Understanding the Cyber Resilience Act

Michael Grand

2/10/2026

#CRA #Cybersecurity #Regulation #EU
The Cyber Resilience Act (CRA) represents a paradigm shift in how digital products are regulated in the European Union. Similar to how the GDPR revolutionized data privacy, the CRA aims to set a global standard for the cybersecurity of products with digital elements.

Context and Objectives

The CRA was born out of a simple observation: while our lives are increasingly dependent on digital devices and software, the regulation governing their security has been fragmented and insufficient.

The objectives of the CRA are clear:

  1. Enhance Security: Ensure that manufacturers improve the security of products with digital elements from the design phase onward.
  2. Transparency: Provide users with sufficient information about the cybersecurity of the products they buy.
  3. Market Surveillance: Create a robust framework for monitoring compliance.

Key Requirements

The regulation applies to a broad range of "products with digital elements", covering both hardware and software. The pillars of compliance include:

  • Security by Design: Security mechanisms must be built-in, not bolted on. This includes secure default configurations, protection against unauthorized access, and data integrity.
  • Vulnerability Handling: Manufacturers must implement a Coordinated Vulnerability Disclosure (CVD) policy to receive and manage security reports.
  • Support Period: Manufacturers must determine a support period (at least 5 years, unless the product's expected lifetime is shorter).
  • Update Availability: Security updates must remain available for at least 10 years after they are published, even if the support period has ended.

CE Marking and Self-Assessment

Compliance with the CRA is a prerequisite for affixing the CE mark, which effectively acts as a passport for the EU market.

  • Unclassified (Default Category): For the vast majority of products, manufacturers can perform a self-assessment to declare conformity.
  • Important Class I: Includes products like browsers, password managers, antivirus software, and smart home devices. Manufacturers can still perform a self-assessment if they fully apply harmonized standards; otherwise, third-party assessment is required.
  • Important Class II: Higher-risk products such as hypervisors, industrial firewalls, or tamper-resistant microprocessors. These strictly require assessment by a third-party notified body.
  • Critical Products: The highest risk category, including smart cards, Hardware Security Modules (HSM), and smart meter gateways. These always require third-party assessment or certification.

Deadlines and Penalties

The CRA has entered into force, starting a countdown for compliance:

  • September 2026: Reporting obligations for actively exploited vulnerabilities and severe incidents kick in.
  • December 2027: Full application of requirements, including CE marking.

Non-compliance can be costly. Fines can reach up to €15 million or 2.5% of global annual turnover, whichever is higher.

Conclusion

The CRA is not just a checklist; it's a call to action for better engineering practices. Start preparing your compliance journey today by assessing your product portfolio against these new standards.