CRA

Regulation on horizontal cybersecurity requirements for products with digital elements

EU 2024/2847Active — In force since 10 December 2024

The Cyber Resilience Act introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market. It establishes obligations for manufacturers, importers, and distributors across the entire product lifecycle, with phased enforcement through December 2027.

Articles

Annexes

EUR 15M

Max Fine

Dec 2027

Full Enforcement

Implementation Timeline

10 December 2024

Regulation entered into force

11 June 2026

Conformity assessment body notification obligations apply (Chapter IV)

11 September 2026

Manufacturer reporting obligations begin - vulnerability and incident reporting to ENISA (Art. 14)

11 December 2027

Full application - all essential cybersecurity requirements and CE marking mandatory

11 June 2028

Transition period ends for existing EU type-examination certificates

Who's In Scope

Default Products (~90%)

All products with digital elements not listed in Annex III or IV
Conformity: internal control (self-assessment)

Important Products - Class I (Annex III)

Web browsers
Password managers
VPN tools
Connected toys and smart home devices (locks, cameras, baby monitors, alarm systems)
Operating systems
Routers, modems, switches
SIEM systems, identity/PAM systems
Conformity: third-party assessment required

Important Products - Class II (Annex III)

Firewalls
Intrusion detection/prevention systems
Tamper-resistant microprocessors
Conformity: mandatory third-party assessment

Critical Products (Annex IV)

Hardware devices with security boxes
Smart meter gateways
Smartcards and secure elements
Conformity: mandatory third-party assessment; EU cybersecurity certification may be required

Key Requirements

Art. 13, Annex I

Essential Cybersecurity Requirements

Products must be designed and developed with minimal vulnerabilities, include automatic security update mechanisms, and undergo risk assessments. Security by design and by default.

Art. 14

Vulnerability & Incident Reporting

Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours. Applies from 11 September 2026. Requires Software Bill of Materials (SBOM) and real-time vulnerability monitoring.

Art. 13

Software Bill of Materials (SBOM)

Manufacturers must identify and document components in machine-readable format, covering at least top-level dependencies. Internal document - not required to be published.

Art. 13

Security Updates

Security updates must be provided for a minimum of 5 years from date of placing on market, or throughout expected product lifetime if shorter.

Annex V-VI

CE Marking & Declaration of Conformity

Products must display CE marking to indicate conformity. Mandatory from 11 December 2027 - products without CE mark cannot be legally sold in the EU.

Penalties & Enforcement

Tier 1 - Essential requirement violations

EUR 15M or 2.5% global turnover

Non-compliance with Annex I essential cybersecurity requirements and obligations under Art. 13 and Art. 14 (Art. 64).

Tier 2 - Other obligation breaches

EUR 10M or 2% global turnover

Non-compliance with obligations under Art. 18-23, Art. 28, Art. 30-33, Art. 39, 41, 47, 49, 53 (Art. 64).

Tier 3 - False/misleading information

EUR 5M or 1% global turnover

Supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities (Art. 64).

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for CRA.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your CRA compliance posture and build a practical roadmap.

Get Started

CRA

Regulation on horizontal cybersecurity requirements for products with digital elements

EU 2024/2847Active — In force since 10 December 2024

Implementation Timeline

10 December 2024

Regulation entered into force

11 June 2026

Conformity assessment body notification obligations apply (Chapter IV)

11 September 2026

Manufacturer reporting obligations begin - vulnerability and incident reporting to ENISA (Art. 14)

11 December 2027

Full application - all essential cybersecurity requirements and CE marking mandatory

11 June 2028

Transition period ends for existing EU type-examination certificates

Who's In Scope

Default Products (~90%)

All products with digital elements not listed in Annex III or IV
Conformity: internal control (self-assessment)

Important Products - Class I (Annex III)

Web browsers
Password managers
VPN tools
Connected toys and smart home devices (locks, cameras, baby monitors, alarm systems)
Operating systems
Routers, modems, switches
SIEM systems, identity/PAM systems
Conformity: third-party assessment required

Important Products - Class II (Annex III)

Firewalls
Intrusion detection/prevention systems
Tamper-resistant microprocessors
Conformity: mandatory third-party assessment

Critical Products (Annex IV)

Hardware devices with security boxes
Smart meter gateways
Smartcards and secure elements
Conformity: mandatory third-party assessment; EU cybersecurity certification may be required

Key Requirements

Art. 13, Annex I

Essential Cybersecurity Requirements

Products must be designed and developed with minimal vulnerabilities, include automatic security update mechanisms, and undergo risk assessments. Security by design and by default.

Art. 14

Vulnerability & Incident Reporting

Art. 13

Software Bill of Materials (SBOM)

Manufacturers must identify and document components in machine-readable format, covering at least top-level dependencies. Internal document - not required to be published.

Art. 13

Security Updates

Security updates must be provided for a minimum of 5 years from date of placing on market, or throughout expected product lifetime if shorter.

Annex V-VI

CE Marking & Declaration of Conformity

Products must display CE marking to indicate conformity. Mandatory from 11 December 2027 - products without CE mark cannot be legally sold in the EU.

Penalties & Enforcement

Tier 1 - Essential requirement violations

EUR 15M or 2.5% global turnover

Non-compliance with Annex I essential cybersecurity requirements and obligations under Art. 13 and Art. 14 (Art. 64).

Tier 2 - Other obligation breaches

EUR 10M or 2% global turnover

Non-compliance with obligations under Art. 18-23, Art. 28, Art. 30-33, Art. 39, 41, 47, 49, 53 (Art. 64).

Tier 3 - False/misleading information

EUR 5M or 1% global turnover

Supply of incorrect, incomplete or misleading information to notified bodies and market surveillance authorities (Art. 64).