The European Union’s Cyber Resilience Act (CRA), officially adopted as Regulation (EU) 2024/2847, has been in effect since December 10, 2024. As of July 2025, the CRA is actively shaping the cybersecurity landscape for products with digital elements (PDEs) across the EU market. Published in the Official Journal of the EU on November 20, 2024, the CRA is the first global legislation to impose mandatory cybersecurity standards for hardware and software products with digital components. This article provides an updated overview of the CRA, incorporating the latest developments, stakeholder responses, and compliance efforts as of 2025, based on recent initiatives and resources.
EU Cyber Resilience Act – The Purpose
The rapid proliferation of connected devices, from Internet of Things (IoT) products like smart home appliances to complex software systems, has significantly increased cybersecurity risks. High-profile incidents, such as the 2020 SolarWinds supply chain attack affecting over 18,000 organizations and vulnerabilities in software components like Apache Log4j, have underscored the need for robust cybersecurity standards. The CRA addresses two primary issues:
- The low level of cybersecurity in many digital products, characterized by widespread vulnerabilities and inconsistent security updates.
- The lack of transparency that prevents users from making informed decisions about product security.
The CRA aims to:
- Ensure that PDEs placed on the EU market have fewer vulnerabilities and that manufacturers maintain cybersecurity throughout the product lifecycle.
- Enhance transparency regarding the security properties of hardware and software products.
- Protect consumers and businesses from cyber threats by fostering a harmonized cybersecurity framework across the EU.
By 2025, the CRA has begun to influence how manufacturers and developers approach cybersecurity, with a growing emphasis on secure-by-design principles and proactive vulnerability management. It complements existing EU legislation, such as the Network and Information Systems Security Directive (NIS2), the Digital Operational Resilience Act (DORA), and the AI Act, while addressing gaps in the regulation of non-embedded software and IoT devices.
Scope of the EU Cyber Resilience Act
The CRA applies to “products with digital elements” (PDEs), defined as any hardware or software product whose intended or reasonably foreseeable use includes a direct or indirect connection to a device or network. This broad definition encompasses:
- Hardware: Smartphones, laptops, smart home devices (e.g., routers, smart thermostats, baby monitors), microprocessors, firewalls, and smart meters.
- Software: Device firmware, operating systems, mobile and desktop applications, software libraries, app stores, and computer games.
- Remote Data Processing Solutions: Data processing critical to a product’s core functionality, developed by the manufacturer.
Exclusions
The CRA does not apply to certain products already covered by sector-specific EU legislation, including:
- Medical devices and in-vitro diagnostic devices.
- Automotive and civil aviation products.
- Products developed exclusively for national security or defense purposes.
- Products designed to process classified information.
- Spare parts supplied by the original manufacturer.
Cloud solutions like Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) may fall under the CRA only if they meet the definition of remote data processing solutions; otherwise, they are typically covered by the NIS2 Directive.
Territorial Scope
The CRA applies to PDEs “made available on the market,” meaning they are supplied for distribution or use in the EU during commercial activities, whether paid or free. This applies to economic operators (manufacturers, importers, distributors) regardless of their location, as long as their products are sold in the EU.
Key Requirements of the CRA
The CRA establishes a comprehensive framework of cybersecurity obligations for economic operators, categorized by product risk level: non-critical, important (Class I and II), and critical. Approximately 90% of PDEs are expected to fall into the non-critical category. The requirements are divided into cybersecurity requirements and vulnerability handling processes, as set out in Annexes I and II of the regulation.
1. Cybersecurity Requirements
PDEs must be designed, developed, and produced to ensure an appropriate level of cybersecurity based on their risk profile. Key requirements include:
- Risk Assessments: Manufacturers must conduct cybersecurity risk assessments during the planning, design, development, production, delivery, and maintenance phases to minimize risks and prevent incidents.
- Secure by Design: Products must incorporate secure default configurations, access controls, data minimization policies, and resilience features to protect against unauthorized access and ensure data confidentiality and integrity.
- Component Due Diligence: Manufacturers must exercise due diligence when integrating third-party components to ensure they do not compromise product security.
- Regular Testing: Ongoing security testing and review of PDEs are required to maintain compliance throughout their lifecycle.
2. Vulnerability Handling
Manufacturers must establish robust vulnerability handling processes, including:
- Documentation: Identify and document all components, vulnerabilities, and relevant third-party information, updating risk assessments as needed.
- Security Updates: Provide security updates for a minimum support period (typically five years) to address vulnerabilities promptly.
- Vulnerability Disclosure: Implement policies for coordinated vulnerability disclosure to encourage responsible reporting.
- Incident Reporting: Notify the designated Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of actively exploited vulnerabilities or severe incidents impacting product security. Detailed reports are required within 72 hours, with final reports within 14 days (for vulnerabilities) or one month (for incidents). Users must also be informed of incidents and corrective measures.
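The reporting windows above are easy to miss when the awareness time lands near a month boundary or before the obligation applies. The helper below is an added example, not part of the article or the regulation; it turns a UTC awareness timestamp into the 24-hour, 72-hour and final-report deadlines, using the September 11, 2026 start date from the timeline in this article. It assumes (as a simplification) that the final-report window is counted from the moment of awareness and that "one month" means one calendar month, clamped to the last day of a shorter month.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Date from which mandatory vulnerability and incident reporting applies (article timeline).
REPORTING_APPLIES_FROM = datetime(2026, 9, 11, tzinfo=timezone.utc)


def _add_one_month(dt):
    """Calendar-month arithmetic, clamped to the last day when the target month is shorter."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


def cra_reporting_deadlines(aware_at_iso, kind):
    """Deadlines for a 'vulnerability' (actively exploited) or 'incident' (severe) report.

    aware_at_iso: ISO 8601 timestamp with a UTC offset of when the manufacturer became aware.
    Returns a dict of ISO timestamps, or None when awareness precedes mandatory reporting.
    """
    if kind not in ("vulnerability", "incident"):
        raise ValueError("kind must be 'vulnerability' or 'incident'")
    aware_at = datetime.fromisoformat(aware_at_iso)
    if aware_at.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    if aware_at < REPORTING_APPLIES_FROM:
        return None  # obligation not yet in force on that date
    # Final report: 14 days for vulnerabilities, one calendar month for incidents.
    # Assumption: both windows are counted from the moment of awareness.
    final = aware_at + timedelta(days=14) if kind == "vulnerability" else _add_one_month(aware_at)
    return {
        "early_warning": (aware_at + timedelta(hours=24)).isoformat(),
        "notification": (aware_at + timedelta(hours=72)).isoformat(),
        "final_report": final.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: awareness on the last day of October, so the one-month
    # incident deadline must clamp to November 30.
    for kind in ("vulnerability", "incident"):
        print(kind, cra_reporting_deadlines("2026-10-31T12:00:00+00:00", kind))
```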
3. Conformity Assessments
The CRA mandates conformity assessments to verify compliance, with processes varying by product classification:
- Default (Non-Critical) Category: Manufacturers can conduct self-assessments, producing technical documentation to demonstrate compliance.
- Important (Class I and II) and Critical Categories: These higher-risk products require third-party assessments by authorized Conformity Assessment Bodies (CABs, or Notified Bodies). Critical products face the most stringent evaluations, including frequent reassessments.
- CE Marking: Compliant PDEs must bear the CE mark, recognized across the European Economic Area (EEA) and Türkiye, to indicate adherence to CRA standards.
4. Obligations for Economic Operators
- Manufacturers: Bear the primary responsibility for ensuring PDE compliance, conducting risk assessments, maintaining documentation, and reporting vulnerabilities and incidents.
- Importers and Distributors: Must verify that products bear the CE mark, comply with cybersecurity requirements, and are accompanied by required documentation. They must report vulnerabilities to manufacturers and, if significant risks are identified, to market surveillance authorities.
- Open-Source Stewards: A new category introduced by the CRA, these entities support the development of free and open-source software (FOSS) for commercial use. They are subject to obligations like establishing cybersecurity policies and encouraging vulnerability disclosure.
Compliance Timeline
The CRA’s implementation is phased to allow stakeholders time to adapt. The following table outlines the key dates:
| Date | Milestone |
|---|---|
| December 10, 2024 | CRA entered into force, 20 days after publication in the EU Official Journal. |
| June 11, 2026 | Conformity Assessment Bodies authorized to assess product compliance. |
| September 11, 2026 | Mandatory reporting of vulnerabilities and incidents begins. |
| December 11, 2027 | Full CRA requirements, including compliance with essential cybersecurity standards, apply to all PDEs placed on the market. |
As of July 2025, stakeholders are in the preparation phase, with many organizations working to align their processes with CRA requirements before the key deadlines. The European Commission continues to develop harmonized standards and guidelines, including technical specifications for Software Bills of Materials (SBOMs) and vulnerability reporting.
Implications for Stakeholders
Manufacturers and Developers
Manufacturers are integrating cybersecurity into their product development lifecycles, adopting secure-by-design practices and enhancing vulnerability management processes. The introduction of the “open-source steward” concept has provided clarity for open-source software developers, although challenges remain for smaller entities due to resource constraints. The extended three-year transition period provides time to adapt processes and tools.
Open-Source Community
The open-source community has seen significant engagement with the CRA in 2025. Organizations like the Eclipse Foundation and the Open Source Security Foundation (OpenSSF) have launched initiatives to support compliance, including:
- Free Courses: On April 16 and April 29, 2025, OpenSSF and Linux Foundation Education launched LFEL1001, a free online course to help developers understand CRA requirements.
- Guides and Workshops: On July 15, 2025, OpenSSF released a guide for open-source software (OSS) developers, and on December 23, 2024, a workshop in Amsterdam provided key takeaways for stewards and manufacturers.
- Working Groups: On September 24, 2024, the Eclipse Foundation launched the Open Regulatory Compliance working group to assist with CRA navigation.
These efforts reflect the community’s proactive approach, though some concerns persist about the compliance burden on small businesses and redistributors, as noted by Debian.
Consumers and Businesses
Consumers benefit from enhanced cybersecurity standards, reducing the risk of data breaches, fraud, and privacy violations. Businesses gain from a harmonized regulatory framework, avoiding overlapping requirements and fostering a more resilient digital ecosystem. The CE mark provides a clear indicator of compliance, enabling informed purchasing decisions.
Cybersecurity Professionals
For cybersecurity professionals, the CRA introduces new responsibilities, particularly in ensuring compliance within organizations producing or selling PDEs. It emphasizes proactive risk management and may drive demand for expertise in secure development practices, vulnerability management, and incident response.
Global Impact
The CRA’s marketplace principle means it applies to any entity placing PDEs on the EU market, regardless of location. This has implications for global manufacturers, including those in the UK and US, who must comply to access the EU market. The CRA’s influence may extend further, as other regions adopt similar standards, such as the UK’s Product Security and Telecommunications Infrastructure Act (PSTI).
Challenges and Criticisms
Despite its benefits, the CRA has faced scrutiny:
- Compliance Burden: Smaller organizations and open-source developers may struggle with the administrative and financial costs of compliance, potentially stifling innovation. Amendments in December 2023 addressed some concerns by excluding certain open-source projects and introducing the “open-source steward” concept, earning praise from advocates like the Open Source Initiative.
- Regulatory Overlap: The interplay between the CRA and other EU regulations, such as NIS2 and DORA, may create confusion, particularly for financial entities or high-risk AI systems. The European Commission is expected to clarify these overlaps through delegated acts.
- Implementation Timeline: While the three-year transition period is generous, the complexity of integrating cybersecurity into product lifecycles may challenge manufacturers, especially for critical products requiring third-party assessments.
Enforcement and Penalties
EU Member States have designated market surveillance authorities to enforce the CRA, with a dedicated cooperation group ensuring uniform application. Non-compliance can result in significant penalties:
- Up to €15 million or 2.5% of global annual turnover (whichever is higher) for violations of essential cybersecurity requirements.
- Market bans for non-compliant products.
- Reputational damage and potential legal liability for damages caused by insecure products.
As of July 2025, these enforcement mechanisms are in place, and authorities are preparing for increased regulatory activity as compliance deadlines approach.
Steps for Compliance
To prepare for the CRA, organizations should:
- Conduct Gap Analysis: Assess current cybersecurity practices against CRA requirements, focusing on risk assessments, secure design, and vulnerability handling.
- Implement Secure Development Practices: Adopt secure-by-design principles and integrate third-party component due diligence.
- Develop Documentation: Create and maintain technical documentation, including SBOMs and risk assessments.
- Establish Reporting Mechanisms: Set up processes for vulnerability and incident reporting to CSIRT and ENISA.
- Leverage Automation Tools: Use tools for SBOM generation, vulnerability scanning, and compliance tracking to reduce administrative burdens.
- Engage with Standards Bodies: Participate in consultations, such as those by the Czech National Office for Cyber and Information Security (NÚKIB), and utilize resources like OpenSSF’s free courses and guides.
In 2025, resources like the OpenSSF’s LFEL1001 course and guides for OSS developers are helping organizations achieve compliance.
Conclusion
The EU Cyber Resilience Act is transforming the cybersecurity landscape, setting new standards for digital products in the EU. As of July 2025, stakeholders are actively preparing for upcoming compliance deadlines, supported by educational initiatives. The CRA’s impact is expected to extend beyond the EU, influencing global cybersecurity practices and regulations. By fostering a more secure and resilient digital ecosystem, the CRA protects consumers and businesses while encouraging innovation in cybersecurity.
For further information, you can refer to the official CRA text on the European Commission’s website.