
EU Regulation | Product Security

Cyber Resilience Act: Obligations for Manufacturers of Digital Products.

The CRA (Regulation (EU) 2024/2847) is the first binding EU regulation on the cybersecurity of digital products. By December 2027, manufacturers across Europe must meet SBOM obligations, operate vulnerability management and provide security updates for 5 years. Non-EU manufacturers exporting to the EU are equally affected.

Last updated: March 2026 - reviewed by certified experts

  • In force since: 10 Dec 2024 (Regulation (EU) 2024/2847)
  • Transition period: 36 months, full application from 11 Dec 2027
  • Maximum fine: EUR 15 M or 2.5% of global annual turnover
  • Product classes: 4 tiers (Default, Class I, Class II, Critical)
  • Affected manufacturers in the EU: 7,000+
  • Mandatory security updates: 5 years

Overview

What is the Cyber Resilience Act?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first binding EU regulation that attaches cybersecurity requirements directly to products with digital elements. It was published in the Official Journal of the EU on 14 December 2024 and entered into force on 12 December 2024.

The CRA closes a critical gap: while NIS-2 obliges service operators, the CRA governs the security of the products themselves - from development through market launch to end of lifecycle. Every connected product sold must in future be demonstrably built securely and maintained permanently.

The most important paradigm shift: security becomes a legal product property - no longer an optional add-on. Products without evidence of compliance may no longer be placed on the EU market. This applies equally to non-EU manufacturers who export products to the EU.

CRA at a Glance

  • EU Regulation: Regulation (EU) 2024/2847
  • Published: 14 December 2024 (Official Journal of the EU)
  • In force: 12 December 2024
  • Full application: 12 December 2027 (reporting obligations from Sept. 2026)
  • Authority (DE): Federal Office for Information Security (BSI)
  • Max. fine: EUR 15 M / 2.5% of global turnover

Reporting obligations from September 2026

The reporting obligation for actively exploited vulnerabilities applies from September 2026. Manufacturers must have established the necessary processes and BSI contacts by then.

Scope

Which Products Are Affected by the CRA?

The CRA distinguishes three criticality classes with different conformity assessment requirements. The classification determines whether self-assessment is sufficient or an independent notified body is required.

  • Class I - Normal: Self-assessment. Conformity assessment by the manufacturer itself (EU declaration of conformity).
  • Class II - Increased: Third-party audit. Audit by a notified body (independent accredited inspection body) required.
  • Critical - Annex III: Strictest requirements. Smart cards, HSMs, root CA products; strictest conformity obligations and European certification schemes.

Class I - Normal Criticality (Annex I Part I)

Self-assessment possible - Fine for violation up to EUR 10 M or 2% of turnover

  • Consumer routers and switches: home network devices with internet access
  • Smart home devices: smart plugs, cameras, door locks
  • Wearables: smartwatches, fitness trackers with network connectivity
  • Consumer electronics: smart TVs, connected speakers, set-top boxes
  • Industrial control systems (Class I): simple PLCs and embedded components
  • General software: browsers, email clients, office applications
  • Mobile devices (non-critical): smartphones, tablets without special function
  • Connected toys: interactive toys with network connectivity

Class II - Increased Criticality (Annex I Part II)

Notified body required - Fine for violation up to EUR 15 M or 2.5% of turnover

  • Firewalls and UTM systems: network security and packet filtering
  • ICS/SCADA systems: industrial control systems, operational technology
  • VPN gateways: virtual private network concentrators
  • Encryption and PKI products: HSM, certificate management, cryptographic modules
  • Operating systems (general): desktop and server OS with security functions
  • Microcontrollers with security function: trusted execution environments, secure enclaves
  • Industrial IoT gateways: OT and IT network interconnects
  • Network monitoring tools: IDS/IPS, SIEM sensors

Importers and distributors - indirect obligations

Importers of products from outside the EU assume the manufacturer's position if the manufacturer has no EU establishment. Distributors are obliged to check CE marking and resell only CRA-compliant products (Art. 19, 20 CRA).

Which class applies to your product?

The classification determines your compliance effort and conformity assessment requirements. In a free initial consultation we review your products and provide a definitive assessment.

Annex I CRA

The 8 Core Obligations of the Cyber Resilience Act

The CRA defines binding security requirements in Annex I for all phases of the product lifecycle - from conception through development to end of support. The requirements apply to all manufacturers regardless of product category.

01 Secure by Design & Default

Products must be designed from the ground up with security objectives (Art. 13(1) CRA). Default configurations must be secure: no preset default passwords, unnecessary services disabled, minimal attack surface. Security requirements must be considered throughout the entire product development process (Secure Development Life Cycle).

02 Vulnerability Management & Disclosure

Manufacturers must establish a structured process for receiving, assessing and remedying vulnerabilities (Annex I Part II CRA). Coordinated Vulnerability Disclosure (CVD) must be enabled. Discovered vulnerabilities must be remedied and documented promptly. A contact channel for vulnerability reports must be publicly known.

03 SBOM - Software Bill of Materials

Manufacturers must create and maintain a complete list of all software components (SBOM) (Art. 13(3) CRA). The SBOM must capture all direct and transitive dependencies, contain version information and be kept current. It must be made available to market surveillance authorities on request. Accepted formats: SPDX (ISO/IEC 5962) or CycloneDX.

04 Security Updates (minimum 5 years)

Manufacturers are obliged to provide security updates for at least 5 years or the expected product lifetime (Art. 13(8) CRA). Updates must be provided free of charge and without undue delay. Users must be actively informed about available updates. Transparent communication is required when support ends.

05 CE Marking with Cyber Conformity

Products with digital elements may only be placed on the market after the CRA enters into force if they bear the CE marking for cybersecurity (Art. 28 CRA). The marking demonstrates conformity with CRA requirements. It must be obtained before placing on the market and includes a conformity assessment.

06 Conformity Assessment (Self-Assessment / Third-Party)

Class I products (normal criticality) can be declared conformant through self-assessment (Art. 32 CRA). Class II products (increased criticality) require an independent audit by an accredited conformity assessment body (notified body). Critical products (Annex III) are subject to the strictest requirements. Assessment results must be documented and retained.

07 Mandatory Reporting of Exploited Vulnerabilities

Manufacturers must report actively exploited vulnerabilities to ENISA and the national authority (in Germany: BSI) within 24 hours (Art. 14 CRA). A detailed report follows within 72 hours. This reporting obligation applies regardless of whether the manufacturer discovered the vulnerability themselves or was informed by a third party. The BSI acts as the national coordination point.

08 Technical Documentation

Manufacturers must create comprehensive technical documentation and retain it for 10 years after placing on the market (Art. 31 CRA). This includes: product description, security concept, risk analysis, design and manufacturing documents, SBOM, test results, EU declaration of conformity. The documentation must be made available to market surveillance authorities on request at any time.

Note: The eight requirements apply to all manufacturers. For Class II products the EU Commission may issue delegated acts defining additional sector-specific requirements - comparable to the European cybersecurity certification schemes under the ENISA CSA (EU 2019/881).

"The Cyber Resilience Act fundamentally changes the rules for software development. Security is no longer a feature - it is a mandatory product property. Companies that start building compliant processes now will have a significant competitive advantage in 2027."

Chris Wojzechowski

Auditor with §31 BSIG audit methodology competence · AWARE7 GmbH

FAQ

Frequently Asked Questions about the Cyber Resilience Act

The most important questions about the CRA - answered with practical focus.

The CRA affects all manufacturers, importers and distributors who place products with digital elements on the EU market. This includes physical products with software or firmware (IoT devices, industrial controls, network components) as well as pure software products placed independently on the market. Open-source software not commercially distributed is exempt. Importers and distributors also share responsibility: if a manufacturer is based outside the EU, the importer assumes the manufacturer's position.

Class I products (normal criticality per Annex I Part I CRA) cover products with limited security risks such as consumer routers, smart home devices or simple browsers. They can receive CE marking through the manufacturer's own self-assessment (EU declaration of conformity). Class II products (increased criticality, Annex I Part II) such as firewalls, ICS/SCADA systems, VPN gateways or operating systems with security functions must be audited by an independent, notified body. Critical products under Annex III (such as certain smart cards or hardware security modules) are subject to the strictest requirements.

The CRA (Regulation (EU) 2024/2847) was published on 14 December 2024 and officially entered into force on 12 December 2024. Implementation deadlines are staggered: from September 2026, reporting obligations for actively exploited vulnerabilities and the requirement to designate a central contact point apply. From December 2027, all conformity assessment requirements and CE markings must be fulfilled. Manufacturers should therefore begin implementation now, as building compliant processes requires considerable lead time.

The CRA provides for three tiers of sanctions: For the most serious violations - failure to meet the essential cybersecurity requirements - fines of up to EUR 15 million or 2.5% of global annual turnover (the higher amount applies). For other violations such as failure to fulfil conformity assessment obligations: up to EUR 10 million or 2% of annual turnover. For providing false or incomplete information to authorities: up to EUR 5 million or 1% of annual turnover. In Germany, the BSI is the competent market surveillance authority.

The CRA and NIS-2 complement each other but are directed at different parties. NIS-2 obliges operators of essential services and entities to secure their own IT infrastructure. The CRA obliges manufacturers of products with digital elements to ensure product security. In practice this means: NIS-2-affected companies that also manufacture software or connected devices must comply with both frameworks. At the same time, NIS-2 operators benefit from the CRA - safer products on the market reduce risk throughout the entire supply chain.

The Software Bill of Materials (SBOM) under CRA Art. 13 must capture all software components of the product - direct and transitive dependencies, version numbers, licences and, where applicable, known vulnerabilities (CVE references). Recognised formats are SPDX (ISO/IEC 5962) and CycloneDX. The SBOM must be updated with each new product version. It does not need to be published by default but must be made available to market surveillance authorities on request and used internally when disclosing vulnerabilities to quickly identify affected components.
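As an added example (not AWARE7's or the CRA's own code) of how the SBOM completeness requirement in section 03 and the answer above can be operationalised: a check over a constructed CycloneDX document that flags unversioned components, declared dependencies that have no component entry, and components missing from the dependency graph. It assumes the CycloneDX 1.5 JSON layout; the check rules are an assumption about the obligation, not a certified audit criterion.

```python
"""CycloneDX SBOM completeness check for the CRA points above: a version on
every component and all direct and transitive dependencies resolvable. Added
example, not AWARE7's or the CRA's own tooling; data and rules are assumed."""
import json

# Constructed CycloneDX 1.5 document: the product depends on liba and libb;
# liba depends on libc, which is declared but never listed as a component,
# and libb carries no version.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/product@2.1.0",
                               "name": "product", "version": "2.1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/liba@1.4.2", "name": "liba", "version": "1.4.2"},
        {"bom-ref": "pkg:pypi/libb", "name": "libb"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/product@2.1.0",
         "dependsOn": ["pkg:pypi/liba@1.4.2", "pkg:pypi/libb"]},
        {"ref": "pkg:pypi/liba@1.4.2", "dependsOn": ["pkg:pypi/libc@0.9.0"]},
    ],
})


def check_sbom(text):
    """Return sorted findings; an empty list means every component has a
    version, every dependsOn ref resolves to a listed component, and every
    listed component is reachable from the product via the dependency graph."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    findings = [f"missing version: {c['name']}"
                for c in components.values() if not c.get("version")]
    # Walk from the product: a declared ref with no component entry is a
    # transitive dependency the SBOM fails to describe.
    seen, todo = set(), [root]
    while todo:
        ref = todo.pop()
        if ref in seen:
            continue
        seen.add(ref)
        for dep in graph.get(ref, []):
            if dep != root and dep not in components:
                findings.append(f"unresolved dependency: {dep}")
            todo.append(dep)
    findings += [f"orphan component (not in dependency graph): {ref}"
                 for ref in components if ref not in seen]
    return sorted(findings)
```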
The cost of CRA compliance depends heavily on the product and current maturity level. For simple Class I products with existing development processes, implementation can be budgeted at EUR 20,000 to EUR 80,000. For Class II products requiring independent audit by a notified body, EUR 80,000 to EUR 250,000 is typically required - depending on product complexity and documentation scope. Companies that have already implemented ISO 27001 or IEC 62443 can leverage significant synergies and reduce the effort considerably.

The CRA explicitly excludes open-source software that is not commercially distributed from its scope (Recital 18 CRA). This means: pure open-source community projects without commercial intent are not directly affected. However, as soon as a company integrates open-source components into a commercially distributed product, the end product falls under the CRA. The manufacturer must then fulfil SBOM obligations for all included open-source components. Specific exemptions apply for open-source foundations and organisations providing commercial support for software.

In Germany, the Federal Office for Information Security (BSI) acts as the national market surveillance authority for the CRA. The BSI can review products on the market, order recalls or market withdrawals for non-compliance, impose fines, and act as the reporting point for actively exploited vulnerabilities (from September 2026). The BSI also has the option to issue its own technical guidelines (BSI TR) that can be recognised as conformity-presuming standards.

Our CRA Readiness Programme follows four phases: (1) Scope analysis - product classification (Class I / II / Critical), scope review and initial gap analysis. (2) Process implementation - introduction of a Secure Development Life Cycle (SDLC), vulnerability management processes, SBOM toolchain setup. (3) Documentation - technical documentation, risk analysis, EU declaration of conformity, internal audits. (4) Certification support - preparation for audit by notified bodies for Class II products, coordination with the BSI. Full CRA compliance can typically be achieved in 6 to 18 months.

CRA Readiness Check

In a free initial consultation, we classify your products, assess the compliance gap against CRA requirements, and develop a prioritised action plan with timeline and fixed-price proposal.

Free · 30 minutes · No obligation