The plain-English explainer
What is the EU Cyber Resilience Act (CRA)?
Last updated · 8 Jun 2026
The CRA is an EU law that sets mandatory cybersecurity requirements for products with digital elements - from connected toys to industrial control systems. Manufacturers must design products to be secure, keep them updated, and report serious vulnerabilities to authorities. Regulation (EU) 2024/2847 sets all of this out; this page explains it in plain English.
TL;DR
- What: the EU Cyber Resilience Act, Regulation (EU) 2024/2847. Mandatory cybersecurity rules for products with digital elements sold in the EU.
- Who: manufacturers, importers and distributors of products with digital elements (hardware and software). Pure SaaS is generally out of scope.
- Key deadlines: 11 Sep 2026 - reporting obligations and ENISA Single Reporting Platform live; 11 Dec 2027 - full application (essential requirements, SBOM, CE marking).
- Core duties: security by design, secure by default, SBOM, vulnerability handling, CVD policy, CE marking, EU Declaration of Conformity.
- Stakes: fines up to €15 million or 2.5% of worldwide annual turnover for breaching the essential requirements.
Key dates
11 Sep 2026
Reporting obligations apply. ENISA Single Reporting Platform goes live.
11 Dec 2027
Full application: essential requirements, SBOM, CE marking.
€15M / 2.5%
Maximum fine (whichever is higher) for breaching the essential requirements.
Regulation in force 10 December 2024. Reg. (EU) 2024/2847. See the full deadline tracker.
What the CRA is, and what it is for
The EU Cyber Resilience Act, or CRA, is Regulation (EU) 2024/2847, adopted in October 2024 and in force from 10 December 2024. Its goal is to ensure that products with digital elements sold in the EU - from smart home devices to industrial software - meet a minimum bar of cybersecurity throughout their lifecycle. European Commission
Before the CRA, there was no single EU law requiring connected products to be cyber-secure. Manufacturers had wide discretion, and insecure defaults were common. The CRA changes this: it creates binding essential requirements, a conformity assessment regime (CE marking for cybersecurity), and a mandatory incident-reporting system. European Commission
Who must comply
The CRA places obligations on three types of economic operator, with manufacturers carrying the heaviest load.
Manufacturer
Designs, develops or produces a product with digital elements and places it on the EU market under their own name. Bears the full set of essential requirements, conformity assessment, CE marking, SBOM and reporting duties.
Importer
Places a product from outside the EU on the EU market. Must check the manufacturer has met the CRA requirements and that the product carries a CE mark before it can be sold.
Distributor
Makes a product available on the EU market without placing it there themselves. Lightest obligations: verify the CE mark is present and do not supply products known to be non-compliant.
Open-source software stewards - organisations that systematically support open-source code used in commercial products - have tailored, lighter duties under Art. 24 (a cybersecurity policy and cooperation with authorities) and cannot be fined. European Commission
Not sure which role applies to you? Use the scope checker for a plain-English steer.
Scope: products with digital elements - what is in, what is out
The CRA applies to products with digital elements (PDEs): any hardware or software product that can connect, directly or indirectly, to a device or a network. This is deliberately broad. Art. 3 and Recital 10
- In scope: consumer IoT devices, industrial control and automation software, operating systems, web browsers, VPNs, password managers, firewalls, smart home products, connected medical devices (unless covered by the Medical Devices Regulation), hardware security modules, embedded software, SDKs used in commercial products.
- Generally out of scope: pure SaaS / cloud services where no product component is placed on the market (only remote data processing). Medical devices and in vitro diagnostics regulated under EU Regulation 2017/745 / 2017/746. Civil aviation products regulated under EU Regulation 2018/1139. Motor vehicles. National-security products.
Product tiers: default, important, critical
The CRA splits in-scope products into four tiers based on risk. Your tier determines how you must assess conformity. See the full product classes page for the complete Annex III / IV lists. Annexes III and IV
Default
Anything not listed in Annex III or IV. Self-assessment (internal control) is the usual conformity route - you still meet all essential requirements, but you sign off yourself without a third-party audit.
Examples: photo editing software, smart speakers (without security functions), productivity apps, connected white goods.
Important I
Annex III, Class I. Self-assessment is allowed only if you fully apply all relevant harmonised standards or common specifications. Otherwise, a notified body must certify.
Examples: web browsers, password managers, VPN software, operating systems, IAM systems, smart-home security devices, connected toys.
Important II
Annex III, Class II. A notified-body (third-party) conformity assessment is always required - self-assessment alone is not sufficient.
Examples: firewalls, intrusion detection / prevention systems, tamper-resistant microcontrollers.
Critical
The highest-risk categories. Subject to the strictest conformity route; the Commission can require a European cybersecurity certificate before they may be sold.
Examples: hardware security modules (HSMs), smartcards, smart meter gateways.
Notified-body rules apply from 11 June 2026
Essential requirements (Annex I)
Annex I is the technical heart of the CRA. It is split into two parts: product properties (Part I) and vulnerability-handling duties (Part II). Every in-scope product must meet both. Annex I
Part I: Product properties
Security by design
Designed and produced to ensure an appropriate level of cybersecurity based on the risks. Includes a documented cybersecurity risk assessment (Art. 13).
Secure by default
Shipped in a safe configuration. No weak or shared default passwords. Unnecessary services disabled. Users must be able to reset to a secure state.
Minimal attack surface
Interfaces and services minimised by default. Resilient against denial-of-service attacks. External interfaces protected and authenticated.
Data protection
Confidentiality and integrity of data in transit and at rest. Unauthorised access prevented. Personal data minimised.
Updatability & resilience
Must be updatable, ideally with automatic security updates enabled by default. Free security updates provided across the support period (presumed at least 5 years).
Part II: Vulnerability handling
- SBOM (Software Bill of Materials) - a machine-readable inventory of components and top-level dependencies. Annex I, Part II(1)
- Identify and document vulnerabilities without undue delay; remediate promptly.
- Provide free security updates throughout the support period, separately from feature updates where feasible.
- Coordinated vulnerability disclosure (CVD) policy - a published, private channel for security researchers to report flaws. Annex I, Part II(5)
- A publicly available contact point for receiving vulnerability reports.
- Software supply chain security - due diligence on integrated third-party and open-source components. Art. 13
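The SBOM item above asks for a machine-readable inventory of components and top-level dependencies, and the supply-chain item asks for due diligence on the third-party components in it. The following added example (written for this explainer; it is not code from the regulation, from a harmonised standard, or from any CRA tool) shows what a minimal check of such an inventory looks like. It uses the CycloneDX JSON field names (`bomFormat`, `metadata.component`, `components`, `dependencies`, `bom-ref`, `purl`), which are real, but the list of things it flags is this example's own reading of "components and top-level dependencies", not wording from Annex I. The sample SBOM, the product `acme-gateway` and its component versions are constructed for the example.

```python
"""Minimal checker for a CycloneDX-style SBOM.

Added example, not part of the CRA or of any official tool.  Field names
follow CycloneDX JSON; the individual checks are an assumption about what
"components and top-level dependencies" should contain in practice.
"""
import json

# Constructed sample SBOM for a hypothetical firmware product.  Two of the
# components are deliberately incomplete so the checker has something to flag.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "firmware", "name": "acme-gateway",
                               "version": "2.3.1", "bom-ref": "acme-gateway@2.3.1"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "bom-ref": "pkg:generic/openssl@3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        # no purl/cpe: cannot be matched against advisories automatically
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "bom-ref": "pkg:generic/zlib@1.3.1"},
        # no version and no purl: flagged twice
        {"type": "library", "name": "busybox", "bom-ref": "pkg:generic/busybox"},
    ],
    "dependencies": [
        {"ref": "acme-gateway@2.3.1",
         "dependsOn": ["pkg:generic/openssl@3.0.13", "pkg:generic/zlib@1.3.1"]},
        {"ref": "pkg:generic/openssl@3.0.13", "dependsOn": ["pkg:generic/zlib@1.3.1"]},
    ],
})


def check_sbom(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    try:
        bom = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not machine-readable JSON: {exc}"]

    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")

    # The product itself must be described so its dependencies can be anchored.
    root = (bom.get("metadata") or {}).get("component") or {}
    root_ref = root.get("bom-ref")
    if not root_ref:
        findings.append("metadata.component (the product itself) missing or has no bom-ref")

    # Every component needs a stable reference, a version, and an identifier
    # (purl or cpe) that vulnerability feeds can be matched against.
    refs = set()
    components = bom.get("components") or []
    if not components:
        findings.append("no components listed")
    for comp in components:
        ref = comp.get("bom-ref")
        if not ref:
            findings.append(f"component {comp.get('name')!r} has no bom-ref")
            continue
        refs.add(ref)
        if not comp.get("version"):
            findings.append(f"component {ref} has no version")
        if not comp.get("purl") and not comp.get("cpe"):
            findings.append(f"component {ref} has no purl/cpe identifier")

    # Top-level dependencies are the product's own dependsOn entry; every
    # reference in the graph must point at a listed component.
    deps = {d.get("ref"): d.get("dependsOn") or [] for d in bom.get("dependencies") or []}
    if root_ref and root_ref not in deps:
        findings.append("no dependency entry for the product itself (top-level dependencies unknown)")
    for ref, depends_on in deps.items():
        for dep in depends_on:
            if dep not in refs and dep != root_ref:
                findings.append(f"dependency {dep} referenced by {ref} is not a listed component")
    return findings


def top_level_dependencies(text):
    """Names of the components the product directly depends on, in SBOM order."""
    bom = json.loads(text)
    root_ref = bom["metadata"]["component"]["bom-ref"]
    by_ref = {c["bom-ref"]: c for c in bom.get("components", []) if "bom-ref" in c}
    for dep in bom.get("dependencies", []):
        if dep.get("ref") == root_ref:
            return [by_ref[r]["name"] for r in dep.get("dependsOn", []) if r in by_ref]
    return []


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
    print("top-level:", top_level_dependencies(SAMPLE_SBOM))
```

Run against the constructed sample, the checker reports three findings (zlib without an identifier, busybox without a version and without an identifier) and lists `openssl` and `zlib` as the product's top-level dependencies. The point of the identifier check is the supply-chain duty: a component you cannot match to an advisory feed is one you cannot monitor for vulnerabilities during the support period.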
Conformity assessment, CE marking and technical documentation
Once a manufacturer has met the essential requirements, they must demonstrate conformity, affix a CE mark, and draw up an EU Declaration of Conformity. These are all mandatory before a product can be placed on the EU market. Arts. 28-32 and Annex VII
- CE marking - the visible declaration that the product meets the CRA essential requirements. Placed on the product itself or its packaging.
- EU Declaration of Conformity - the formal written declaration by the manufacturer that the product meets Annex I. Must reference the regulation and the conformity assessment module used.
- Technical documentation (Annex VII) - a comprehensive file covering the product description, cybersecurity risk assessment, design and development records, the SBOM, test reports, and the CVD policy. Must be kept for 10 years and provided to market surveillance authorities on request.
Reporting obligations: 24h / 72h / 14 days (from 11 Sep 2026)
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's Single Reporting Platform (SRP). A single report routes to the relevant national CSIRT and ENISA. European Commission ENISA SRP
24 hours
Early warning
Notify the SRP that an actively exploited vulnerability or severe incident has been identified. Minimal detail required at this stage.
72 hours
Notification
A fuller incident notification: initial assessment, severity, indicators of compromise. Via the SRP.
14 days / 1 month
Final report
Final report within 14 days for actively exploited vulnerabilities; within 1 month for severe incidents. Includes root cause, mitigation and remediation.
Micro/small carve-out: micro and small enterprises are not fined for missing the 24-hour early-warning deadline.
The CRA timeline
- 10 December 2024 - Regulation (EU) 2024/2847 enters into force. EUR-Lex
- 11 June 2026 - Rules governing notified bodies (conformity assessment bodies) apply. Art. 71
- 11 September 2026 - Reporting obligations apply (Art. 14). ENISA Single Reporting Platform goes live. European Commission
- 11 December 2027 - Full application: essential requirements (Annex I), SBOM, CE marking, EU Declaration of Conformity, technical documentation. Art. 71
See the full deadline tracker for a live status board including harmonised standards development and SRP readiness.
Penalties
Enforcement is by national market surveillance authorities. The CRA sets three penalty tiers, each expressed as a fixed maximum or a percentage of worldwide annual turnover - whichever is higher applies. Art. 64
- Up to €15 million or 2.5% of worldwide turnover for breaching the essential requirements or the manufacturer obligations in Arts. 13-14.
- Up to €10 million or 2% for breaching other CRA obligations (importers, distributors, notified bodies).
- Up to €5 million or 1% for supplying incorrect, incomplete or misleading information to authorities.
See the full penalties breakdown for what triggers each tier, the carve-outs, and how to reduce risk.
By the numbers
The CRA in a few figures
- 11 Dec 2027: full application date for essential requirements, SBOM and CE marking.
- 24 hours: early-warning deadline for reporting actively exploited vulnerabilities via the SRP.
- €15M / 2.5% of worldwide annual turnover: maximum fine for breaching essential requirements - whichever is higher.
- 5 years: presumed minimum support period for security updates.
Sources: Regulation (EU) 2024/2847, European Commission CRA summary
FAQ
People also ask
- What is the EU Cyber Resilience Act (CRA)?
- The EU Cyber Resilience Act is Regulation (EU) 2024/2847. It sets mandatory cybersecurity requirements for products with digital elements (PDEs) - hardware and software sold in the EU. Manufacturers must design products to be secure, maintain them with security updates, create an SBOM, handle vulnerabilities responsibly, and report actively exploited vulnerabilities and severe incidents. It entered into force on 10 December 2024; full application is 11 December 2027.
- Who must comply with the CRA?
- Manufacturers that place products with digital elements on the EU market bear the core duties (security by design, SBOM, reporting, CE marking). Importers and distributors have lighter obligations - mainly checking that the manufacturer has complied. Open-source software stewards have tailored, lighter duties and cannot be fined. Pure SaaS that does not incorporate a tangible component is generally out of scope.
- What products are in scope?
- Products with digital elements: any software or hardware product that can connect - directly or indirectly - to a network or another device. This covers consumer IoT, industrial control software, security tools, operating systems, and more. Pure SaaS (remote data processing, cloud services with no downloadable element) is generally excluded. Medical devices and civil aviation products have separate sectoral rules and are excluded from the CRA.
- What are the product tiers?
- Most products (~90%) are "Default" - they self-assess against the essential requirements. "Important Class I" (Annex III: browsers, password managers, VPNs, operating systems, IAM, smart-home security devices, connected toys) can self-assess only if they fully apply harmonised standards; otherwise a notified body must certify them. "Important Class II" (Annex III: firewalls, IDS/IPS, tamper-resistant microcontrollers) always requires a notified-body assessment. "Critical" (Annex IV: HSMs, smartcards, smart meter gateways) faces the strictest route, potentially requiring a European cybersecurity certificate.
- What are the essential requirements?
- Annex I, Part I covers product properties: security by design, secure by default, minimal attack surface, data protection, resilience, and updatability. Part II covers vulnerability handling: maintain an SBOM, monitor and fix vulnerabilities, provide free security updates across the support period (presumed at least 5 years), publish a coordinated vulnerability disclosure policy, and maintain a contact point for security reports.
- What are the CRA reporting obligations?
- From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's Single Reporting Platform: a 24-hour early warning, a 72-hour notification, and a final report within 14 days (for vulnerabilities) or 1 month (for severe incidents). Micro and small enterprises may not be fined for missing the 24-hour deadline.
- When does the CRA apply?
- 10 December 2024: the regulation entered into force. 11 June 2026: rules on notified bodies (conformity assessment bodies) apply. 11 September 2026: reporting obligations and the ENISA Single Reporting Platform go live. 11 December 2027: full application - essential requirements, SBOM, CE marking, technical documentation, all mandatory.
- What are the CRA penalties?
- Fines of up to €15 million or 2.5% of worldwide annual turnover (whichever is higher) for breaching the essential requirements or Arts. 13-14. Up to €10 million / 2% for other obligations. Up to €5 million / 1% for providing incorrect information. Micro and small enterprises are not fined for missing the 24-hour reporting deadline. Open-source stewards are not fined.
- Does the CRA apply to open-source software?
- Open-source software provided free of charge and not as a commercial activity is generally not in scope for most obligations. However, "open-source software stewards" - organisations that systematically support open-source code used in commercial products - have tailored, lighter obligations under Art. 24, including a cybersecurity policy and cooperation with authorities. They cannot be fined.
- Does the CRA apply to SaaS?
- Pure SaaS - remote data processing where the end user never downloads or installs a product component - is generally outside the CRA's scope. The CRA targets products with digital elements, which must have some tangible software or hardware component placed on the market. If your SaaS includes a downloadable agent, SDK, or hardware device, that component is likely in scope.
This is guidance, not legal advice
Sources
- [1] Regulation (EU) 2024/2847 - full text (EUR-Lex), retrieved 8 Jun 2026
- [2] European Commission - CRA legislative summary, retrieved 8 Jun 2026
- [3] European Commission - Cyber Resilience Act policy page, retrieved 8 Jun 2026
- [4] European Commission - CRA reporting obligations, retrieved 8 Jun 2026
- [5] ENISA - Single Reporting Platform (SRP), retrieved 8 Jun 2026