CRA Glossary

Every CRA term, in plain English

Last updated · 8 Jun 2026

The Cyber Resilience Act comes with its own vocabulary: PDE, SBOM, essential requirements, notified body, CVD, SRP. Here is each term explained simply first, then with the precise legal phrasing from the regulation, so you can read any CRA document without a law degree.

Need the bigger picture first? Read what the CRA is, or check whether you are in scope.


  • A

    Actively exploited vulnerability

    A security flaw that attackers are already using in the wild. If one is found in your product, the CRA requires you to report it fast - an early warning within 24 hours.

    A vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission (Art. 3(42)). Triggers the Art. 14 reporting timeline via the Single Reporting Platform.

    See also: Severe incident, Single Reporting Platform (SRP), Reporting timeline (24h / 72h / 14 days), Coordinated vulnerability disclosure (CVD)

  • C

    CE marking

    The "CE" mark you put on a product to show it meets EU rules - including, from December 2027, the CRA. No CE mark, no legal sale in the EU.

    The marking by which the manufacturer indicates conformity with the CRA and other applicable Union harmonisation legislation (Arts. 29-30), affixed before the product is placed on the market.

    See also: EU Declaration of Conformity, Conformity assessment, Technical documentation (Annex VII)

    Conformity assessment

    The process of proving your product meets the CRA before you put it on the market. Most products you can self-assess; important and critical ones may need an independent body to check.

    The procedures in Art. 32 and Annex VIII (internal control / Module A, EU-type examination / Module B+C, or full quality assurance / Module H), chosen according to the product's risk category.

    See also: CE marking, Notified body, Harmonised standards, EU Declaration of Conformity

    Coordinated vulnerability disclosure (CVD)

    A published way for security researchers to report a flaw to you privately, so you can fix it before it becomes public. The CRA requires every manufacturer to have a CVD policy and a contact point.

    The Annex I, Part II(5) requirement to put in place and enforce a policy on coordinated vulnerability disclosure, and to provide a contact address for reporting vulnerabilities in the product.

    See also: Vulnerability handling, Actively exploited vulnerability, Single Reporting Platform (SRP)

    CRA (Cyber Resilience Act)

    An EU law that sets cybersecurity rules for almost any product that connects or contains software. If you make, import or sell a "product with digital elements" in the EU, the CRA tells you how secure it has to be and what you must document.

    Regulation (EU) 2024/2847 of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements. It entered into force on 10 December 2024 and applies in full from 11 December 2027.

    See also: Product with digital elements (PDE), Essential cybersecurity requirements (Annex I), CE marking, Manufacturer

    Critical product (Annex IV)

    The highest-risk category - products that essential services depend on, such as hardware security modules, smart meter gateways and smartcards. The Commission can require EU cybersecurity certification for these.

    Product categories listed in Annex IV. The Commission may require these to obtain a European cybersecurity certificate under a scheme adopted pursuant to the Cybersecurity Act (Art. 8).

    See also: Important product (Annex III, Class I & II), Conformity assessment, Notified body

    CSIRT

    A national Computer Security Incident Response Team - the country-level team that receives your incident reports through the EU platform and helps coordinate the response.

    The CSIRT designated as coordinator under the NIS2 Directive in the Member State of the manufacturer's main establishment, acting as a CRA reporting end-point.

    See also: Single Reporting Platform (SRP), ENISA, Reporting timeline (24h / 72h / 14 days)

  • D

    Distributor

    Anyone in the supply chain (other than the manufacturer or importer) who makes a product available - typically resellers and retailers. Distributors must verify CE marking and act if they spot non-compliance.

    A natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the market (Art. 3(16), duties in Art. 20).

    See also: Manufacturer, Importer

  • E

    ENISA

    The EU's cybersecurity agency. Under the CRA it runs the Single Reporting Platform and publishes guidance and threat information.

    The European Union Agency for Cybersecurity. Operates the SRP, may issue technical guidance, and prepares a biennial technical report on emerging trends.

    See also: Single Reporting Platform (SRP), CSIRT

    Essential cybersecurity requirements (Annex I)

    The actual security rules every in-scope product must meet - like shipping with a secure default configuration, protecting data, and being able to receive security updates. Annex I has two parts: how the product is built (Part I) and how you handle vulnerabilities over its life (Part II).

    The product property requirements (Annex I, Part I) and vulnerability handling requirements (Annex I, Part II) that must be met for a product to be made available on the Union market. Breaching them carries the highest penalty tier.

    See also: Security by design, Secure by default, Vulnerability handling, SBOM (Software Bill of Materials)

    EU Declaration of Conformity

    A signed statement from the manufacturer saying the product meets the CRA. You draw it up, keep it, and make it available to authorities.

    The declaration (Art. 28, Annex V) by which the manufacturer assumes responsibility for the product's compliance with the essential requirements, kept for 10 years after placing on the market.

    See also: CE marking, Technical documentation (Annex VII), Conformity assessment

  • H

    Harmonised standards

    EU-recognised technical standards that, if you follow them, let you assume your product meets the CRA. They make compliance practical - instead of interpreting the law, you follow an agreed standard.

    Standards referenced in the Official Journal that confer a presumption of conformity with the essential requirements they cover (Art. 27). CEN/CENELEC are developing CRA standards under a Commission request.

    See also: Presumption of conformity, Conformity assessment, Essential cybersecurity requirements (Annex I)

  • I

    Important product (Annex III, Class I & II)

    A product whose core job is security-sensitive - like password managers, VPNs, firewalls or smart-home security devices. These face stricter conformity checks than ordinary products. Annex III splits them into Class I and the higher-risk Class II.

    Product categories listed in Annex III. Class I may use harmonised standards or a third-party assessment; Class II requires a stricter route. Manufacturers must apply the relevant conformity assessment procedure under Art. 32.

    See also: Critical product (Annex IV), Conformity assessment, Product with digital elements (PDE), Notified body

    Importer

    A company in the EU that places a non-EU manufacturer's product on the market. Importers must check that the product is compliant and carries the CE marking and required documentation before selling it.

    A natural or legal person established in the Union that places on the market a product with digital elements bearing the name or trademark of a person established outside the Union (Art. 3(15), duties in Art. 19).

    See also: Manufacturer, Distributor

  • M

    Manufacturer

    Whoever develops or makes a product (or has it made) and sells it under their own name or brand. Manufacturers carry the bulk of CRA duties - design, documentation, conformity, updates and reporting.

    A natural or legal person who develops or manufactures products with digital elements, or has them designed/developed/manufactured, and markets them under their name or trademark (Art. 3(13)).

    See also: Importer, Distributor, Open-source software steward, Essential cybersecurity requirements (Annex I)

    Market surveillance authority

    The national regulator that enforces the CRA in each EU country - it can demand your documentation, test products, order recalls and impose fines.

    The authority designated by each Member State under Art. 52 and Regulation (EU) 2019/1020 to carry out market surveillance and enforcement of the CRA.

    See also: Penalties, Notified body, Technical documentation (Annex VII)

  • N

    Notified body

    An independent, officially approved organisation that assesses higher-risk products against the CRA. From 11 June 2026 these bodies can be designated, so that they are ready to certify products.

    A conformity assessment body notified under Chapter IV (applicable from 11 June 2026) and competent to carry out third-party conformity assessment for important (Class II) and certain other products.

    See also: Conformity assessment, Important product (Annex III, Class I & II), Critical product (Annex IV)

  • O

    Open-source software steward

    An organisation (like a foundation) that supports open-source software used in commercial products. The CRA gives them lighter, tailored duties - and they cannot be fined - recognising they are not selling a product.

    A legal person, other than a manufacturer, that systematically and sustainably supports the development of free and open-source software intended for commercial activities (Art. 3(14); tailored duties in Art. 24).

    See also: Manufacturer, Coordinated vulnerability disclosure (CVD), Penalties

  • P

    Penalties

    Fines for breaking the CRA - up to €15 million or 2.5% of worldwide annual turnover for the worst breaches (the essential requirements), with lower caps for other duties.

    Administrative fines under Art. 64: up to €15m / 2.5% of turnover (essential requirements and Arts. 13/14), €10m / 2% (other obligations) and €5m / 1% (incorrect information), whichever is higher.

    See also: Essential cybersecurity requirements (Annex I), Market surveillance authority, Open-source software steward

    Presumption of conformity

    If you follow a harmonised standard (or hold a relevant EU cybersecurity certificate), authorities presume you meet the matching CRA requirements - shifting the burden away from you.

    The legal effect under Art. 27 whereby compliance with harmonised standards, common specifications or relevant European cybersecurity certification schemes is presumed to satisfy the corresponding essential requirements.

    See also: Harmonised standards, Conformity assessment

    Product with digital elements (PDE)

    Anything that is software, or hardware with software in it, that can connect to a device or network. Think apps, operating systems, smart devices, routers, sensors - even components sold separately. The CRA applies to PDEs.

    A software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately (Art. 3(1)). Pure SaaS/cloud is generally out of scope unless it is the remote data processing of a product.

    See also: CRA (Cyber Resilience Act), Remote data processing, Important product (Annex III, Class I & II), Critical product (Annex IV)

  • R

    Remote data processing

    Cloud or back-end services that a product needs to do its job - for example the servers a smart doorbell talks to. These are treated as part of the product, so the CRA covers them even though general cloud services are out of scope.

    Data processing at a distance for which the software is designed and developed by the manufacturer (or under their responsibility) and the absence of which would prevent the product from performing its functions (Art. 3(2)).

    See also: Product with digital elements (PDE), CRA (Cyber Resilience Act)

    Reporting timeline (24h / 72h / 14 days)

    When something is actively exploited or a severe incident hits, the clock starts: an early warning within 24 hours, a fuller notification within 72 hours, and a final report once a fix is available (14 days for vulnerabilities, one month for incidents).

    Art. 14 staged notification: early warning ≤24h of becoming aware, vulnerability/incident notification ≤72h, and a final report no later than 14 days after a corrective measure is available (one month for severe incidents).

    See also: Single Reporting Platform (SRP), Actively exploited vulnerability, Severe incident

  • S

    SBOM (Software Bill of Materials)

    A machine-readable list of all the software components and dependencies inside your product - like an ingredients label for software. The CRA makes manufacturers create and keep one so they (and authorities) know what is in the product when a vulnerability appears.

    A formal record (Annex I, Part II(1)) containing the details and supply chain relationships of components contained in the product with digital elements, in a commonly used, machine-readable format covering at least the top-level dependencies. Kept in the technical documentation; not required to be public.

    See also: Vulnerability handling, Technical documentation (Annex VII)

    Secure by default

    The product is safe the moment a user turns it on - no weak default passwords, unnecessary services switched off, and security updates on by default. Users should not have to be experts to be secure.

    The Annex I Part I requirement that products be made available with a secure-by-default configuration, including the possibility to reset the product to its original state.

    See also: Security by design, Essential cybersecurity requirements (Annex I)

    Security by design

    Building security into a product from the start, not bolting it on later. The CRA expects products to be designed, developed and produced to limit attack surfaces and protect users by default.

    The Annex I Part I obligation to ensure products with digital elements are designed, developed and produced so that they ensure an appropriate level of cybersecurity based on the risks.

    See also: Secure by default, Essential cybersecurity requirements (Annex I)

    Security updates

    Free fixes you must provide to close security holes during the support period - and, where feasible, separately from feature updates so users can patch without changing how the product works.

    Updates that address vulnerabilities, provided without delay and free of charge during the support period under Annex I, Part II, with the possibility of installing them automatically where appropriate.

    See also: Support period, Vulnerability handling, Secure by default

    Severe incident

    A serious security event affecting your product that has, or could have, a big impact - for example a breach that hits many users. These must be reported to authorities on the same fast timeline as actively exploited vulnerabilities.

    An incident negatively affecting the development, production or maintenance of products such that it leads (or can lead) to a severe impact on users, reportable under Art. 14.

    See also: Actively exploited vulnerability, Reporting timeline (24h / 72h / 14 days), Single Reporting Platform (SRP)

    Single Reporting Platform (SRP)

    The one EU portal, run by ENISA, where manufacturers report actively exploited vulnerabilities and severe incidents. You report once and it routes to the right national team. It goes live on 11 September 2026.

    The reporting platform established under Art. 16 and operated by ENISA, with national end-points (CSIRTs). Notifications reach the relevant CSIRT and, simultaneously, ENISA.

    See also: ENISA, CSIRT, Reporting timeline (24h / 72h / 14 days)

    Support period

    The minimum time you must provide free security updates for a product - expected to reflect how long users reasonably use it, and at least five years unless the product is expected to be used for a shorter time.

    The period during which a manufacturer must handle vulnerabilities (Art. 13(8)), determined by the expected product lifetime and presumed to be at least five years where shorter use is not expected.

    See also: Vulnerability handling, Security updates

  • T

    Technical documentation (Annex VII)

    The evidence file behind your product - your risk assessment, the SBOM, how it meets each requirement, and how you handle vulnerabilities. Authorities can ask to see it.

    The documentation required by Art. 31 and Annex VII demonstrating conformity, including the cybersecurity risk assessment, the SBOM, and how the essential requirements are met. Kept for 10 years.

    See also: SBOM (Software Bill of Materials), EU Declaration of Conformity, Essential cybersecurity requirements (Annex I)

  • V

    Vulnerability handling

    The ongoing job of finding, fixing and disclosing security holes in your product for as long as you support it - including providing free security updates and keeping an SBOM.

    The Annex I, Part II obligations: identify and document vulnerabilities (incl. an SBOM), address them without delay via security updates, apply a coordinated vulnerability disclosure policy, and share information about fixed vulnerabilities.

    See also: SBOM (Software Bill of Materials), Coordinated vulnerability disclosure (CVD), Support period, Actively exploited vulnerability

This is guidance, not legal advice. Confirm with the official sources we link or a qualified adviser. Definitions reference Regulation (EU) 2024/2847 (in force 10 December 2024, full application 11 December 2027).

Sources

  1. Regulation (EU) 2024/2847 (Cyber Resilience Act) - full text (EUR-Lex), retrieved 8 Jun 2026
  2. European Commission - CRA legislative summary, retrieved 8 Jun 2026
