EU Cyber Resilience Act (CRA)
If you make or sell digital products in Europe (software, IoT devices, smart appliances, apps), the CRA requires you to build in cybersecurity from day one. Products without proper security can't enter the EU market after October 2027.
The CRA in Plain English
The Cyber Resilience Act is the EU's new law that says any product with software sold in Europe must be secure by design. Think of it as a safety requirement for digital products - just like cars need seatbelts, digital products need cybersecurity.
Start Here - Pick What Fits You Best
Choose your path based on your situation and timeline
Quick Assessment
Find out if CRA applies to your products in 5 minutes
Browse CRA Articles
Read all 113 CRA articles with highlights and notes
Product Check
Check specific products against CRA requirements
Download Checklist
Get a complete CRA compliance checklist to work offline
Step-by-Step Guide
Follow our detailed implementation roadmap
Get Expert Help
Work with our compliance specialists
Learn the Timeline
Understand key dates and deadlines
Your 6-Step Path to CRA Compliance
Follow these steps to achieve full compliance. Each step builds on the previous one, creating a comprehensive compliance program.
1. Figure Out What You Need to Do
Check which of your products need to follow CRA rules and how strict they need to be
2. Build Security Into Your Product
Make your products secure from the beginning, not as an afterthought
3. Set Up Your Security Processes
Create systems to handle security problems when they happen
4. Create the Required Paperwork
Write the official documents that prove your product follows CRA rules
5. Test That Everything Works
Prove your product actually meets all the security requirements
6. Keep It Secure Forever
Monitor and maintain your product's security for years after you sell it
What CRA Actually Requires You to Do
Security by Design
Build security into products from the start
- Threat modeling
- Secure coding
- Security testing
Vulnerability Handling
Handle security issues throughout product lifecycle
- Bug reporting
- Coordinated disclosure
- Security updates
Documentation
Provide clear security information to users
- Technical documentation
- EU declaration
- User guidance
Risk Assessment
Classify products by cybersecurity risk level
- Risk classification
- Impact analysis
- Mitigation measures
Supply Chain Security
Ensure third-party components are secure
- Component inventory
- Supplier assessment
- SBOM generation
CE Marking
Affix CE marking and provide conformity declarations
- Conformity assessment
- CE marking placement
- Declaration of conformity
Free CRA Compliance Tools
Gap Analysis Tool
Find out exactly what you need for CRA compliance
Product Checker
Check if your products are covered by CRA
Compliance Checklist
Step-by-step CRA requirements checklist
Documentation Templates
EU declaration and technical documentation templates
Risk Classifier
Determine your product's risk class (normal/important/critical)
SBOM Generator
Create software bill of materials for your products
Common CRA Questions
What products are covered by CRA?
CRA covers any product with digital elements sold in the EU:
- Software products (apps, operating systems, etc.)
- Hardware with embedded software (IoT devices, smart appliances)
- Connected products (anything that connects to a network)
- Digital services that are part of a physical product
What's the difference between risk classes?
CRA classifies products into three risk levels:
- Normal risk: Basic security requirements, self-assessment
- Important risk: Enhanced requirements, third-party assessment
- Critical risk: Strictest requirements, notified body assessment
What if my product is already CE marked?
Existing CE marking doesn't cover CRA requirements. You'll need to:
- Add cybersecurity requirements to your conformity assessment
- Update your EU declaration of conformity
- Ensure your technical documentation covers CRA requirements
- You may be able to use existing quality management processes
What about open source components?
CRA applies to manufacturers who place products on the EU market:
- If you sell a product using open source, you're responsible for CRA compliance
- Open source developers are generally not liable unless they commercialize
- You must identify and track all open source components (SBOM)
- Consider the security posture of your open source dependencies
When do I need to start preparing?
Start now, even though CRA takes effect in October 2027:
- Product development cycles can take 1-3 years
- Security-by-design requires early planning
- Documentation and processes take time to implement
- Third-party assessments may have long lead times
Ready to Get CRA Compliant?
You have 3 years to prepare. Start with our free Gap Analysis to understand exactly what you need to do.