Your CRA resource hub
Make sense of the EU Cyber Resilience Act, fast.
Plain-English answers, free tools, and updates you can trust, for any company that makes or sells products with digital elements. We read the regulation so you don't have to.
Find your way through the EU Cyber Resilience Act.
Confirmed deadlines
Reporting obligations live.
Manufacturers must notify ENISA of actively exploited vulnerabilities and severe incidents via the Single Reporting Platform - 24-hour early warning, 72-hour notification, 14-day final report.
Full compliance required.
All essential cybersecurity requirements, SBOM, CE marking, EU Declaration of Conformity and technical documentation must be in place for every product with digital elements placed on the EU market.
These dates are set in Regulation (EU) 2024/2847, in force since 10 December 2024. They are not moving unless Brussels amends the text, and if that happens, we'll tell you.
What applies to me? →
Got a customer questionnaire asking if your product is CRA-compliant? Start here.
A procurement team, a security assessor, or your biggest EU customer just asked whether your product meets the Cyber Resilience Act, whether you have an SBOM, or what class your software falls under - and you have no idea where to begin. You don't have a dedicated compliance function, and the regulation runs to hundreds of pages.
Take a breath. Most of this is more manageable than it looks once someone explains it plainly. The CRA sets baseline cybersecurity requirements for products with digital elements sold in the EU. The duties differ depending on whether you're a manufacturer, importer or distributor. We'll help you work out whether you're in scope, which class applies, and what you actually have to do. No jargon, no sales pitch.
Not sure if any of this is even your problem yet? Check in two minutes →
Start here
Start where you are
Four routes through the CRA, depending on what you need right now.
Free tools
Free tools, no email wall
Use them on the page. We'll only ask for your email if you want your result or a PDF sent to you.
Why use this hub
Independent
We're not selling you compliance software, and there's no demo to book. That means no pressure to "request a quote" at the bottom of every answer. We just explain the rules.
Always current
The CRA is still being implemented: notified-body rules, ENISA reporting guidance and product-class clarifications are all in motion. Every page carries the sources we used and the date we last checked them, and we update when things change.
Plain English, free tools
A scope and class checker, an obligations checker, an SBOM tool, a glossary and a product-class browser - written for people without a legal team. Terms are explained the first time we use them, then linked to the glossary.
The CRA Brief
We watch Brussels so you don't.
The CRA implementation keeps moving. One email, plain English, tells you what changed, what it means for your product, and what to do about it. So you can stop refreshing EUR-Lex and get back to building.
- A monthly issue rounding up what moved in Brussels and what's coming next.
- Breaking-change alerts the moment something material lands: a deadline update, new ENISA guidance, a product-class clarification or a delegated act.
- Plain-English summaries with a link to the official source, every time.
Free, and you can unsubscribe in one click. No spam, no selling your address.
By the numbers
The CRA by the numbers
The figures worth keeping in your head. Each one is set in Regulation (EU) 2024/2847 or in official ENISA guidance.
Maximum fine for breaching essential cybersecurity requirements - €15 million or 2.5% of global annual turnover, whichever is higher.
Reporting obligations go live: manufacturers must notify ENISA of actively exploited vulnerabilities via the Single Reporting Platform.
Early-warning window. Manufacturers have 24 hours to send an initial notification to ENISA after discovering an actively exploited vulnerability.
Share of in-scope products that fall into the Default class and can self-assess conformity without a notified body.
Full compliance deadline: all essential requirements, SBOM, CE marking and technical documentation must be in place.
Software Bill of Materials - mandatory for every product with digital elements, listing all software components and dependencies.
Sources: Regulation (EU) 2024/2847 (EUR-Lex) and the European Commission CRA policy page. Fines are the higher of the fixed amount or the percentage of global annual turnover.
From the Brief
From the CRA Brief
The latest updates and explainers. New entries land here as the implementation moves.
First briefings coming soon - subscribe to The CRA Brief and you'll get them in your inbox before they reach this page.
Stay ahead of the next CRA change.
Free, plain-English updates. We watch Brussels so you don't.