EU Cyber Resilience Act
The EU Cyber Resilience Act sets mandatory cybersecurity requirements for products with digital elements, covering secure design, vulnerability handling, and updates across the lifecycle. Serious breaches can incur fines up to 15 million euros or 2.5 percent of global turnover.
What the Cyber Resilience Act Is and Why It Exists
The EU Cyber Resilience Act (CRA) is a regulation that introduces mandatory cybersecurity requirements for "products with digital elements" sold in the European Union. It entered into force in December 2024, with the main obligations applying after a transition period. The CRA treats software and connected hardware like other regulated products: before they can carry the CE mark and be placed on the market, they must meet essential cybersecurity requirements and remain secure throughout their supported lifetime.
The law responds to a market where insecure devices and software were sold freely, with vulnerabilities patched late or never, leaving consumers and businesses exposed.
Who It Applies To
The CRA covers manufacturers, importers, and distributors of products with digital elements, including IoT devices, operating systems, applications, and many software libraries placed on the EU market. It distinguishes ordinary products from "important" and "critical" categories, which face stricter conformity assessment. Pure software-as-a-service is largely out of scope, though embedded and downloadable software is covered.
Key Requirements
- Secure by design and default: products must ship without known exploitable vulnerabilities and with secure default configurations.
- Vulnerability handling: manufacturers must identify, document, and remediate vulnerabilities and provide free security updates for a defined support period.
- Coordinated disclosure: actively exploited vulnerabilities and severe incidents must be reported to ENISA and relevant authorities, with early warnings within 24 hours.
- Documentation: a Software Bill of Materials, risk assessment, and technical file must be maintained.
- Conformity assessment and CE marking are required before market placement.
Penalties for Non-Compliance
The CRA carries significant fines. The most serious breaches of the essential requirements and vulnerability-handling obligations can reach up to 15 million euros or 2.5 percent of global annual turnover, whichever is higher. Lesser violations and supplying incorrect information to authorities carry lower but still substantial caps. Authorities can also order products withdrawn or recalled from the market.
How to Comply
- Inventory the digital products you place on the EU market and classify them by CRA category.
- Adopt a secure development lifecycle aligned with practices such as the NIST Secure Software Development Framework.
- Maintain a Software Bill of Materials and a vulnerability-handling process with defined update timelines.
- Establish coordinated vulnerability disclosure and incident-reporting paths to ENISA.
- Prepare technical documentation and complete the appropriate conformity assessment for CE marking.
Because obligations span the full support lifetime, compliance is an ongoing program, not a one-time certification.
Open Source and the Software Supply Chain
The CRA includes carefully limited treatment of open-source software, distinguishing non-commercial development from commercial supply. Manufacturers that incorporate open-source components into commercial products remain responsible for the security of what they ship, which makes a Software Bill of Materials and dependency monitoring essential. The regulation effectively pushes vendors toward continuous tracking of upstream vulnerabilities and disciplined update pipelines. For engineering organizations, the most durable response is to integrate supply-chain practices, such as dependency scanning, signed artifacts, and reproducible builds, into the development lifecycle, so that vulnerability handling and timely updates are routine rather than reactive emergencies near a reporting deadline.