Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
Digital Markets

Cyber Resilience Act (CRA) — Regulation (EU) 2024/2847

The Cyber Resilience Act (EU 2024/2847) introduces mandatory cybersecurity requirements for hardware and software throughout their lifecycle.

LinkedIn X WhatsApp

Summary

The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, is the first EU-wide horizontal regulation establishing mandatory cybersecurity requirements for products with digital elements — both hardware and software — throughout their entire lifecycle. It closes a significant regulatory gap, as most such products were previously not subject to EU-wide cybersecurity obligations.

The regulation takes a risk-based approach and classifies products into three categories: default products (self-assessment), important products (e.g. password managers, VPN software, routers), and critical products (e.g. hardware security modules, smart meter gateways), each subject to different conformity assessment procedures.

Manufacturers are required to integrate cybersecurity from the design phase (security by design), remediate known vulnerabilities, provide security updates for at least five years, and report actively exploited vulnerabilities to ENISA and the relevant national authority within 24 hours. Full applicability begins on 11 December 2027.

History

Commission President Ursula von der Leyen first announced the Cyber Resilience Act in her State of the Union address in September 2021. The Council called on the Commission to submit its proposal by the end of 2022 in its conclusions of 23 May 2022. On 15 September 2022, the Commission published the CRA proposal.

After intensive debate — particularly regarding the impact on open-source software — the Committee of Permanent Representatives (COREPER) reached a common position in July 2023. On 1 December 2023, Parliament and Council reached a political agreement that includes an exception for open-source software. The European Parliament voted in favour on 12 March 2024, and the Council adopted the regulation on 10 October 2024. The CRA was signed on 23 October 2024, published in the Official Journal on 20 November 2024, and entered into force on 10 December 2024.

Scope

The CRA applies to all products with digital elements placed on the EU internal market:

  • Default products (default class): The majority of products with digital elements — from toys and smart home devices to word processing software — are subject to self-assessment of conformity by the manufacturer.
  • Important products (Class I and II): Class I covers identity management software, VPN software, password managers, firewalls, routers, and operating systems. Class II covers hypervisors, container runtimes, public key infrastructure, and intrusion detection systems — these require the involvement of a notified body.
  • Critical products: Hardware security modules, smart meter gateways, and smartcard readers with the highest security requirements and mandatory third-party assessment.
  • Manufacturers: Any natural or legal person that develops or manufactures products with digital elements and places them on the EU market under their own name.
  • Importers and distributors: Must ensure that only compliant products enter the market and retain documentation for ten years.
  • Exemptions: Open-source software (without commercial activity), medical devices, aviation products, and automotive systems already subject to sector-specific cybersecurity rules.

Key Requirements

  • Security by design (Annex I, Part I): Products must be designed and developed to ensure an appropriate level of cybersecurity — including secure default configurations, access control, and protection of the confidentiality and integrity of data.
  • Vulnerability management (Annex I, Part II): Manufacturers must maintain a documented process for identifying, reporting, and remediating vulnerabilities, including coordinated vulnerability disclosure (CVD).
  • Security updates (Art. 13): Manufacturers must provide free security updates for a support period of at least five years; where the expected product lifetime is longer, that longer period applies.
  • Reporting obligations (Art. 14): Manufacturers must report both actively exploited vulnerabilities and severe security incidents to the coordinating CSIRT and ENISA in a three-stage process: an early warning within 24 hours, a vulnerability or incident notification within 72 hours, and a final report within 14 days (for vulnerabilities) or within one month (for incidents) of the notification.
  • Conformity assessment (Art. 24-30): Default products require self-assessment (Module A); important Class II products and critical products require the involvement of a notified body.
  • Software Bill of Materials (SBOM): Manufacturers must produce and maintain a machine-readable inventory of software components contained in their products.
  • CE marking (Art. 22): Compliant products bear the CE marking as evidence of conformity with CRA requirements.

Related Frameworks

NIS2DORAPCI DSS

Corrections & Errata

2026-QA-266 Correction 29 May 2026
Verify phased application dates: reporting from 11 Sep 2026, main obligations from 11 Dec 2027

The reporting obligations for actively exploited vulnerabilities and severe incidents (Art. 14) apply from 11 September 2026; most other obligations from 11 December 2027. If the entry states different dates, correct them.

Full details on the errata page →

Content last reviewed: 29 May 2026. Found an error or need an update? [email protected]