Cyber Resilience Act (CRA)
From 11th December 2027, it will no longer be possible to place products with digital elements on the EU market without meeting CRA requirements and bearing the CE marking. We help manufacturers, importers and distributors set up processes and documentation so that their products obtain the CE marking and remain on the European market.
What is CRA and who is affected by the regulation?
Cyber Resilience Act (CRA) is a European regulation that introduces cybersecurity obligations for products with digital elements placed on the EU market.
CRA requirements concern not only the technical security of the product, but its entire lifecycle: from cybersecurity risk assessment through vulnerability handling, security updates and the support period to technical documentation, conformity assessment and CE marking.
It applies to manufacturers, importers and distributors of products with digital elements.
"We're developing a SaaS platform or mobile app."
If your product communicates with its environment and you make it available on the EU market, it is likely a product with digital elements. Manufacturer obligations will apply to you – from documentation through vulnerability monitoring to conformity assessment.
"We import IoT products from Asia and distribute them to B2B partners."
CRA applies to you as an importer. Your main obligation will be to verify that the manufacturer has met the CRA requirements, check the documentation and CE marking, and add your identification details to the documentation. But beware: if, for example, you place products on the market under your own name or trademark, you may be subject to the same obligations as the manufacturer.
"We are a distributor of digital products for the Czech market."
Distributors also have obligations under the CRA, in particular verifying that the product bears the CE marking, has the required documentation and the contact details of the manufacturer and importer. If you identify non-compliance, you must not continue to place the product on the market. As in the previous point, if, for example, you place products on the market under your own name or trademark, you may be subject to the same obligations as the manufacturer.
"We are a Czech manufacturer of IoT devices and sell to Germany."
CRA applies to you as a manufacturer. You will need to demonstrate that the product was designed in line with security by default principles, prepare a cybersecurity risk analysis and technical documentation, and ensure security updates throughout a support period of at least 5 years.
- Penalties for non-compliance
If a product fails to meet CRA requirements, it faces fines of up to 15 million EUR or 2.5% of global turnover, withdrawal from the market and a sales ban.
- CE marking as a condition
To be placed on the EU market, products with digital elements will have to meet CRA requirements, undergo a conformity assessment and bear the CE marking.
- Products with digital elements
The CRA regulation covers software, hardware, IoT devices, embedded solutions, mobile applications and other products with digital elements.
How can we help?
We will help you determine where you stand in relation to the CRA and walk you through the entire preparation step by step. For areas requiring deeper technical expertise, we have trusted, long-standing partners. We can either deliver the preparation as a whole, or recommend partners and take over the coordination. If you already have ISO 27001 in place or are implementing the new Cybersecurity Act, we will build on what you are already developing within the company and help connect these requirements with the CRA in a meaningful way.
Impact assessment and gap analysis
- We assess whether and which of your products fall under the CRA and in what role you act (manufacturer, importer, distributor).
- We determine the product classification, which defines the path to conformity assessment.
- We compare your current processes and documentation with CRA requirements and show what is missing, what to adjust and what to prioritise.
Output: a gap analysis with a prioritized preparation plan.
Preparing for compliance
- We draw up a cybersecurity risk analysis, on which the CRA builds further obligations.
- We prepare the basis for technical documentation so that it is possible to demonstrate how the CRA requirements were addressed – including the SBOM and CVD policy.
- We support you in the conformity assessment according to the product classification. For Default and Class I products, this involves self-assessment by the manufacturer – we prepare the documentation as well as the EU declaration of conformity.
- Once the methodologies and further procedures are known, we will help prepare the supporting materials and coordinate the entire process.
Output: a complete documentation package ready for conformity assessment.
Operation, sustainability and training
- We set up a procedure for reporting actively exploited vulnerabilities and serious incidents.
- We explain the CRA clearly to management and to the operational teams that will handle the new obligations – we will prepare a training tailored specially for you.
- For importers and distributors, we prepare a checklist of what they must verify before placing a product on the market and how to work with the manufacturer's documentation.
Output: processes and checklists for long-term CRA compliance in day-to-day operations.
WE WORK WITH ORGANISATIONS FROM INDUSTRY, IT, ENERGY AND OTHER SECTORS












What duties does the CRA introduce?
The CRA divides obligations according to a company's role in the supply chain. Manufacturers have the most obligations, but the new requirements also affect importers and distributors. For all of them, compliance with the CRA requirements will need to be demonstrated before a product is placed on the EU market.
Main obligations of manufacturers
- Design, develop and manufacture the product with digital elements in line with security by default principles.
- Carry out a risk analysis.
- Prepare and maintain technical documentation.
- Ensure security updates throughout the product's support period.
- Carry out a conformity assessment of the product.
- Draw up an EU declaration of conformity.
- Monitor vulnerabilities and report incidents and vulnerabilities affecting the product.
Main obligations of importers
- Verify that the manufacturer has met its obligations under the CRA.
- Check the conformity assessment, documentation and CE marking.
- Add their identification details and contact information to the documentation.
- Not place a product that does not comply with the CRA on the EU market.
- Cooperate with supervisory authorities.
Main obligations of distributors
- Verify that the manufacturer and importer have met their obligations.
- Check the conformity assessment, documentation and CE marking.
- Verify the presence of the manufacturer's and importer's contact details in the documentation.
- Notify the manufacturer of actively exploited vulnerabilities affecting the product.
Frequently asked questions about the CRA
Does the CRA apply to our company too?
What is a product with digital elements?
According to the CRA's definition, it is any hardware or software product capable of connecting to a network or another device, including remote data processing functions, where these are designed by the product's manufacturer and the product would not perform its function without them. Put simply: if a product has a digital function and communicates with its environment, there is a strong chance that it is a product with digital elements. Products with digital elements typically include mobile and web applications, operating systems, cloud-connected platforms, smart home devices, industrial IoT solutions, routers, cameras, wearables, or manufacturing technology with embedded software.
Conversely, the CRA does not apply to certain categories of products already subject to their own sector-specific cybersecurity regulation, for example medical devices, motor vehicles or certified aviation systems. Also excluded are products for national security and defence and non-commercial free and open-source software.
We are "just" an importer or distributor – what do we need to deal with?
Not only manufacturers, but also importers and distributors have obligations under the CRA. They do not have to meet everything a manufacturer does, but they cannot simply take over a product and sell it on without checks. They must verify the basic essentials, typically whether the product has the CE marking, the required documentation and information from the manufacturer. If they identify non-compliance, they cannot continue placing the product on the market and must cooperate on remediation. Moreover, if they place an imported or distributed product on the market under their own name or trademark, for example, they may be subject to the same obligations as the manufacturer.
When do the individual obligations start to apply?
The CRA entered into force on 10th of December 2024. From 11th September 2026, the obligations for reporting actively exploited vulnerabilities and serious incidents will start to apply. The main CRA obligations will start to apply from the 11th of December 2027. This is the date from which products with digital elements will have to meet CRA requirements in order to be placed on the EU market.
What is the difference between the CRA, CSA and NIS2?
CRA (Cyber Resilience Act) addresses the security of products with digital elements – that is, what software and hardware must meet in order to reach the EU market. The CSA (Cybersecurity Act) is a framework for European cybersecurity certification; it does not impose general obligations on all products. NIS2 (Network and Information Security) targets organisations and their services, not products themselves. In the Czech Republic, the requirements of the NIS Directive are transposed into the Cybersecurity Act. Simply put: the CRA addresses the product, NIS2 the organisation, and the CSA certification schemes.
What if our product is developed outside the EU?
The place where a product is developed is not in itself decisive. If you place the product on the EU market, the CRA may also apply to a product developed outside the European Union. In such a case, it is important to determine who is the manufacturer, who the importer and who the distributor under the CRA. It is this role that then determines the obligations, documentation and responsibility for the product's compliance with the CRA.
The CRA has specific deadlines. Don't delay your preparation
If the CRA applies to you, you have limited time to adapt to new processes, implement security by default principles and prepare technical documentation, so that you are not under pressure once the obligations start to apply in full.
10. 12. 2024
EU Regulation 2024/2847 (Cyber Resilience Act) entered into force.
11. 9. 2026
The obligation to actively report vulnerabilities and serious incidents begins. Initial reporting within 24 hours of detection.
11. 12. 2027
Full application of the CRA. Products with digital elements that do not meet the conditions of the regulation will no longer be allowed to be placed on the EU market.
Initial CRA consultation is for free
We will assess whether the Cyber Resilience Act applies to your products. We will help you get your bearings on which obligations apply to you, what you need to prepare and how to approach the whole process so that you are ready for the CRA in time.