Key Takeaways
- What: The EU CRA introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU.
- When: Core obligations begin in 2026, with full enforcement on December 11, 2027.
- Who: Manufacturers, importers, distributors, and open-source stewards for commercial products all fall within scope.
- How: Compliance requires secure-by-design development, continuous vulnerability management, and full product lifecycle documentation.
- What’s next: Start mapping product risks, tightening security processes, and preparing evidence for conformity assessments now.
Forty billion: that is the number of IoT devices expected to be in operation worldwide by 2030, with 4.3 billion estimated to be in operation in the EU by the end of December. Add to these hardware, software, connected devices, embedded components, third-party libraries, and more, all shipped with weak security, inconsistent patching, and little (if any) long-term support.
The EU Cyber Resilience Act (CRA) is Europe’s attempt to set up mandatory, market-wide cybersecurity requirements and keep manufacturers accountable for security throughout a product’s entire lifecycle. Adopted in 2024, with obligations applying in stages until 2027, the regulation creates compulsory cybersecurity requirements for all products containing digital elements sold in the European Union.
The CRA is notable for being the first EU regulation on product cybersecurity to be enacted across member states. Rather than being limited to certain sectors (such as critical infrastructure or specific industries), the CRA establishes consistent cybersecurity requirements for the full range of products that include embedded digital components.
What is the Cyber Resilience Act?
The EU Cyber Resilience Act is the first horizontal European regulatory framework that establishes 21 mandatory cybersecurity requirements for manufacturers and importers of products with digital elements, including hardware components, software components, and remote data-processing solutions, across their lifecycle.
It aims to ensure a secure-by-design approach that is maintained throughout a product’s lifecycle, with security properties made transparent to stakeholders when products are placed on the EU market.
Why was the CRA Proposed in the EU?
The regulation was developed in light of the growing number of cyber incidents exploiting weaknesses in connected devices and software: a slew of poorly secured products, often with no visibility into what went into them. The result was an uneven cybersecurity landscape across EU member states, characterized by patchy security measures and enforcement.
To address this, the Cyber Resilience Act sets out 21 harmonised rules that apply uniformly across all 27 member states.
| Aspect | CRA | GDPR |
|---|---|---|
| Focus | Product cybersecurity | Personal data protection |
| Scope | Products with digital elements | Data processing activities |
| Primary Obligation | Secure product design and maintenance | Lawful data processing and user rights |
| Compliance Timeline | Lifecycle-based (design to end-of-support) | Ongoing during data processing |
| Penalties | Up to €15M or 2.5% global turnover | Up to €20M or 4% global turnover |
Who Does the EU CRA Apply To?
Economic operators in the supply chain of products containing digital elements fall under the Cyber Resilience Act’s scope. It is mainly up to manufacturers to ensure that their products comply with the cybersecurity requirements, even if they are based outside the EU. This includes businesses that design and develop new products or have existing products manufactured and/or marketed under their brand or trademark.
For new products that non-EU manufacturers intend to release on the European market, importers are accountable for verifying that the products conform to the CRA requirements and conformity assessment procedures before they are made available for distribution. Distributors must ensure that the products they make available carry the appropriate CE mark and documentation.
Note: Products already covered by sector-specific cybersecurity regulations, such as medical devices, aviation components, and motor vehicles, are exempt.
Does CRA apply to Open-Source Software?
The EU CRA requirements do not apply to open-source software that is developed or supplied outside of commercial activities; however, when open-source components are used in commercial products, obligations extend to the manufacturers of those products and to the open-source software stewards that support such components.
Manufacturers still own full compliance at the product level. However, the regulation adds a tailored regime for open-source stewards (legal entities that provide ongoing support for specific open-source projects used in commercial settings), whose duties are limited to maintaining a basic cybersecurity policy and reporting actively exploited vulnerabilities. They are not subject to financial penalties.
The goal of the EU cybersecurity legislation is simple: protect the open-source ecosystem while making sure commercial products built on it still meet the CRA’s security baseline.
What is the Cyber Resilience Act (CRA) timeline?
The regulation was adopted in 2024 and will be implemented gradually over the next few years. Here’s what the rollout looks like:

The Planning Phase (2021 – 2024)
First announced in 2021 and formally proposed in September, the EU Cyber Resilience Act worked its way through trilogue negotiations in late 2023. A provisional agreement was reached on November 30, 2023; the European Parliament signed off on it in March 2024, and the Council followed in October.
The final text was published on November 20, and the CRA officially entered into force on December 10, 2024.
The Implementation Phase (2024-2027)
Rather than enforcing everything at once, the CRA takes a phased approach, with a three-year transition period that gives businesses time to adapt their products and processes to meet the new cybersecurity requirements.
Key implementation milestones & Cyber Resilience Act effective dates
- Dec 10, 2024: The CRA enters into force, starting the clock on phased obligations.
- Jun 11, 2026: Rules on the notification of conformity assessment bodies start to apply.
- Sep 11, 2026: Mandatory reporting of actively exploited vulnerabilities and severe incidents begins.
Full Enforcement (2027)
On Dec 11, 2027, the final Cyber Resilience Act enforcement date, all CRA requirements become fully enforceable across all 27 EU member states. After this date, non-compliant products could face serious penalties.
What are the EU CRA Product Categories and Risk Classifications?
The CRA divides products with digital elements into four risk classes, each with its own compliance requirements.
Default Category
The default category covers about 90% of products within the CRA’s scope. Such products carry generic cybersecurity risks and include standard software applications, consumer electronics, and lower-risk IoT devices, among others. Manufacturers can self-assess product conformity.
They judge their own products against the essential cybersecurity requirements, with no need for third-party verification. Manufacturers must keep a detailed record of this self-evaluation, and their technical documentation must demonstrate adherence.
Important Products – Class I
Products used to manage identities, network management tools, and products intended to be integrated into critical infrastructure are all considered important Class I products. If manufacturers develop products that follow harmonized European standards, they can still self-assess. If harmonized standards are not applied or do not exist for certain requirements, third-party conformity assessment becomes compulsory.
Such a classification applies to products including but not limited to password management tools, VPN software, and some enterprise security tools.
Important Products – Class II
Class II products require compulsory third-party conformity assessment regardless of whether harmonized standards are followed. The class includes operating systems, microprocessors, hypervisors, smart meters, and industrial automation systems.
The higher classification here considers the widespread usage of such products and the higher impact they can have when they are hacked. Manufacturers cannot put these products on the market without verification of compliance by notified bodies.
Critical Products
Critical products are subject to European cybersecurity certification schemes established under the EU Cybersecurity Act. This top category encompasses smartcards for strong authentication and products for critical infrastructure protection.
These are the products that are subject to the strictest assessment processes because they play a crucial role in securing sensitive national-level operations and data throughout the EU.
What are the Penalties for Non-Compliance with the EU CRA?
The CRA sets hefty financial penalties for non-compliance to hold manufacturers accountable for their cybersecurity obligations. Market surveillance authorities may levy administrative fines of up to €15 million or 2.5% of the company’s total worldwide annual turnover in the preceding financial year, whichever is higher.
The structure of this penalty is consistent with other EU regulatory penalties, keeping the fines proportionate and a deterrent to companies of all sizes.
In addition to fines, authorities may issue immediate withdrawal orders against non-compliant products, requiring manufacturers to pull them from distribution channels. In extreme cases, regulators can order product recalls, requiring manufacturers to recover products already sold to end users, at enormous expense and with lasting reputational damage.
The prohibition of market access is the heaviest penalty, practically prohibiting non-compliant products from being placed or made available on the EU market. This can lead to massive revenue losses and permanent business damage, which go well beyond a monetary fine for manufacturers that rely on European markets.
Vulnerability Management and Reporting Obligations
A coordinated vulnerability disclosure policy is one of the core CRA requirements and establishes a clear, public channel for third parties (such as security researchers and users) to report vulnerabilities confidentially.
Your policy should set out how to reach you (a security@ email address or a dedicated, secure vulnerability reporting portal); expected response times; what is in scope; safe-harbor language that protects good-faith researchers from litigation; and responsible disclosure expectations.
One of the heaviest operational burdens under the CRA is the 24-hour notification requirement for actively exploited vulnerabilities and severe incidents. If attackers are already exploiting a vulnerability in your product, you must send an early warning notification to your national CSIRT coordinator and ENISA within 24 hours.
Within 72 hours, a vulnerability notification must follow with technical details, impact, and the affected product identification. Final reports close the loop within 14 days after remediation (for actively exploited vulnerabilities) or within one month for the final incident report on particularly severe incidents.
Free Security Updates and Support Periods
Under the CRA, manufacturers must provide security updates free of charge during the support period. You cannot charge for patches that fix vulnerabilities, although you remain free to charge for feature updates or enhanced support.
Under the regulation, “where technically feasible,” security updates must be separated from updates that improve or add features, ensuring users can install critical patches while deferring new features.
The support period must be clearly communicated to the user at the point of purchase, on the product itself, its packaging, or by digital means. The CRA sets a minimum support period of 5 years unless the product is clearly expected to be in use for less than 5 years, and it does not preclude support periods of 10 to 15 years for industrial equipment or specialized systems with correspondingly long expected lifecycles.
How to Prepare for EU CRA Compliance
CRA compliance can be approached in a structured way by investing time in the technical, procedural, and organizational aspects of product security.
Manufacturers should start taking proactive measures long before the enforcement deadlines. Here’s a simple checklist to get you started:
Product Inventory and Risk Assessment
- Start by making a detailed list of all products with digital components that will be marketed within the EU
- Detail the function of each product, its digital assets, and the use cases it supports
- Assign each product to CRA risk categories to identify any relevant compliance obligations
- Perform a gap analysis on current security practices regarding CRA essential requirements
Security Testing and Validation
- Conduct regular penetration testing to expose vulnerabilities in products that a malicious user can find and exploit before the product goes to market
- Run automated security scanning tools at several points during the development process to identify common vulnerabilities sooner
Pro Tip: For Class I and Class II products, use European Commission-approved third-party conformity assessment bodies (notified bodies) to confirm compliance with the CRA’s cybersecurity requirements.
Documentation and Process Implementation
- Create and retain SBOMs for every product containing details of all software used, including open-source libraries and third-party dependencies
- Build a secure development lifecycle that includes checkpoints throughout the development cycle (design, development, deployment, etc.)
- Design incident response procedures that provide the ability to quickly detect, assess, and patch a vulnerability
Supply Chain Management
- Check all third-party components and dependencies for known vulnerabilities and hold them to the CRA’s standards
- Mandate security updates and vulnerability disclosures from suppliers through contractual obligations
- Continuously monitor your suppliers’ security practices and maintain an up-to-date inventory of external components that may require ongoing security maintenance over the course of the product lifecycle
How Astra Security Can Help
Astra Security provides complete solutions to implement and simplify the CRA compliance journey. Our compliance-first approach blends continuous vulnerability scanning with penetration testing services and the power of AI to help your team discover, understand, reproduce, and patch security gaps before products reach the market.
With sandbox testing for staging and production environments, autonomous pentesting spanning 15,000+ test cases, an Attack AI trained on 5,500+ daily detections, and vulnerabilities classified by compliance, impact, and business considerations, all packed into an intuitive CXO-friendly dashboard, Astra Security simplifies pentesting for CXOs and engineers alike.
Our security experts evaluate solutions (web, app, API, cloud, IoT, network, and more) against the CRA’s critical requirements, providing the comprehensive documentation required for conformity assessments, while our automated monitoring finds vulnerabilities in real time, enabling the rapid incident response needed to meet the CRA’s 24-hour early-warning notification mandate.
Final Thoughts
The EU Cyber Resilience Act is a landmark piece of legislation that will transform how digital products are created, secured, and sustained across European markets. Its risk-based classification system tailors the compliance route: self-assessment for default-category products and third-party evaluation for higher-risk classifications.
Succeeding under the CRA requires both technical know-how and systematic processes, in addition to continuous diligence. Astra Security enables faster, better CRA compliance with the right tools, expertise, and support. Contact Astra Security for a consultation on the EU cybersecurity standards your products will need to meet before they come into force.
FAQs
When will the EU Cyber Resilience Act (CRA) be implemented?
The Cyber Resilience Act was adopted in 2024 and entered into force on December 10, 2024. Key obligations begin in 2026, with full enforcement on December 11, 2027, when all CRA requirements become mandatory across the EU.