CRA Overview
GitHub Action edited this page Jul 24, 2025
The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the first EU regulation to impose mandatory cybersecurity requirements on hardware and software products with digital elements across their whole lifecycle, from design through the end of the support period. It was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024. It is the EU's most comprehensive piece of cybersecurity regulation for connected products.

## Objectives

- Harmonize cybersecurity requirements for products with digital elements across the EU single market
- Raise the baseline security of hardware and software products placed on that market
- Create legal certainty for manufacturers, importers, distributors, and users
- Improve vulnerability handling and incident reporting throughout a product's support period
- Strengthen market surveillance and enforcement through national authorities
## Scope

The CRA applies to products with digital elements that are made available on the EU market, including:

- Consumer IoT devices (smart home, wearables, connected appliances)
- Industrial IoT systems and operational technology components
- Standalone software such as operating systems, browsers, and applications, together with the remote data-processing solutions a product depends on to function
- Network equipment and telecommunications devices
- Cybersecurity products such as password managers, VPNs, firewalls, and hardware security modules (many of these are listed by the CRA as important or critical products, which attracts a stricter conformity assessment)

The following are excluded from its scope:

- Products already covered by sector-specific EU legislation with equivalent cybersecurity requirements (medical devices, civil aviation, motor vehicles, marine equipment)
- Open-source software developed or supplied outside a commercial activity; commercial use of open-source components remains in scope, and non-profit "open-source software stewards" get a lighter regime
- Products developed exclusively for research, testing, and development and never made available on the market
- Products developed exclusively for national security or defence purposes
## Essential requirements

All covered products must meet the essential requirements of Annex I:

- Secure by Design: a documented cybersecurity risk assessment drives design, development, and production, and the product ships without known exploitable vulnerabilities
- Secure by Default: the product ships in a secure configuration with a way to reset to that state, and exposes only the interfaces and services it needs
- Vulnerability Management: a software bill of materials (SBOM) covering at least top-level dependencies, a coordinated vulnerability disclosure policy with a published contact point, and security updates delivered without delay, free of charge, and (where technically feasible) separately from functionality updates
- Incident Response: actively exploited vulnerabilities and severe incidents are reported through the single reporting platform (early warning within 24 hours, notification within 72 hours, final report within 14 days for vulnerabilities or one month for incidents)
- Documentation: technical documentation, an EU declaration of conformity, and user information that states the support period and where to report vulnerabilities
## Product categories and conformity assessment

The essential requirements are the same for every product; what changes by category is how conformity is demonstrated:

- Default products (the large majority): manufacturer self-assessment (internal control) is sufficient
- Important products, Class I (for example password managers, VPNs, browsers, consumer firewalls, smart home assistants): self-assessment only when harmonised standards or common specifications are fully applied; otherwise a third-party assessment by a notified body
- Important products, Class II (for example hypervisors and container runtimes, industrial firewalls, intrusion detection and prevention systems, tamper-resistant microcontrollers): third-party assessment by a notified body is always required
- Critical products (for example smart meter gateways, smartcards and secure elements, hardware devices with security boxes): the Commission may additionally require a European cybersecurity certificate under the Cybersecurity Act

Whatever the category, the product must carry the CE marking and be accompanied by an EU declaration of conformity and technical documentation.
## Obligations

Manufacturers:

- Implement the essential cybersecurity requirements of Annex I on the basis of a documented risk assessment
- Conduct the conformity assessment appropriate to the product category and affix the CE marking
- Maintain technical documentation, including the SBOM, for at least 10 years after the product is placed on the market or for the support period, whichever is longer
- Report actively exploited vulnerabilities and severe incidents to the designated CSIRT and ENISA within the 24-hour / 72-hour / final-report deadlines
- Provide security updates for the support period, which must be at least 5 years unless the product is expected to be in use for a shorter time

Importers and distributors:

- Verify that the manufacturer has carried out the conformity assessment and drawn up the technical documentation
- Check that the CE marking, EU declaration of conformity, and user instructions accompany the product
- Refrain from placing non-compliant products on the market, and inform the manufacturer and market surveillance authorities when a product presents a significant cybersecurity risk
- Cooperate with market surveillance authorities on request

Users have no direct obligations under the CRA, but the regulation assumes they will:

- Apply security updates promptly
- Report vulnerabilities and incidents through the contact point the manufacturer must publish
- Use products according to the manufacturer's instructions
## Timeline

- 10 December 2024: regulation enters into force
- 11 June 2026 (18 months): provisions on notified bodies apply, so conformity assessment bodies can be designated
- 11 September 2026 (21 months): reporting obligations for actively exploited vulnerabilities and severe incidents apply
- 11 December 2027 (36 months): full application; every product placed on the market from this date must comply
- Legacy products: products placed on the market before 11 December 2027 fall under the CRA only if they are substantially modified after that date, except that the reporting obligations apply to them as well
## Enforcement

- National market surveillance authorities monitor compliance and may request technical documentation, test products, and order corrective action
- Fines for non-compliance with the essential requirements or manufacturer obligations reach €15 million or 2.5% of worldwide annual turnover, whichever is higher; lower tiers (€10 million or 2%, €5 million or 1%) apply to other obligations and to supplying incorrect information
- Products presenting a significant cybersecurity risk can be withdrawn from the market or recalled
- Conformity is demonstrated by self-assessment for default products and for Class I products that fully apply harmonised standards, and by notified-body assessment for Class II products and other Class I products
- The CE marking, backed by the EU declaration of conformity and technical documentation, is what signals compliance to authorities and buyers
## Benefits

For manufacturers:

- Market access across the EU
- Competitive advantage through demonstrable security
- Reduced cyber risk and fewer incidents in the field
- Customer trust and confidence
- Legal certainty about what is required

For users:

- Enhanced security of the digital products they buy
- Transparency about cybersecurity features and the support period
- Coordinated vulnerability management with a published contact point
- Incident response and support from the manufacturer
- Security updates for the whole support period
## Getting started

- Assess whether and how the CRA applies to your products, including which category each product falls into
- Review the requirements for that category
- Identify gaps in current security practices
- Develop an implementation plan aligned with the application dates
- Engage stakeholders across the organization

The implementation work breaks down into four areas:

- Technical Implementation - Security controls and processes
- Documentation - Required technical files and declarations
- Testing & Validation - Security assessment and verification
- Conformity Assessment - Formal compliance evaluation
For detailed legal analysis, see Legal Requirements. For technical implementation guidance, visit Technical Implementation.