The Cyber Resilience Act: A Plain-English Guide
What the CRA requires, who it applies to, key deadlines, and what you need to do before December 2027.
What is the Cyber Resilience Act?
The Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU's first binding regulation focused specifically on the cybersecurity of products with digital elements — hardware, software, and connected devices. It was formally adopted in October 2024 and begins phased enforcement from December 2027.
The CRA exists because the EU recognised that most IoT devices, software applications, and connected products reach the market with inadequate security — often with no security updates, no vulnerability disclosure process, and no accountability after sale. The regulation changes this fundamentally.
Under the CRA, manufacturers and developers of digital products must design, develop, and maintain products that meet EU cybersecurity requirements — and prove it through conformity assessment.
Who does it apply to?
The CRA applies to any manufacturer or importer that places products with digital elements on the EU market. This includes:
- Consumer IoT devices (routers, cameras, smart home devices)
- Industrial connected equipment and operational technology
- Software products (apps, operating systems, desktop and mobile software)
- Cloud-connected components and remote data processing products
- Professional and enterprise hardware with digital interfaces
Open source software developed not-for-profit is generally excluded, but commercial deployments of open source components are not. If your product has a digital interface and is sold in the EU, you are likely in scope.
Key requirements
The CRA introduces requirements across the full product lifecycle:
- Security by design: Products must be designed with security as a baseline — no default passwords, minimal attack surface, data minimisation, encrypted data in transit and at rest.
- Vulnerability management: Manufacturers must have a documented process for identifying, triaging, and addressing vulnerabilities, including coordinated vulnerability disclosure (CVD) policies.
- Security updates: Critical security patches must be available for at least 5 years (or the expected product lifetime if shorter). Updates must be free of charge.
- Incident reporting: Actively exploited vulnerabilities and severe incidents must be reported to ENISA within 24 hours of discovery.
- Conformity assessment: Products are classified into Default, Important Class I, and Important Class II categories. Higher-risk categories require third-party conformity assessment and CE marking.
- Technical documentation: A full Software Bill of Materials (SBOM), EU Declaration of Conformity, and user documentation must be maintained and available.
Enforcement timeline
The CRA entered into force in December 2024. Enforcement follows a phased schedule:
- June 2026: Notified Body requirements and market surveillance authority obligations apply.
- September 2026: Vulnerability and incident reporting obligations become enforceable.
- December 2027: All essential requirements and conformity assessment obligations become fully enforceable for all in-scope products.
Non-compliance penalties can reach up to €15 million or 2.5% of global annual turnover, whichever is higher. Market surveillance authorities can prohibit, restrict, or recall non-compliant products.
How Kortave automates CRA compliance
Kortave's CRA module automates the documentation and workflow layer of your compliance obligations:
- Product classification assessment — determining your product's risk category under the CRA annex
- Security requirement gap analysis against the CRA's essential requirements
- Coordinated vulnerability disclosure policy templates and notification workflows
- SBOM (Software Bill of Materials) documentation support
- EU Declaration of Conformity and technical documentation templates
- 72-hour incident reporting workflow to ENISA
- Ongoing monitoring of product security update obligations
Kortave does not replace conformity assessment bodies or legal counsel for Class II products — but it automates the documentation and process layer that consumes most of your compliance time and budget.
Start your CRA documentation now.
December 2027 sounds far away, but building conformity-assessment-ready documentation takes longer than you expect. Kortave sets you up in 48 hours.