Cyber Resilience Act Consulting
CRA Compliance

EU Cyber Resilience Act

The Cyber Resilience Act sets new cybersecurity requirements for manufacturers of products with digital elements in the EU. We guide you through complete CRA implementation.

The Cyber Resilience Act: Scope and Who It Affects

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the first horizontal EU product regulation to impose binding cybersecurity requirements on hardware and software. It applies to "products with digital elements": any software or hardware product, together with its remote data processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Affected parties are manufacturers, importers and distributors of connected devices, standalone software, IoT products, industrial control systems, routers and smart home devices. Cloud back-ends and SaaS components are in scope only where the product could not perform one of its functions without them; pure SaaS offerings fall under NIS2 instead.

The CRA sorts products into categories that fix the conformity assessment route. Default products, the large majority, are self-assessed by the manufacturer. "Important products" listed in Annex III are split into Class I (for example operating systems, browsers, password managers, routers, modems and switches, and identity and privileged access management software) and Class II (for example hypervisors and container runtimes, firewalls and intrusion detection or prevention systems, and tamper-resistant microprocessors and microcontrollers). Class I products may still be self-assessed if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body must be involved. Class II products always require third-party assessment. "Critical products" in Annex IV (such as smart meter gateways, smartcards and secure elements, and hardware devices with security boxes) may additionally be required by delegated act to hold a European cybersecurity certificate. Correctly classifying each product is the first and most important step, because the class decides the assessment route and most of the compliance cost.

The transition deadlines are fixed in the regulation: the provisions on notified bodies apply from 11 June 2026, the vulnerability and incident reporting obligations from 11 September 2026, and the full set of requirements from 11 December 2027. Non-compliance with the essential requirements can be fined up to EUR 15 million or 2.5 % of worldwide annual turnover, whichever is higher, and non-compliant products can be withdrawn or recalled and lose their CE marking, and with it access to the single market. For export-oriented manufacturers, CRA compliance is not a regulatory option but a business prerequisite.

Secure Development Lifecycle: What the CRA Requires from Development

The CRA enshrines security-by-design as a binding principle: the essential requirements in Annex I Part I demand that products are delivered without known exploitable vulnerabilities, ship in a secure-by-default configuration, protect against unauthorised access, limit their attack surface and process only the data that is necessary. Manufacturers must therefore consider security from the first design decision, as an integral part of the development process rather than an afterthought at patch level. In practice this means structured threat modelling, secure coding practices, code reviews and automated security tests in the CI/CD pipeline, together with the documented cybersecurity risk assessment that Article 13 requires to be kept current throughout the support period.

One of the concrete CRA requirements is vulnerability handling across the entire product lifecycle (Article 13 and Annex I Part II), including a coordinated vulnerability disclosure policy and a contact address for reporting vulnerabilities. Manufacturers must also notify any actively exploited vulnerability in their products, and any severe incident affecting the product's security, through the single reporting platform operated by ENISA. The notification goes to the CSIRT designated as coordinator in the Member State where the manufacturer is established and to ENISA, in three steps: an early warning within 24 hours of becoming aware, a vulnerability notification with general information, severity and any available corrective measures within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Meeting a 24-hour clock requires manufacturers to systematically monitor which vulnerabilities arise in their products and their dependencies.

Security updates must be provided free of charge for the whole support period. That period must reflect the time the product is expected to be in use and must be at least five years unless a shorter period of use is expected; each security update must then remain available for at least ten years after it was issued or for the remainder of the support period, whichever is longer. This is a significant challenge for many IoT manufacturers whose existing business models relied on end-of-support as a driver for new device purchases.

SBOM: Software Transparency as a CRA Requirement

A Software Bill of Materials (SBOM) is a machine-readable inventory of the software components in a product: libraries, frameworks, runtime environments and their dependencies. Annex I Part II of the CRA requires manufacturers to identify and document the vulnerabilities and components in their products, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the top-level dependencies. The SBOM forms part of the technical documentation that market surveillance authorities can demand; the regulation does not require it to be published, although B2B customers increasingly ask for it. Its purpose is to make known vulnerabilities in the components used identifiable.

The relevant SBOM formats are SPDX (ISO/IEC 5962:2021) and CycloneDX (ECMA-424), both open standards supported by common build systems and CI/CD platforms. The real challenge is not generating an SBOM but continuously matching it against public vulnerability databases (NVD, OSV, GHSA), recording the outcome of each match in a machine-readable VEX statement, and integrating the results into an actionable vulnerability management process.

We integrate SBOM generation and vulnerability monitoring into your existing development pipeline: automated SBOM creation as a build step, continuous matching against current vulnerability data, alerting on new CVEs prioritised by severity and exploitability (CVSS, EPSS, known-exploited-vulnerability lists), and a documented process for risk decisions and remediation, with "not affected" decisions captured as VEX statements so that they are not re-triaged at every build. This creates not only CRA compliance but real security value.
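As an added example (not the consultancy's tooling and not code from this page), the following Python script walks the pipeline just described offline: it parses package URLs out of a CycloneDX SBOM, builds the request body the OSV querybatch endpoint expects, evaluates OSV version ranges against the installed versions, and then applies CycloneDX VEX analysis states so that a documented "not affected" decision suppresses one finding while the rest stay open. The SBOM, the OSV records (placeholder IDs OSV-EXAMPLE-000x) and the VEX decision are all constructed sample data; only the shapes of the data structures follow the real CycloneDX and OSV schemas.

```python
"""Match a CycloneDX SBOM against OSV-style records and apply CycloneDX VEX analysis states.
All SBOM, vulnerability and VEX data below is constructed: placeholder IDs, no real advisories."""

SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [  # constructed
    {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "group": "golang.org/x", "name": "crypto", "version": "0.16.0",
     "purl": "pkg:golang/golang.org/x/crypto@0.16.0"},
]}

SAMPLE_OSV_RECORDS = [  # constructed OSV-format records; the IDs are placeholders
    {"id": "OSV-EXAMPLE-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.31.0"}]}]}]},
    {"id": "OSV-EXAMPLE-0002", "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "OSV-EXAMPLE-0003", "affected": [{"package": {"ecosystem": "Go", "name": "golang.org/x/crypto"},
     "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "0.17.0"}]}]}]},
]

# Constructed CycloneDX VEX "analysis" object: the documented risk decision for one finding.
SAMPLE_VEX_ANALYSIS = {"OSV-EXAMPLE-0003": {
    "state": "not_affected", "justification": "code_not_reachable",
    "detail": "the vulnerable function is not linked into the firmware image"}}

PURL_TYPE_TO_ECOSYSTEM = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io"}
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

def parse_purl(purl):
    """pkg:type/namespace/name@version?qualifiers#subpath -> (OSV ecosystem, name, version)."""
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    ptype, _, name = path.partition("/")
    return PURL_TYPE_TO_ECOSYSTEM.get(ptype, ptype), name, version

def parse_components(sbom):
    comps = []
    for c in sbom.get("components", []):
        if "purl" in c:  # components without a purl cannot be matched by name and version
            eco, name, version = parse_purl(c["purl"])
            comps.append({"purl": c["purl"], "ecosystem": eco, "name": name, "version": version})
    return comps

def build_osv_querybatch(components):
    """Request body in the shape expected by the OSV API's POST /v1/querybatch endpoint."""
    return {"queries": [{"package": {"name": c["name"], "ecosystem": c["ecosystem"]},
                         "version": c["version"]} for c in components]}

def version_key(v):
    """Dotted-numeric comparison key; non-numeric parts count as 0 (adequate for this sample)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.lstrip("v").split("."))

def is_affected(version, affected):
    """Evaluate an OSV 'affected' entry: explicit versions plus introduced/fixed/last_affected events."""
    if version in affected.get("versions", []):
        return True
    key = version_key(version)
    for rng in affected.get("ranges", []):
        if rng["type"] not in ("ECOSYSTEM", "SEMVER"):
            continue  # GIT ranges need commit ancestry, not version arithmetic
        intro = None
        for ev in rng["events"]:
            if "introduced" in ev:
                intro = version_key(ev["introduced"])
            elif intro is not None and ("fixed" in ev or "last_affected" in ev):
                below_upper = (key < version_key(ev["fixed"]) if "fixed" in ev
                               else key <= version_key(ev["last_affected"]))
                if intro <= key and below_upper:
                    return True
                intro = None
        if intro is not None and intro <= key:
            return True  # introduced but never fixed: open-ended range
    return False

def first_fix(version, affected):
    """Smallest fixed version above the installed one, or None when no fix is published."""
    fixes = [ev["fixed"] for rng in affected.get("ranges", []) for ev in rng["events"]
             if "fixed" in ev and version_key(ev["fixed"]) > version_key(version)]
    return min(fixes, key=version_key) if fixes else None

def match_components(sbom, records):
    """Join SBOM components with OSV records on (ecosystem, name) and test the version range."""
    findings = []
    for comp in parse_components(sbom):
        for rec in records:
            for aff in rec["affected"]:
                if ((aff["package"]["ecosystem"], aff["package"]["name"]) ==
                        (comp["ecosystem"], comp["name"]) and is_affected(comp["version"], aff)):
                    findings.append({"purl": comp["purl"], "id": rec["id"],
                                     "fixed": first_fix(comp["version"], aff)})
    return findings

def triage(findings, vex):
    """Keep findings that no documented VEX decision has closed; these need remediation."""
    return [f for f in findings if vex.get(f["id"], {}).get("state") not in CLOSED_STATES]

if __name__ == "__main__":
    for f in triage(match_components(SAMPLE_SBOM, SAMPLE_OSV_RECORDS), SAMPLE_VEX_ANALYSIS):
        print(f"OPEN {f['id']} in {f['purl']} (fixed in {f['fixed']})")
```

Two details matter in practice. The lodash component sits exactly on the `fixed` boundary, so it is correctly reported as not affected: OSV ranges are half-open, and a matcher that uses `<=` produces a false positive on every patched version. The VEX decision for the Go component is what turns a noisy scanner into a CRA-grade process: the decision, its justification and its author are recorded once and re-applied on every build, and the remaining open finding carries the first fixed version so the remediation ticket can state the target upgrade. In a live pipeline the output of `build_osv_querybatch` would be posted to the OSV API and the returned record IDs resolved and fed through the same `is_affected` logic.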

What We Deliver

  • CRA scope analysis and product classification
  • Secure development lifecycle assessment
  • SBOM implementation in CI/CD pipelines
  • Vulnerability management and disclosure processes
  • ENISA reporting coordination
  • CE conformity assessment and technical documentation

Key Outcomes

  • EU market access secured from December 2027
  • Product liability risk management
  • Early detection of critical dependency vulnerabilities
  • Trust with B2B customers and public procurers

Related Service

SBOM & Dependency Management

SBOM is a core CRA requirement. Automate SBOM generation and continuous CVE monitoring.

CRA Consultation

Discuss your product portfolio and CRA implementation path.

Get in Touch

Frequently Asked Questions

Does the Cyber Resilience Act apply to software products?

Yes. The CRA applies to "products with digital elements": software or hardware products, and their remote data processing solutions, that are placed on the EU market and whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Standalone software, including downloadable applications, is in scope on the same footing as firmware shipped inside a device. Pure SaaS is out of scope and falls under NIS2 instead, unless it is a remote data processing solution without which the product could not perform one of its functions. Free and open-source software that is not monetised is largely exempt, and products already covered by sector-specific rules (for example medical devices, motor vehicles and civil aviation) are excluded. The decisive criteria are therefore the data connection and the placing on the market, not the kind of data the product processes. A product classification analysis is the correct starting point.

What are the CRA vulnerability reporting obligations?

Manufacturers must notify any actively exploited vulnerability in their products, and any severe incident affecting the product's security, to the CSIRT designated as coordinator in their Member State and to ENISA via the single reporting platform (Article 14). Three deadlines apply: an early warning within 24 hours of becoming aware, a vulnerability notification with general information, severity and any available corrective measures within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure becomes available (for incidents, one month after the notification). Manufacturers must also inform the affected users, and where appropriate all users, about the vulnerability and the corrective measures. Meeting these deadlines requires effective vulnerability intake and triage processes and continuous monitoring of public vulnerability databases for the software components in the product; the SBOM is the enabling tool for that monitoring.

What is the CRA product classification, and how is it determined?

The CRA uses three categories. Default products (the majority of connected products) are self-assessed by the manufacturer. Important products (Annex III) come in two classes. Class I, for example identity and privileged access management software, browsers, password managers, network switches, routers and operating systems, can still be self-assessed if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme, and otherwise needs a notified body. Class II, for example hypervisors, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors, always requires third-party assessment. Critical products (Annex IV), such as smart meter gateways, smartcards and secure elements, may be required by delegated act to obtain a European cybersecurity certificate. Classification is based on Annexes III and IV of the regulation and should be determined with legal and technical advice, since it decides the assessment route and much of the compliance cost.

What is the CRA implementation timeline?

The CRA entered into force on 10 December 2024. The key deadlines: the provisions on notified bodies apply from 11 June 2026; manufacturers must comply with the vulnerability and incident reporting obligations from 11 September 2026; the full product requirements (secure by design, SBOM, update obligations, conformity assessment) apply from 11 December 2027. Products placed on the market before 11 December 2027 become subject to the full requirements only if they are substantially modified after that date, but the reporting obligations apply to them regardless. Manufacturers who begin CRA preparation now will have a significant compliance advantage when the deadlines arrive.

How does the CRA interact with other regulations?

The CRA interacts with several parallel regulatory frameworks. The Radio Equipment Directive's Delegated Regulation (EU) 2022/30 already imposes cybersecurity requirements on many wireless devices and applies from 1 August 2025; the CRA is designed to replace it once its own requirements apply, so RED evidence gathered now should be structured for reuse. NIS2 applies to entities rather than products: a manufacturer may itself be an essential or important entity, and customers who are NIS2 entities must manage their supply chain security, so CRA conformity is what they will ask their suppliers for. The EU AI Act applies to AI components within CRA-covered products; for high-risk AI systems that are also products with digital elements, meeting the CRA's essential requirements counts as meeting the AI Act's cybersecurity requirement (CRA Article 12). We map these overlaps explicitly in our CRA implementation projects to avoid duplicated compliance effort.

Get in Touch

Cyber Resilience Act Compliance

Secure EU market access for your connected products – from product classification through SBOM integration to conformity assessment.