware product that can connect to a device or network, including standalone software applications, embedded firmware, operating systems, and even cloud-based processing components that are integral to a product's function.

Compliance Disclaimer

The current landscape of EU CRA compliance is evolving, with implementing acts and delegated regulations still being finalized. This guide is purely based on Prismor's interpretation of the official sources available at the time of publication, including the CRA text (Regulation EU 2024/2847) and publicly available guidance documents. Prismor will not be responsible for any losses, damages, or compliance failures arising from the use of this information. Organizations should consult with qualified legal counsel and monitor official EU regulatory updates to ensure full compliance with all applicable requirements.

Why the EU Introduced CRA

The European Commission identified a critical gap in the EU's cybersecurity framework: while directives like NIS2 address organizational security, no horizontal regulation existed for the security of products themselves. The 2020 EU Cybersecurity Strategy and the 2022 proposal that led to CRA were driven by several factors:

  • Rapid increase in software supply chain attacks (SolarWinds, Log4Shell, and others)
  • Over 60% of security breaches linked to unpatched known vulnerabilities in software dependencies
  • Lack of transparency: users had no way to evaluate the security of products before purchase
  • Growing IoT ecosystem with billions of connected devices and minimal security standards
  • Economic cost of cyberattacks estimated at €5.5 trillion globally by 2025

By establishing a uniform regulatory framework, the CRA creates a level playing field for all manufacturers while giving European consumers and businesses confidence in the cybersecurity properties of digital products.

Who Needs to Comply

The CRA creates obligations for three categories of economic operators:

Manufacturers

Companies that design and develop products with digital elements, whether hardware or software. This includes software vendors, SaaS companies (for downloadable components), and hardware manufacturers.

Importers

Entities that place products from non-EU manufacturers on the EU market. Importers must verify that foreign manufacturers have conducted conformity assessments and that products bear the CE marking.

Distributors

Companies that make products available on the EU market without modifying them. Distributors must verify CE marking and report known vulnerabilities to authorities.

Notable exemptions: Medical devices (covered by MDR/IVDR), automotive products (covered by UNECE regulations), aviation products (covered by EASA regulations), and non-commercial open source software are generally outside CRA scope. However, commercial use of open source components brings the commercial entity's product into scope.

Software Categories under CRA

The CRA classifies products into three risk tiers, each with different conformity assessment requirements:

Default Category (Self-Assessment)

An estimated ~90% of products fall into this category. Manufacturers perform a self-assessment against the essential requirements.

Examples: note-taking apps, photo editors, standard business software, simple smart devices.

Important Class I (Self-Assessment or Third-Party)

Products with core security functions. Manufacturers can self-assess if they apply harmonised standards; otherwise a third-party audit is required.

Examples: password managers, VPNs, operating systems, routers, smart home devices, SIEM tools.

Important Class II / Critical (Mandatory Third-Party)

Highest-risk products. Mandatory third-party conformity assessment by a notified body.

Examples: firewalls, intrusion detection systems, secure elements/TPMs, smartcard readers, hardware security modules, smart meters.

CRA Security Requirements

Annex I of the CRA defines essential cybersecurity requirements that all products with digital elements must meet. These are organized into security properties and vulnerability handling processes:

Security by Design

  • Products must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on risk assessment
  • Products must be delivered with a secure-by-default configuration, including the possibility to reset to the original state
  • Protection against unauthorized access through appropriate control mechanisms (authentication, identity management)
  • Protection of confidentiality and integrity of stored, transmitted, and processed data (encryption at rest and in transit)
  • Minimization of data collection and processing to what is necessary for the intended purpose (data minimization)
  • Protection of availability, including resilience against denial-of-service attacks
  • Minimization of the product's own attack surface, including external interfaces
  • Ability to record and monitor relevant internal activity (logging and audit trails)
  • Ability to apply security updates, including automatic update mechanisms

Vulnerability Handling Requirements

  • Identify and document vulnerabilities and components contained in the product, including an SBOM
  • Apply effective and regular tests and reviews of the product's security
  • Address vulnerabilities without delay through security updates free of charge
  • Publicly disclose information about fixed vulnerabilities including severity and remediation guidance
  • Establish and enforce a coordinated vulnerability disclosure policy
  • Facilitate information sharing about vulnerabilities in the product and third-party components
  • Provide mechanisms for secure distribution and verification of security updates
  • Ensure security updates are available for at least 5 years (or the product support period, whichever is longer)

SBOM Requirements under CRA

The CRA makes Software Bill of Materials (SBOM) a legal requirement for the first time in EU legislation. Article 11 and Annex I require manufacturers to:

  • Generate and maintain an SBOM listing at minimum the top-level dependencies of the product
  • Make the SBOM available to market surveillance authorities upon request
  • Document all components using a machine-readable format
  • Include component names, versions, and unique identifiers
  • Keep SBOMs updated as the product evolves

While the CRA does not mandate a specific SBOM format, the industry-standard formats CycloneDX and SPDX are widely accepted. Implementing acts and harmonised standards may further specify technical requirements.
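The checks below, written for this guide as an added example and not part of Prismor's tooling, take a minimal CycloneDX JSON SBOM (a constructed sample for a hypothetical product, not real data) and verify the minimum the section lists: a machine-readable document that names the product, lists its top-level components, and gives each one a name, a version and a unique identifier.

```python
import json

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM for a hypothetical
# product "acme-gateway" and its top-level dependencies (illustrative values only).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "acme-gateway", "version": "2.4.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13", "bom-ref": "openssl-3.0.13"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1", "bom-ref": "log4j-2.17.1"},
    ],
}

# The minimum per component named in the guide: a name, a version and a unique identifier.
REQUIRED_FIELDS = ("name", "version")
IDENTIFIER_FIELDS = ("purl", "cpe", "bom-ref")

def check_sbom(sbom: dict) -> list:
    """Return a list of findings; an empty list means the SBOM meets the minimum."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        findings.append("not a CycloneDX document (bomFormat/specVersion missing)")
    if not (sbom.get("metadata") or {}).get("component", {}).get("name"):
        findings.append("metadata.component.name missing: SBOM does not say which product it describes")
    components = sbom.get("components") or []
    if not components:
        findings.append("components list empty: top-level dependencies not listed")
    seen = set()
    for i, comp in enumerate(components):
        label = comp.get("name") or f"components[{i}]"
        for field in REQUIRED_FIELDS:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        ident = next((comp[f] for f in IDENTIFIER_FIELDS if comp.get(f)), None)
        if ident is None:
            findings.append(f"{label}: no unique identifier (purl, cpe or bom-ref)")
        elif ident in seen:
            findings.append(f"{label}: duplicate identifier {ident}")
        else:
            seen.add(ident)
    return findings

def check_sbom_json(text: str) -> list:
    """Parse an SBOM from JSON text (the machine-readable form) and run the same checks."""
    try:
        return check_sbom(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"not machine-readable JSON: {exc}"]

if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM) or ["OK: SBOM meets the minimum fields"]:
        print(finding)
```

The same function can be pointed at the SBOM your build pipeline emits to catch components that were exported without a version or identifier before the document is kept as evidence for authorities.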

CRA Vulnerability Disclosure Rules

Article 14 of the CRA establishes mandatory vulnerability reporting obligations and is one of the most significant operational requirements. These take effect from September 11, 2026, earlier than the full compliance date.

Actively Exploited Vulnerabilities: 24-Hour Reporting

Manufacturers must notify ENISA (EU cybersecurity agency) within 24 hours of becoming aware that a vulnerability in their product is being actively exploited. An early warning must be submitted, followed by a detailed notification within 72 hours.

Severe Incidents: 24-Hour Notification

Security incidents that impact the product's security must also be reported within 24 hours. This includes supply chain compromises and attacks on the manufacturer's infrastructure affecting the product.

Coordinated Disclosure Policy

Manufacturers must establish and publish a coordinated vulnerability disclosure (CVD) policy with a clear contact point for security researchers. This includes maintaining a vulnerability handling process and issuing advisories in the machine-readable CSAF (Common Security Advisory Framework) format.

CRA Compliance Checklist

A high-level overview of what your organization needs to address. See our dedicated checklist for the full breakdown.

  • Classify your product(s) under the CRA risk categories (default, Important I, Important II/Critical)
  • Conduct a cybersecurity risk assessment for each product
  • Implement security-by-design and secure-by-default principles
  • Generate and maintain SBOMs for all products with digital elements
  • Establish vulnerability handling and coordinated disclosure processes
  • Set up 24-hour incident and vulnerability notification capability to ENISA
  • Create patch management and secure update distribution mechanisms
  • Prepare technical documentation and the EU Declaration of Conformity
  • Undergo conformity assessment (self-assessment or third-party depending on category)
  • Affix CE marking to compliant products

CRA Implementation Timeline

  • December 10, 2024: CRA entered into force.
  • September 11, 2026: Vulnerability reporting obligations become enforceable (Article 14).
  • December 11, 2027: Full compliance required: all essential requirements, conformity assessments, and CE marking.

Penalties for Non-Compliance

The CRA introduces significant financial penalties, following the precedent set by GDPR:

€15M / 2.5%

For non-compliance with the essential cybersecurity requirements (Annex I): up to €15 million or 2.5% of global annual turnover.

€10M / 2%

For non-compliance with other CRA obligations (notification, documentation, etc.): up to €10 million or 2% of turnover.

€5M / 1%

For providing incorrect, incomplete, or misleading information to authorities: up to €5 million or 1% of turnover.

Beyond fines, market surveillance authorities can order product withdrawal or recall from the EU market, which can be far more damaging to businesses than financial penalties alone.

How Prismor Helps with CRA Compliance

Prismor is the only platform that combines deep regulatory expertise with automated security tooling, so your team can meet EU CRA requirements without manual overhead.

Vulnerability Fixes

Automatically detect and fix known CVEs across your entire dependency tree, no manual patching required.

SBOM & VEX Generation with Compliance Reporting

Produce CycloneDX and SPDX-compliant SBOMs and VEX documents automatically on every build, with audit-ready reports aligned to EU CRA.

Software Supply Chain Monitoring

Continuous monitoring of your software supply chain with real-time alerts on new vulnerabilities and dependency changes.

Frequently Asked Questions

The EU Cyber Resilience Act (CRA) is a European Union regulation (EU 2024/2847) that establishes mandatory cybersecurity requirements for products with digital elements sold in the EU market. It requires manufacturers to ensure security throughout the entire product lifecycle, including secure design, vulnerability handling, and transparency through SBOMs.

Official References