Accueil de l'Académie
Blogs
What is CRA? Introduction to Cyber Resilience Act requirements
Fait partie de la collection ISO 27001
Fait partie de la collection NIS2

What is CRA? Introduction to Cyber Resilience Act requirements

Collection ISO 27001
What is CRA? Introduction to Cyber Resilience Act requirements
Collection NIS2
What is CRA? Introduction to Cyber Resilience Act requirements
Cyberday blog
What is CRA? Introduction to Cyber Resilience Act requirements

The Cyber Resilience Act (CRA) is an EU regulation setting mandatory cybersecurity requirements for digital products and connected devices placed on the EU market. Its aim is to close the gap where many products are shipped with little or no built-in security, leaving users exposed to exploitation.

CRA applies across the entire product lifecycle, from development and design to post-market monitoring, maintenance, and updates. It directly targets manufacturers, importers, and distributors, shifting cybersecurity responsibility to those placing digital products on the market. This makes CRA different from regulations like GDPR or NIS2, which focus on data protection and service-level security.

What does CRA stand for?

CRA stands for Cyber Resilience Act, a binding EU regulation adopted in 2024. Its purpose is to ensure that all hardware and software with digital elements come with built-in cybersecurity, and that vendors remain responsible for product security over time. It establishes a harmonized set of rules across the EU, replacing fragmented national approaches.

What does CRA require?

CRA introduces cybersecurity obligations across the full product lifecycle, with a mix of pre-market and post-market controls. Key CRA requirements include:

  • Secure-by-design and default: Products must minimize vulnerabilities and be secure out of the box, with strong default configurations.
  • Vulnerability handling: Manufacturers must set up clear processes to receive, assess, and fix vulnerabilities, including coordination with security researchers.
  • Security updates: Ongoing support is required for the product’s expected lifecycle, including timely delivery of patches.
  • Incident reporting: Exploited vulnerabilities and security incidents must be reported to ENISA within 24 hours.
  • Technical documentation: Includes a risk assessment, conformity assessment, and a declaration of compliance.
  • Post-market monitoring: Vendors must track emerging threats and product behavior after sale and take action as needed.
  • CE marking for cybersecurity: Products must carry a CE marking that confirms they meet CRA cybersecurity standards.
  • Conformity assessments:
    • Class I (standard products): Self-assessment allowed.
    • Class II (critical products): Third-party audits are required (e.g. operating systems, password managers, firewalls).

CRA product classification examples

The CRA introduces two product classes based on cybersecurity risk:

  • Class I (standard products): Lower criticality. Self-assessment allowed.
  • Class II (critical products): Higher risk. Third-party conformity assessment required.

Below are example classifications to help organizations understand where their products may fall:

Product type Example Likely CRA class Notes
Consumer IoT Smart light bulb Class I Low impact if compromised, unless part of critical systems
Wearables Fitness tracker Class I Usually not critical, but check if health-related
Industrial PLC (programmable logic controller) Class II Direct control over critical infrastructure
Operating systems Embedded Linux for routers Class II High exploitation risk, part of network core
Developer tools CI/CD pipeline tools Class II If exploited, may affect multiple systems
Productivity apps Note-taking or calendar apps Class I Low criticality, but must still meet all baseline CRA requirements
Security software Password manager, firewall, antivirus Class II Specifically listed as critical by the CRA
Communication tools Video conferencing app Class I or II Depends on encryption, data sensitivity, and use cases
Connected vehicles Vehicle software Excluded Covered under separate EU automotive regulation
Health devices Smart insulin pump Excluded Covered under Medical Device Regulation (MDR)

Tip: Even Class I products still need to meet all baseline CRA requirements, just with a simpler assessment process. Critical Class II products require more rigorous compliance steps.

Start your 14-day free trial

Start your free trial today. No credit card required. Full access, zero risk. Cancel anytime.

Commencer un essai gratuit

How CRA improves product security and why it matters

The Cyber Resilience Act improves product security by making cybersecurity a built-in responsibility throughout the product lifecycle. It requires manufacturers to adopt secure-by-design and default practices, manage vulnerabilities systematically, and respond quickly to security incidents. These obligations reduce the chances of insecure products reaching users and help prevent isolated flaws from becoming large-scale exploitation risks.

By shifting accountability to manufacturers, importers, and distributors, CRA ensures that security is no longer optional or deferred—it becomes part of product quality and legal compliance.

Organizations that comply with CRA benefit from:

  • Fewer vulnerabilities through structured development and testing practices
  • Faster incident response via mandatory vulnerability handling and reporting
  • Stronger vendor and supply chain trust, especially in regulated industries
  • Regulatory clarity thanks to a unified EU-wide compliance standard
  • Market advantage, as secure, CRA-compliant products become more desirable to B2B buyers and public sector customers

Overall, CRA raises the cybersecurity baseline for digital products and creates both legal accountability and competitive opportunity.

Global comparisons

CRA shares goals with other global frameworks but differs in scope and enforcement:

Region Law Focus CRA Comparison
USA IoT Cybersecurity Improvement Act Public-sector procurement only CRA is broader, mandatory for all digital products
UK Product Security and Telecommunications Infrastructure Act (PSTI) Focused on consumer IoT CRA includes industrial and software products
Global ISO/IEC 27001 / 62443 / 30111 Voluntary or sector-specific CRA mandates lifecycle controls for all

CRA best practices and common challenges

Best practices from early adopters:

  • Integrating secure coding into SDLC
  • Automating vulnerability scanning and triage
  • Building Product Security Incident Response Teams (PSIRTs)
  • Creating reusable technical documentation templates
  • Using platforms like Cyberday to assign responsibilities and collect evidence

Common challenges:

  • Retrofitting older products with no security baseline
  • Budgeting for long-term patching and support
  • Understanding overlap with CE marking and Radio Equipment Directive
  • Managing multiple conformity assessment processes
CRA in action

FAQs

Is CRA mandatory?

Yes. CRA is a binding EU regulation. Once enforcement begins, compliance is mandatory for all applicable products placed on the EU market.

Why is CRA important?

CRA brings legal accountability to product vendors and closes the long-standing gap in cybersecurity regulation for connected devices and software. It helps reduce EU-wide risk from insecure products and ensures vendors build security from the start.

Who needs to comply with CRA?

CRA applies to:

  • Manufacturers, importers, and distributors of digital products
  • Products with digital elements, including:
    • IoT devices
    • Mobile and desktop apps
    • Embedded systems
    • Operating systems
    • Industrial control software

Excluded: Products already covered by specific EU sectoral laws (e.g., medical devices, automotive, aviation).

When is CRA in effect?

CRA entered into force on December 10, 2024. Key deadlines:

  • September 2025: ENISA receives national implementation plans.
  • September 2026: Incident reporting obligations become enforceable.
  • December 2027: Full obligations apply. After this, all in-scope products must be CRA-compliant.

Is CRA supported in Cyberday?

Yes. CRA is available to work in Cyberday. The platform includes:

  • CRA-specific tasks and controls
  • Secure development and update support
  • Technical documentation templates
  • Vulnerability and incident response workflows
  • Continuous updates as guidance evolves

Contenu de l'article

Partager l'article