Applies from 11 December 2027 (Vulnerability Reporting from 11 September 2026) - Start Preparing Now

EU Cyber Resilience Act (CRA)

If you make or sell products with digital elements in Europe (software, IoT devices, smart appliances, apps), the CRA (Regulation (EU) 2024/2847) requires you to build in cybersecurity from day one. From 11 December 2027, products that do not meet its essential requirements cannot be placed on the EU market. The obligation to report actively exploited vulnerabilities and severe incidents starts earlier, on 11 September 2026.

3 years
Time to prepare
€15M fines
Maximum penalties
3 risk levels
Default, Important (Class I/II), Critical

The CRA in Plain English

The Cyber Resilience Act is the EU's new law that says any product with software sold in Europe must be secure by design. Think of it as a safety requirement for digital products - just like cars need seatbelts, digital products need cybersecurity.

This isn't just about big tech companies. If you make or sell anything with software - from a simple mobile app to a smart thermostat - the CRA applies to you. The law recognizes that cyberattacks are getting worse, and consumers deserve products that are secure from day one.

What makes this different? Unlike voluntary security guidelines, the CRA has legal teeth. You can't just add security as an afterthought. You must build it into your product from the very beginning, document what you've done, and keep your products secure for years after you sell them. It's a fundamental shift from 'security is optional' to 'security is mandatory'.

Relationship to standards: The CRA text does not cite any particular standard. Harmonised standards that will give a presumption of conformity are still being drafted by CEN/CENELEC and ETSI under a Commission standardisation request. Until they are published, established standards are the practical reference: IEC 62443-4-1 and 4-2 for the secure development lifecycle and component requirements; ISO/IEC 27034 (application security) and ISO/IEC 27036 (supplier relationships) alongside an ISO/IEC 27001 management system; ISO/IEC 29147 and 30111 for vulnerability disclosure and handling; and ENISA guidance. Treat them as a way to organise your evidence, not as proof of CRA compliance in themselves.

Applies to hardware with software (smart devices, IoT, connected appliances)
Applies to standalone software (apps, operating systems, firmware) and to the remote data processing a product needs in order to work
Requires security throughout the product lifecycle, with a support period of at least five years unless the product is expected to be in use for less time
Manufacturers responsible for ongoing security updates and vulnerability fixes during the support period
CE marking required to enter EU market (same process as other product safety regulations)
Penalties up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaching the essential requirements
Covers commercial products, including open source software that is placed on the market as part of a commercial activity
Includes supply chain security - you're responsible for exercising due diligence on third-party components
Maps onto ENISA guidance for EU cybersecurity best practices
Maps onto IEC 62443-4-1 and 4-2 for secure development and lifecycle security
Maps onto ISO/IEC 27001, 27034, 27036, 29147 and 30111 for organisational security and vulnerability management

Why CRA Compliance Matters for Your Business

Beyond avoiding penalties, CRA compliance represents a strategic advantage. Companies that implement security by design reduce their risk of costly breaches, build customer trust, and gain competitive differentiation in an increasingly security-conscious market.

85%
reduction in security incidents with proactive compliance
3x
faster time-to-market with early security integration
67%
of customers prefer security-certified products

What CRA Actually Requires You to Do

The CRA establishes essential cybersecurity requirements that apply throughout your product's lifecycle. These aren't just theoretical guidelines—they're practical obligations with legal consequences.

Think of it this way: Just as you need safety standards for physical products (crash tests for cars, fire safety for electronics), the CRA creates mandatory security standards for digital products. Every requirement serves a specific purpose in protecting end users and the broader digital ecosystem.

Core Requirement 1

Security by Design (IEC 62443-4-1)

Build security into products from the start, following IEC 62443-4-1 as a reference lifecycle

This means integrating security considerations from the very first design sketches. No more 'we'll add security later'. Annex I of the CRA spells out what the product itself must deliver: a secure-by-default configuration, no known exploitable vulnerabilities at the time it is placed on the market, access control, protection of the confidentiality and integrity of data, a minimised attack surface, security-relevant logging, and a mechanism for secure updates. Article 13 also requires you to carry out a cybersecurity risk assessment for the product and keep it in the technical documentation.

Specific Requirements:

• IEC 62443-4-1 secure development lifecycle
• Documented cybersecurity risk assessment and threat modeling (Article 13, Annex I)
• ISO/IEC 27034 application security

💡 Practical Tip:

Start by conducting threat modeling sessions during your product planning phase, and keep the output: the risk assessment has to be part of the technical documentation and updated as the product changes. Many teams find Microsoft's STRIDE methodology helpful for systematic threat identification.

Core Requirement 2

Vulnerability Handling (ISO 29147/30111)

Handle security issues per ISO/IEC 29147 and 30111, and meet the CRA's own reporting clock

You must establish a coordinated vulnerability disclosure policy, fix vulnerabilities without undue delay, distribute security updates free of charge for the whole support period, and publish information about fixed vulnerabilities. The CRA also sets hard deadlines (Article 14): once you become aware of an actively exploited vulnerability in your product, you must submit an early warning within 24 hours, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available. Severe incidents affecting the product's security follow a similar timeline. Reports go through ENISA's single reporting platform to your national CSIRT. This isn't just about fixing bugs, it's about professional incident response with a clock running.

Specific Requirements:

• ISO/IEC 29147 disclosure
• ISO/IEC 30111 handling
• Article 14 reporting (24 h / 72 h / 14 days) via ENISA's single reporting platform

💡 Practical Tip:

Set up a security@yourcompany.com email address, publish it in a security.txt file (RFC 9116), and establish internal SLAs that are tighter than the Article 14 deadlines so you have slack for triage. Consider partnering with vulnerability disclosure platforms like HackerOne or Bugcrowd.

Core Requirement 3

Documentation

Provide clear security information to users and keep a complete technical file

Clear, accessible documentation helps users understand security features and configure products safely. This reduces support calls and prevents security misconfigurations that could lead to breaches. Separately from user-facing material, you must keep technical documentation (Annex VII) that shows how the product meets the essential requirements, including the risk assessment and the SBOM, and you must state the end date of the support period clearly at the time of purchase.

Specific Requirements:

• Technical documentation (Annex VII), kept for at least ten years after placing the product on the market or for the support period, whichever is longer
• EU declaration of conformity
• User information and instructions (Annex II), including the support period and how to receive security updates

💡 Practical Tip:

Create user-friendly security guides alongside your regular documentation. Include clear setup instructions, common security mistakes to avoid, and troubleshooting guidance.

Core Requirement 4

Risk Assessment and Product Classification

Know which class your product falls into, and assess its risks

Two different things are often mixed up here. First, the CRA itself classifies products by category: Annex III lists 'important' products (Class I and Class II, for example password managers, firewalls, smart home devices with security functions) and Annex IV lists 'critical' products (for example hardware security modules and smart meter gateways); everything else is in the default category. The class determines the conformity assessment route, not the security requirements, which are the same for all. Second, Article 13 requires every manufacturer to carry out and document a cybersecurity risk assessment for the product, which drives how you apply the Annex I requirements.

Specific Requirements:

• Product classification against Annex III and Annex IV
• Documented cybersecurity risk assessment (Article 13)
• Mitigation measures traced back to the identified risks

💡 Practical Tip:

Check the Annex III and IV lists first; the majority of products land in the default category and can be self-assessed. Then run a product-level risk assessment (threat modeling output feeds straight into it) and document your reasoning, because it is part of the technical file an authority can ask for.

Core Requirement 5

Supply Chain Security (ISO 27036)

Exercise due diligence on third-party components, with ISO/IEC 27036 as a reference for supplier relationships

You're responsible for the security of all components in your product, including third-party libraries, open source dependencies and purchased modules. Article 13 requires due diligence when integrating components, and Annex I Part II requires you to produce a software bill of materials in a commonly used, machine-readable format covering at least the product's top-level dependencies. The SBOM does not have to be public, but it must be in your technical documentation and authorities can ask for it.

Specific Requirements:

• ISO/IEC 27036 supplier security
• IEC 62443-4-2 component requirements
• Machine-readable SBOM covering at least top-level dependencies (Annex I Part II)

💡 Practical Tip:

Implement SBOM tracking from the start, generated by your build pipeline rather than by hand. CycloneDX and SPDX are the two common formats; tools like Syft or Trivy can generate either from a source tree or container image. Then actually consume the SBOM: gate builds on components that lack an identifier or version, because those cannot be matched against advisories later.
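A minimal SBOM gate of the kind described above, as an added example that is not from the page or any of the named tools. It parses a CycloneDX 1.5 JSON document (the sample below is constructed; the package names are fictional) and reports components that cannot be tracked (no version or no purl), components below a constructed internal minimum-version policy, and a missing dependency graph for the product itself. The policy dictionary stands in for whatever your own advisory feed or approved-versions list would supply.

```python
"""Added example: consume a CycloneDX JSON SBOM and apply simple gates.
The SBOM and MIN_VERSIONS are constructed for the example; package names
are fictional and imply no real vulnerability."""
import json

# Constructed CycloneDX 1.5 document describing a fictional firmware build.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "thermostat-fw",
                               "version": "2.3.0", "bom-ref": "app"}},
    "components": [
        {"type": "library", "name": "examplelib", "version": "1.4.2",
         "purl": "pkg:pypi/examplelib@1.4.2", "bom-ref": "c1"},
        # vendored copy with no package URL: cannot be matched to advisories
        {"type": "library", "name": "vendored-parser", "version": "0.9.1", "bom-ref": "c2"},
        # no version recorded at all
        {"type": "library", "name": "tls-shim", "purl": "pkg:generic/tls-shim", "bom-ref": "c3"},
        {"type": "library", "name": "oldcrypto", "version": "2.0.1",
         "purl": "pkg:pypi/oldcrypto@2.0.1", "bom-ref": "c4"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c2", "c3", "c4"]},
    ],
})

# Constructed internal policy: lowest version your security team has approved.
MIN_VERSIONS = {"oldcrypto": "2.1.0"}


def _vtuple(version: str) -> tuple[int, ...]:
    """Dotted version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def check_sbom(sbom_json: str, min_versions: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the SBOM passes."""
    bom = json.loads(sbom_json)
    findings: list[str] = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        return ["not a CycloneDX document"]

    product = bom.get("metadata", {}).get("component")
    if not product:
        findings.append("metadata.component missing: SBOM does not identify the product")

    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        if not version:
            findings.append(f"{name}: no version (cannot be matched to advisories)")
        if not comp.get("purl"):
            findings.append(f"{name}: no purl (no machine-readable identifier)")
        floor = min_versions.get(name)
        if floor and version and _vtuple(version) < _vtuple(floor):
            findings.append(f"{name}: version {version} below policy minimum {floor}")

    # CRA wants at least the top-level dependencies expressed, so the
    # product's own bom-ref must appear in the dependency graph.
    product_ref = product.get("bom-ref") if product else None
    graph_refs = {d.get("ref") for d in bom.get("dependencies", [])}
    if product_ref and product_ref not in graph_refs:
        findings.append("dependency graph has no entry for the product: "
                        "top-level dependencies are not expressed")
    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM, MIN_VERSIONS):
        print("FAIL:", finding)
```

Run against the SBOM your build emits (for Syft, `syft dir:. -o cyclonedx-json`) and fail the pipeline on any finding. The version comparison is deliberately simple; for real ecosystems use the ecosystem's own version semantics (PEP 440, semver, etc.).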

Core Requirement 6

CE Marking

Affix CE marking and draw up the EU declaration of conformity

CE marking for cybersecurity works like CE marking for other product safety aspects. It's your declaration that the product meets the CRA's essential requirements and may be placed on the market. Which conformity assessment route you take depends on the product class: default-category products (and Class I products that fully apply harmonised standards) can be self-assessed; Class II important products need a notified body; critical products need certification under a European cybersecurity certification scheme where one exists.

Specific Requirements:

• Conformity assessment (self-assessment, notified body or certification, depending on class)
• CE marking placement on the product, packaging or accompanying documentation
• EU declaration of conformity, kept with the technical documentation

💡 Practical Tip:

Work out your product class first. If it needs a notified body, engage one early, because the bodies themselves are only being designated from June 2026 and capacity will be tight in the run-up to December 2027. If you can self-assess, the effort goes into the technical file instead.

The Bottom Line

CRA requirements aren't just compliance checkboxes—they represent cybersecurity best practices that protect your customers, your business, and the broader digital ecosystem. Companies that implement these requirements early often find they reduce long-term security costs while building stronger, more trustworthy products.

Common CRA Questions

How do ENISA Guidelines and ISO/IEC standards help with CRA?

The CRA does not mandate any of them, but until harmonised standards are published they are the practical framework for organising your evidence:

  • ENISA guidance offers EU-specific cybersecurity best practices
  • IEC 62443-4-1 and 4-2 define a secure product development lifecycle and component requirements
  • ISO/IEC 27001, with the related ISO/IEC 27034 (application security) and 27036 (supplier relationships), covers organisational security
  • ISO/IEC 29147 and 30111 specify vulnerability disclosure and handling

What products are covered by CRA?

CRA covers any product with digital elements placed on the EU market, meaning a product that can connect directly or indirectly to a device or network:

  • Software products (apps, operating systems, libraries, etc.)
  • Hardware with embedded software (IoT devices, smart appliances)
  • Connected products (anything that connects to a network)
  • Remote data processing that a product needs in order to function (for example a device's cloud backend)

What's the difference between risk classes?

CRA puts every product into one of these classes. The essential security requirements are the same for all; what changes is how you prove conformity:

  • Default category: the large majority of products; manufacturer self-assessment
  • Important products (Annex III): Class I can self-assess if it fully applies harmonised standards, otherwise needs a third party; Class II always needs a notified body
  • Critical products (Annex IV): certification under a European cybersecurity certification scheme where one exists, otherwise third-party assessment

What if my product is already CE marked?

Existing CE marking doesn't cover CRA requirements. You'll need to:

  • Add cybersecurity requirements to your conformity assessment
  • Update your EU declaration of conformity
  • Ensure your technical documentation covers CRA requirements
  • You may be able to use existing quality management processes

What about open source components?

CRA applies to manufacturers who place products on the EU market, so the obligations follow the commercial activity, not the licence:

  • If you sell a product that uses open source, you're responsible for CRA compliance of the whole product
  • Open source developed and supplied outside a commercial activity is out of scope; foundations and similar organisations that support such projects may be 'open-source software stewards' with lighter obligations
  • You must identify and track all open source components in your SBOM
  • Check the security posture of your open source dependencies before you depend on them, and have a plan for patching them during the support period

When do I need to start preparing?

Start now, even though the main obligations only apply from 11 December 2027 (reporting from 11 September 2026):

  • Product development cycles can take 1-3 years
  • Security-by-design requires early planning
  • Documentation and processes take time to implement
  • Third-party assessments may have long lead times

🤝 Still Feeling Overwhelmed?

EU cybersecurity laws can be complex. Our free tools and guides work great for most people, but if you're dealing with something particularly challenging or have tight deadlines, we're here to help.