Understanding the regulation
What is the EU Cyber Resilience Act?
Regulation 2024/2847 is the first horizontal EU law setting binding cybersecurity rules for any product sold with digital elements. Here's the regulation, decoded.
What are "products with digital elements"?
The CRA defines a product with digital elements as any software or hardware product, plus its remote data-processing solutions, whose intended purpose includes a direct or indirect logical or physical data connection to a device or network.
That definition is intentionally broad. It captures essentially the entire commercial digital ecosystem sold into the EU — from a free Android app to an industrial PLC.
Examples in scope
- Mobile applications (Android, iOS) sold or distributed in the EU
- Web-based SaaS that ships a downloadable client or browser extension
- Smart-home and consumer IoT (cameras, locks, thermostats, smart speakers)
- Industrial control systems and operational-technology software
- Operating systems, firmware, microcontrollers, and embedded software
- Open-source software with commercial intent (see the OSS section)
Examples out of scope
- Pure-cloud SaaS that doesn't ship any client component (covered by NIS2 instead)
- Products already regulated by sector-specific EU rules (medical devices, aviation, cars)
- Non-commercial open source — hobbyist projects without a commercial revenue stream
- Products covered by the General Product Safety Regulation only
Risk-based categorisation
The Three Product Categories
Annex III lists products that are "important" (Class I) or "critical" (Class II). Everything not on those lists is a default product. Your category determines the conformity assessment route.
Default
~90% of products with digital elements fall here, the vast majority. The manufacturer self-assesses against the essential requirements, draws up a Declaration of Conformity, and applies CE marking.
- Most mobile apps
- Most SaaS
- Smart home gadgets
- Productivity software
Internal production control (Module A) — no notified body required.
Class I — Important
~9% of products. Products that perform a function critical to cybersecurity or whose failure may lead to risk. Self-assessment is allowed only when fully harmonised standards are applied; otherwise a notified body is required.
- Password managers
- VPN clients
- Identity management
- Network management
- Microcontrollers
Module A (with full harmonised standards) or Module B + C / Module H — third-party assessment.
Class II — Critical
~1% of products. Products with the highest cybersecurity risk profile. Mandatory third-party conformity assessment by a notified body; self-assessment is not permitted.
- HSMs and smart cards
- Smart-meter gateways
- Industrial firewalls
- Critical infrastructure components
Module B + C or Module H — full third-party certification.
Annex I, Part I
The 21 Essential Requirements
Every product with digital elements must meet these requirements. The list comes directly from Annex I of Regulation 2024/2847 — paraphrased here for readability.
- 01 Designed and developed to ensure an appropriate level of cybersecurity for the intended use.
- 02 Delivered without any known exploitable vulnerabilities.
- 03 Delivered with a secure-by-default configuration, including the option to reset to factory state.
- 04 Protect from unauthorised access via authentication, identity, or access management.
- 05 Protect the confidentiality of data (encryption at rest and in transit where appropriate).
- 06 Protect the integrity of stored, transmitted, and processed data.
- 07 Process only data that is adequate, relevant, and limited (data minimisation).
- 08 Protect the availability of essential and basic functions, including resilience to DoS attacks.
- 09 Minimise their negative impact on the availability of services provided by other devices or networks.
- 10 Limit attack surfaces, including external interfaces.
- 11 Reduce the impact of incidents using appropriate exploitation-mitigation mechanisms.
- 12 Provide security-related information by recording and monitoring relevant activity.
- 13 Make it possible for users to remove all data and settings securely.
- 14 Identify and document vulnerabilities and components, including by producing an SBOM.
- 15 Address and remediate vulnerabilities without delay, including by providing security updates.
- 16 Apply effective and regular tests and reviews of the security of the product.
- 17 Once a security update is available, share information about fixed vulnerabilities.
- 18 Enforce a coordinated vulnerability disclosure policy.
- 19 Provide mechanisms to securely distribute security updates.
- 20 Ensure that updates can be disseminated in a timely manner, free of charge, and with clear advisory messages.
- 21 Provide a contact address for the reporting of vulnerabilities discovered in the product.
Conformity assessment
From compliance to CE marking
Conformity assessment is the structured process of demonstrating that your product meets the essential requirements. The CRA permits four modules:
- Module A — Internal production control (self-assessment).
- Module B + C — EU type-examination plus conformity to type.
- Module H — Full quality assurance with notified body oversight.
- European cybersecurity certification scheme — where one exists.
Default products can use Module A. Class I products may use Module A only when fully harmonised standards are applied; otherwise they need a notified body. Class II products always need a notified body.
CE marking & DoC
Declaration of Conformity & CE
Once conformity is established, the manufacturer:
- Draws up an EU Declaration of Conformity (DoC) per Annex V.
- Affixes the CE marking visibly to the product, packaging, or accompanying documents.
- Keeps the technical documentation for 10 years after placing the product on the market.
- Maintains a coordinated vulnerability disclosure policy and the SBOM internally.
The DoC must be machine-readable for products placed on the EU market — typically published as a downloadable PDF on the product page.
Free Compliance Assessment
Is Your Product CRA Ready?
Get a free personalised CRA compliance briefing for your specific product type — delivered to your inbox. No spam, no sales calls.
- Understand your exact product category (default, Class I, or Class II)
- Get a checklist of your specific obligations and deadlines
- Receive guidance on SBOM, vulnerability management, and reporting
- Early access to our CRA Compliance Manager tool (launching 2026)
- Weekly CRA news digest: ENISA updates, regulatory guidance