EU Cyber Resilience Act (CRA)
The Cyber Resilience Act establishes cybersecurity requirements for all products with digital elements (PDEs) placed on the EU market, covering both hardware and software.
Overview
Unlike the Radio Equipment Directive (RED), which focuses on radio equipment, the CRA applies horizontally across almost every connected product category.
Security Across the Full Product Lifecycle
Under the CRA, manufacturers remain responsible for cybersecurity throughout the supported lifetime of the product (typically five years or more).
This includes secure design and secure default configurations (no hardcoded or default passwords), ongoing vulnerability remediation, and security updates throughout the support period.
Cybersecurity is no longer a one-time compliance activity at product launch.
Vulnerability Handling and Transparency
Manufacturers must actively monitor vulnerabilities and report exploited or critical vulnerabilities within 24 hours to national CSIRTs and to ENISA.
Additionally, they are required to maintain and provide a Software Bill of Materials (SBOM) listing software components and dependencies, so that affected products can be identified quickly when a new vulnerability is disclosed.
Key Compliance Timelines
CRA entered into force: December 2024
Vulnerability reporting obligations: September 2026
Full product compliance required: December 2027
