CRA

Cyber Resilience Act

CE marking for software — because IoT toasters shouldn't be hackable

The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements — from smart home devices to enterprise software. For the first time, the EU requires that digital products are designed securely, maintained throughout their lifecycle, and come with a Software Bill of Materials (SBOM). Think of it as the CE marking for software: if it connects to a network, it needs to be secure.

Scope

All products with digital elements placed on the EU market — hardware and software that can connect to a device or network, directly or indirectly. This includes IoT devices, operating systems, mobile apps, firmware, and even components like libraries and SDKs.

Geographic reach

EU-wide regulation with direct effect. Applies to any product placed on the EU market, regardless of where the manufacturer is established.

In effect since

10 December 2024 (reporting obligations from Sep 2026, full application from Dec 2027)

Purpose

To ensure that products with digital elements are placed on the EU market with fewer vulnerabilities and that manufacturers take security seriously throughout the product lifecycle. Because shipping a connected device with default password 'admin' should not be a business model.


Manufacturer

You develop or have developed a product with digital elements and market it under your own name or trademark. Whether you wrote every line of code or outsourced development, if your name is on the product, you're the manufacturer. This includes both hardware makers (IoT devices, routers) and software publishers.

Your obligations

  • Design products with security by default — no known exploitable vulnerabilities at time of release (Art. 13)
  • Conduct a cybersecurity risk assessment and document it in technical documentation (Art. 13.2)
  • Provide a Software Bill of Materials (SBOM) documenting at minimum the top-level dependencies (Art. 13.5, Annex I.2)
  • Handle vulnerabilities effectively throughout the product's expected lifetime (min. 5 years) (Art. 13.6)
  • Report actively exploited vulnerabilities to ENISA within 24 hours (Art. 14)
  • Ensure the product has a conformity assessment and CE marking before placing it on the market (Art. 24–28)
  • Provide security updates for the product's supported period — free of charge (Annex I, Part II)
  • Inform users about security properties and provide instructions for secure use (Annex I, Part II)

Key articles

  • Art. 13 — Manufacturer obligations
  • Art. 14 — Vulnerability reporting
  • Art. 24 — Conformity assessment
  • Annex I — Essential requirements
  • Annex III — Critical products

Pro tip

Start your SBOM practice now. Even a basic dependency inventory using standard tools (CycloneDX, SPDX) is better than scrambling in 2027. And while you're at it, review your default configurations — 'secure by default' means the user shouldn't need a PhD to be safe.
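The dependency inventory the tip recommends can be started with a few lines of code. The following is an added example, not part of this page or of the Euregas tooling: it builds a minimal CycloneDX-style SBOM (JSON, spec version 1.5) listing only the top-level dependencies that Art. 13.5 / Annex I.2 require as a minimum, and then runs a consistency check that catches the two defects most often seen in hand-made SBOMs: components without a version and dependency entries that point at components the document never declares. The product name, versions and dependency list are constructed sample values, and `purl` is a small helper defined here rather than a library function.

```python
"""Minimal CycloneDX-style SBOM of top-level dependencies plus a sanity check.

Added example; the product and dependency data below are constructed.
"""
import json

# Constructed sample inventory (hypothetical firmware product and its
# direct dependencies). A real build would read these from the lockfile
# or build manifest instead of hard-coding them.
PRODUCT = {"name": "smart-toaster-firmware", "version": "2.3.1"}
TOP_LEVEL_DEPS = [
    {"name": "mbedtls", "version": "3.5.0"},
    {"name": "lwip", "version": "2.1.3"},
    {"name": "freertos-kernel", "version": "10.6.1"},
]


def purl(name: str, version: str, ptype: str = "generic") -> str:
    """Build a package-url (pkg:<type>/<name>@<version>) used as the bom-ref."""
    return f"pkg:{ptype}/{name}@{version}"


def build_sbom(product: dict, deps: list) -> dict:
    """Return a CycloneDX 1.5 JSON document describing the product and its
    top-level dependencies, with an explicit dependency graph."""
    root_ref = purl(product["name"], product["version"])
    components = []
    for dep in deps:
        ref = purl(dep["name"], dep["version"])
        components.append({
            "type": "library",
            "bom-ref": ref,
            "name": dep["name"],
            "version": dep["version"],
            "purl": ref,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "firmware",
                "bom-ref": root_ref,
                "name": product["name"],
                "version": product["version"],
            }
        },
        "components": components,
        # One edge per direct dependency; transitive deps would add further entries.
        "dependencies": [{"ref": root_ref, "dependsOn": [c["bom-ref"] for c in components]}],
    }


def check_sbom(sbom: dict) -> list:
    """Return a list of problems found in the SBOM (empty list means it passed).

    Checks: declared format, every component carries a version, and every
    reference in the dependency graph resolves to a declared bom-ref.
    """
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")

    known_refs = set()
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        known_refs.add(root)
    for comp in sbom.get("components", []):
        if not comp.get("version"):
            problems.append(f"component {comp.get('name')!r} has no version")
        if comp.get("bom-ref"):
            known_refs.add(comp["bom-ref"])

    deps = sbom.get("dependencies", [])
    if not deps:
        problems.append("no dependency graph declared")
    for entry in deps:
        if entry.get("ref") not in known_refs:
            problems.append(f"dependency source {entry.get('ref')!r} is not a declared component")
        for target in entry.get("dependsOn", []):
            if target not in known_refs:
                problems.append(f"dangling dependency ref {target!r}")
    return problems


if __name__ == "__main__":
    doc = build_sbom(PRODUCT, TOP_LEVEL_DEPS)
    print(json.dumps(doc, indent=2))
    print("problems:", check_sbom(doc) or "none")
```

The check is deliberately structural rather than a full schema validation: the point is that an SBOM is only useful for vulnerability handling (Art. 13.6) if every entry can be matched to an exact version, and if the dependency graph actually names the components it claims to depend on. Running it in CI on every release candidate turns the inventory from a one-off document into something that stays accurate over the support period.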

Importer

You place products from non-EU manufacturers on the EU market. You're the compliance gatekeeper — if the manufacturer hasn't met CRA requirements, the product shouldn't cross the border with your name on the import documentation.

Your obligations

  • Only place products on the market that meet essential cybersecurity requirements (Art. 15.1)
  • Verify the manufacturer has conducted the conformity assessment (Art. 15.2)
  • Ensure the product bears the CE marking and is accompanied by required documentation (Art. 15.3)
  • Ensure the manufacturer has a vulnerability handling process in place (Art. 15.4)
  • Keep a copy of the EU declaration of conformity for 10 years (Art. 15.7)
  • Inform the manufacturer and market surveillance authority of any compliance issues (Art. 15.5)

Key articles

  • Art. 15 — Importer obligations
  • Art. 24 — Conformity assessment
  • Art. 28 — CE marking

Pro tip

Create a supplier qualification questionnaire that covers CRA essentials: conformity assessment status, SBOM availability, vulnerability handling process, and planned support period. Better to reject a non-compliant product early than to recall it later.

Distributor

You make products with digital elements available on the market without being the manufacturer or importer. You're in the supply chain — a reseller, marketplace, or retail partner. The CRA expects you to do basic due diligence before putting a product on the shelf (physical or digital).

Your obligations

  • Verify that the product bears the CE marking and has the required documentation (Art. 16.1)
  • Do not make available a product you know or should know is non-compliant (Art. 16.2)
  • Ensure storage and transport don't compromise the product's compliance (Art. 16.3)
  • Inform the manufacturer and market surveillance authority of any compliance issues (Art. 16.4)
  • Cooperate with market surveillance authorities when requested (Art. 16.5)

Key articles

  • Art. 16 — Distributor obligations
  • Art. 28 — CE marking

Pro tip

If you're a software marketplace, integrate compliance checks into your listing process. A simple 'Does this product have CRA documentation?' filter saves everyone time.

How Euregas can help

Available tools

  • Product register — catalogue products with digital elements, track compliance status
  • SBOM management — upload, parse, and track software bills of materials
  • Vulnerability tracking — monitor and manage reported vulnerabilities per product
  • Compliance scoring — automated compliance readiness score based on CRA requirements

AI-assisted features

  • Semantic search across CRA articles and annexes
  • AI-prefilled case steps for CRA-related compliance cases

Note

The CRA module is in an early stage. Core tools are available for product cataloguing and SBOM management. AI integration (e.g., automated vulnerability analysis, SBOM dependency risk scoring) is planned for future releases.

All examples are fictional and for illustrative purposes only.