Cyber-summer at the Cybrela academy. 6 cybersecurity webinars, online every other Friday. Register for free ➡️

Cyber Resilience Act (CRA)

From 11th December 2027, it will no longer be possible to place products with digital elements on the EU market without meeting CRA requirements and bearing the CE marking. We help manufacturers, importers and distributors set up processes and documentation so that their products obtain the CE marking and remain on the European market.

What is CRA and who is affected by the regulation?

Cyber Resilience Act (CRA) is a European regulation that introduces cybersecurity obligations for products with digital elements placed on the EU market.

CRA requirements concern not only the technical security of the product, but its entire lifecycle: from cybersecurity risk assessment through vulnerability handling, security updates and the support period to technical documentation, conformity assessment and CE marking.

It applies to manufacturers, importers and distributors of products with digital elements.

If your product communicates with its environment and you make it available on the EU market, it is likely a product with digital elements. Manufacturer obligations will apply to you – from documentation through vulnerability monitoring to conformity assessment.

CRA applies to you as an importer. Your main obligation will be to verify that the manufacturer has met the CRA requirements, check the documentation and CE marking, and add your identification details to the documentation. But beware: if, for example, you place products on the market under your own name or trademark, you may be subject to the same obligations as the manufacturer.

Distributors also have obligations under the CRA, in particular verifying that the product bears the CE marking, has the required documentation and the contact details of the manufacturer and importer. If you identify non-compliance, you must not continue to place the product on the market. As in the previous point, if, for example, you place products on the market under your own name or trademark, you may be subject to the same obligations as the manufacturer.

CRA applies to you as a manufacturer. You will need to demonstrate that the product was designed in line with security by default principles, prepare a cybersecurity risk analysis and technical documentation, and ensure security updates throughout a support period of at least 5 years.

If a product fails to meet CRA requirements, it faces fines of up to 15 million EUR or 2.5% of global turnover, withdrawal from the market and a sales ban.

To be placed on the EU market, products with digital elements will have to meet CRA requirements, undergo a conformity assessment and bear the CE marking.

The CRA regulation covers software, hardware, IoT devices, embedded solutions, mobile applications and other products with digital elements.

How can we help?

We will help you determine where you stand in relation to the CRA and walk you through the entire preparation step by step. For areas requiring deeper technical expertise, we have trusted, long-standing partners. We can either deliver the preparation as a whole, or recommend partners and take over the coordination. If you already have ISO 27001 in place or are implementing the new Cybersecurity Act, we will build on what you are already developing within the company and help connect these requirements with the CRA in a meaningful way.

Impact assessment and gap analysis

Output: a gap analysis with a prioritized preparation plan.

Preparing for compliance

Output: a complete documentation package ready for conformity assessment.

Operation, sustainability and training

Output: processes and checklists for long-term CRA compliance in day-to-day operations. 

WE WORK WITH ORGANISATIONS FROM INDUSTRY, IT, ENERGY AND OTHER SECTORS

What duties does the CRA introduce?

The CRA divides obligations according to a company's role in the supply chain. Manufacturers have the most obligations, but the new requirements also affect importers and distributors. For all of them, compliance with the CRA requirements will need to be demonstrated before a product is placed on the EU market.

Main obligations of manufacturers

Main obligations of importers

Main obligations of distributors

Frequently asked questions about the CRA

The CRA applies to manufacturers, importers and distributors of products with digital elements. The new regulation likely applies to you if you develop software under your own brand, place a digital product on the EU market, import a digital product from third countries, or distribute a product with digital elements. At the outset, it is crucial to correctly determine whether, in relation to a product containing digital elements, you act as a manufacturer, importer or distributor. If you are unsure about this, it is the first thing that needs to be clarified when it comes to the CRA.

According to the CRA's definition, it is any hardware or software product capable of connecting to a network or another device, including remote data processing functions, where these are designed by the product's manufacturer and the product would not perform its function without them. Put simply: if a product has a digital function and communicates with its environment, there is a strong chance that it is a product with digital elements. Products with digital elements typically include mobile and web applications, operating systems, cloud-connected platforms, smart home devices, industrial IoT solutions, routers, cameras, wearables, or manufacturing technology with embedded software.

Conversely, the CRA does not apply to certain categories of products already subject to their own sector-specific cybersecurity regulation, for example medical devices, motor vehicles or certified aviation systems. Also excluded are products for national security and defence and non-commercial free and open-source software.

Not only manufacturers, but also importers and distributors have obligations under the CRA. They do not have to meet everything a manufacturer does, but they cannot simply take over a product and sell it on without checks. They must verify the basic essentials, typically whether the product has the CE marking, the required documentation and information from the manufacturer. If they identify non-compliance, they cannot continue placing the product on the market and must cooperate on remediation. Moreover, if they place an imported or distributed product on the market under their own name or trademark, for example, they may be subject to the same obligations as the manufacturer.

The CRA entered into force on 10th of December 2024. From 11th September 2026, the obligations for reporting actively exploited vulnerabilities and serious incidents will start to apply. The main CRA obligations will start to apply from the 11th of December 2027. This is the date from which products with digital elements will have to meet CRA requirements in order to be placed on the EU market.

CRA (Cyber Resilience Act) addresses the security of products with digital elements – that is, what software and hardware must meet in order to reach the EU market. The CSA (Cybersecurity Act) is a framework for European cybersecurity certification; it does not impose general obligations on all products. NIS2 (Network and Information Security) targets organisations and their services, not products themselves. In the Czech Republic, the requirements of the NIS Directive are transposed into the Cybersecurity Act. Simply put: the CRA addresses the product, NIS2 the organisation, and the CSA certification schemes.

The place where a product is developed is not in itself decisive. If you place the product on the EU market, the CRA may also apply to a product developed outside the European Union. In such a case, it is important to determine who is the manufacturer, who the importer and who the distributor under the CRA. It is this role that then determines the obligations, documentation and responsibility for the product's compliance with the CRA.

The CRA has specific deadlines. Don't delay your preparation

If the CRA applies to you, you have limited time to adapt to new processes, implement security by default principles and prepare technical documentation, so that you are not under pressure once the obligations start to apply in full.

1
2
3
10. 12. 2024

EU Regulation 2024/2847 (Cyber Resilience Act) entered into force.

11. 9. 2026

The obligation to actively report vulnerabilities and serious incidents begins. Initial reporting within 24 hours of detection.

11. 12. 2027

Full application of the CRA. Products with digital elements that do not meet the conditions of the regulation will no longer be allowed to be placed on the EU market.

Initial CRA consultation is for free

We will assess whether the Cyber Resilience Act applies to your products. We will help you get your bearings on which obligations apply to you, what you need to prepare and how to approach the whole process so that you are ready for the CRA in time.