A plain-English guide to the CRA, built to stay accurate.

How we keep this accurate

The CRA is a regulation that is still rolling out - the reporting obligations applied in September 2026, and full application lands in December 2027, with delegated acts and secondary legislation continuing to emerge in between. Accuracy is the whole job. Here's how we approach it.

No software to sell, no consulting upsell

We don't sell compliance software and we don't run a consultancy. Nobody pays us to point you at a product. That's deliberate: it means our answers can stay neutral and our only goal is to explain the regulation clearly.

Where our facts come from

Every factual claim traces back to an official source. Our primary references are:

• EUR-Lex - the consolidated text of Regulation (EU) 2024/2847 (the Cyber Resilience Act). EUR-Lex: Reg. (EU) 2024/2847
• European Commission - the CRA summary page and the full policy page on the EC digital strategy site. EC CRA policy page
• ENISA - the European Union Agency for Cybersecurity, which operates the Single Reporting Platform (SRP) for vulnerability and incident notifications. ENISA SRP

We link the source behind every claim so you can check our work directly.

How we keep it current

Key pages carry a visible “Last updated” date. When something material changes - a date clarification, a delegated act, a new ENISA SRP guidance, or a product-class decision - we revise the affected pages and push it to subscribers of The CRA Brief.

When the rules aren't settled

Some areas of the CRA are still being worked out through delegated acts and secondary legislation. When that is the case, we say so plainly and mark it, rather than guess. We'd rather tell you “this is not yet decided” than sound more certain than the facts allow.