What is the EU Cyber Resilience Act?
The EU Cyber Resilience Act introduces a harmonized cybersecurity framework across Europe for products with digital elements. It shifts the burden of security away from the end-user and places it squarely on the manufacturers and developers.
The regulation mandates that digital products undergo conformity assessments, carry the CE mark to signify cybersecurity compliance, and receive free security updates throughout their expected product lifetime.
Scope: Which Products are Covered?
The CRA applies to almost any hardware or software product connected to a network or device. This includes smart home devices, routers, firmware, desktop software, and even video games.
It categorizes products by risk. 'Default' products can rely on self-assessment, while 'Important' and 'Critical' products (like firewalls, smart meters, or operating systems) require third-party conformity assessments by notified bodies.
- Hardware devices (IoT, smart appliances)
- Software applications and operating systems
- Network infrastructure equipment
Essential Cybersecurity Requirements (Annex I)
Annex I of the CRA dictates the core security requirements. Products must be delivered with a secure default configuration, protect against unauthorized access, and minimize the attack surface.
Manufacturers must ensure data confidentiality and integrity, providing encryption and secure update mechanisms. The product must not contain known exploitable vulnerabilities upon release.
Vulnerability Handling and Reporting Obligations
Security does not stop at the release date. The CRA requires manufacturers to implement robust vulnerability handling processes for the expected lifetime of the product (or at least 5 years).
If an actively exploited vulnerability or a severe incident is discovered, manufacturers are legally obligated to report it to the European Union Agency for Cybersecurity (ENISA) and the relevant national authorities within strict timeframes—often within 24 hours of awareness.
Preparing Your CRA Technical Documentation
To demonstrate compliance, manufacturers must compile detailed technical documentation before placing the product on the market. This includes a cybersecurity risk assessment, architectural diagrams, and a Software Bill of Materials (SBOM).
The documentation must detail how the essential requirements from Annex I were met and outline the ongoing vulnerability management policy. A formal Declaration of Conformity must then be issued.
Frequently asked questions
Does the CRA apply to open-source software?
It applies to open-source software provided in the context of commercial activity. Purely non-commercial open-source projects managed by non-profits or volunteers generally fall outside the scope unless monetized.
How long must manufacturers provide security updates?
Manufacturers must provide free security updates for the expected lifetime of the product or for a minimum of five years, whichever is shorter. The exact support period must be clearly communicated to users.
What happens if a product does not comply with the CRA?
Non-compliant products can be recalled or barred from the EU market. Fines for severe infractions can reach up to €15 million or 2.5% of the company's total worldwide annual turnover, whichever is higher.
Do I need a third-party audit for my software?
Most consumer and general-purpose software falls into the default category, allowing for self-assessment. Only 'Important' and 'Critical' class products require mandatory third-party audits from a Notified Body.
Is an SBOM mandatory under the Cyber Resilience Act?
Yes, maintaining a Software Bill of Materials (SBOM) is a mandatory requirement. It helps track dependencies and manage vulnerabilities throughout the product's lifecycle.
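As an added illustration of what "tracking dependencies and managing vulnerabilities" with an SBOM looks like in practice (this is example code written for this page, not code from the original article or from any CRA guidance): the script below parses a small, constructed CycloneDX-style SBOM, flags components whose name and exact version match a constructed advisory list, and separately reports components that carry no version at all, since those can never be matched against any advisory and so undermine the SBOM's purpose. The simplified CycloneDX layout (top-level `bomFormat` and `components` list), the component names, and the `ADVISORY-PLACEHOLDER-*` identifiers are all assumptions made up for the example.

```python
"""Added example (not part of the original page): check a CycloneDX-style SBOM
against a list of known-vulnerable component versions.

Assumptions: a simplified CycloneDX 1.x JSON layout with a top-level
"components" list; all SBOM contents and advisory entries below are
constructed sample data, not real products or real advisories.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample SBOM in CycloneDX-like JSON (not a real product inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.2.0",
         "purl": "pkg:generic/libexample-tls@1.2.0"},
        {"type": "library", "name": "example-json", "version": "3.4.1",
         "purl": "pkg:generic/example-json@3.4.1"},
        {"type": "library", "name": "example-logger", "version": "0.9.0"},
        {"type": "library", "name": "example-unversioned"},  # no version recorded
    ],
})

# Constructed advisory list: (component name, affected versions, placeholder id).
KNOWN_VULNERABLE = [
    ("libexample-tls", {"1.2.0", "1.2.1"}, "ADVISORY-PLACEHOLDER-0001"),
    ("example-logger", {"0.8.0"}, "ADVISORY-PLACEHOLDER-0002"),
]


@dataclass(frozen=True)
class Component:
    name: str
    version: Optional[str]
    purl: Optional[str]


def parse_sbom(sbom_json: str) -> list:
    """Extract components from a CycloneDX-style SBOM document.

    Raises ValueError if the document is not recognizably a CycloneDX BOM, so a
    malformed or truncated inventory is never silently treated as 'clean'.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX" or not isinstance(doc.get("components"), list):
        raise ValueError("not a CycloneDX SBOM with a components list")
    return [
        Component(name=c["name"], version=c.get("version"), purl=c.get("purl"))
        for c in doc["components"]
    ]


def find_known_vulnerable(components, advisories):
    """Return (component, advisory_id) pairs with an exact name+version match."""
    hits = []
    for comp in components:
        for name, affected_versions, advisory_id in advisories:
            if comp.name == name and comp.version in affected_versions:
                hits.append((comp, advisory_id))
    return hits


def find_unversioned(components):
    """Components without a version cannot be matched against any advisory."""
    return [c for c in components if not c.version]


def sbom_review(sbom_json, advisories=KNOWN_VULNERABLE):
    """Summarize an SBOM: component count, known-vulnerable hits, unversioned entries."""
    comps = parse_sbom(sbom_json)
    return {
        "component_count": len(comps),
        "vulnerable": [(c.name, c.version, adv)
                       for c, adv in find_known_vulnerable(comps, advisories)],
        "unversioned": [c.name for c in find_unversioned(comps)],
    }


if __name__ == "__main__":
    print(json.dumps(sbom_review(SAMPLE_SBOM), indent=2))
```

Running the block prints one hit for `libexample-tls 1.2.0` and lists `example-unversioned` as unmatched. In a real pipeline the advisory list would come from a vulnerability feed rather than a literal, and the unversioned report is the finding to act on first: an SBOM entry that cannot be matched gives no evidence either way about the "no known exploitable vulnerabilities" requirement.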