THREAT BRIEFING · 11.07.2026 DEENFRES

Security Glossary

What Is the CRA? Obligations for Digital Products

By Benedikt Langer · July 7, 2026 · 6 min read

What is the Cyber Resilience Act? The Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, is an EU regulation for products with digital elements. It obliges manufacturers of hardware and software to adopt security-by-design, provide security updates throughout the product lifecycle, and report exploited vulnerabilities. Reporting obligations apply from 11. September 2026, and main obligations from 11. December 2027.

Key Takeaways

  • Legal nature: EU Regulation, applies directly in all Member States. No national transposition is required, unlike a directive.
  • Scope: Products with digital elements, i.e., hardware and software with a direct or indirect data connection to a device or network.
  • Core obligations: Security-by-Design, free security updates throughout the support period, CE marking following conformity assessment.
  • Deadlines: In force since 10. December 2024. Reporting obligations from 11. September 2026, full application from 11. December 2027.
  • Quick tip: The CRA governs the product, NIS2 the operator, DORA the financial sector.

What the Cyber Resilience Act (CRA) actually means

The Cyber Resilience Act (CRA) applies at market launch. A product with digital elements may only be made available in the EU if it meets the essential cybersecurity requirements of the regulation. This shifts responsibility to the start of the supply chain: the manufacturer must embed security into the product before it reaches the customer.

Obligations do not end with the sale. Manufacturers must address vulnerabilities throughout the support period, which is based on the expected useful life and is typically at least five years. Security updates must be provided free of charge. Before market access, a conformity assessment with CE marking is required, with stricter procedures for certain critical product classes.

Products that have their own sectoral security regime, such as medical devices, motor vehicles or certified aerospace technology, may be exempt, provided the relevant EU regulations apply.

Who the CRA Applies To

First and foremost, the manufacturers are the target, regardless of their headquarters location. Anyone supplying from outside the EU into the single market must appoint an EU-based representative. Importers and retailers have their own due‑diligence obligations. For open‑source software, an important clarification applies: merely providing code on repositories does not, by itself, constitute placing the product on the market. What matters is whether the software is made available as part of a commercial activity.

Indirectly, the CRA affects every purchase: For CISOs and IT decision‑makers, CRA compliance will soon become a procurement criterion. Violations of core obligations can result in fines of up to 15 million euros or 2.5 percent of worldwide annual turnover, whichever is higher, for manufacturers.

What Companies Must Check Now

Manufacturers should start with a portfolio inventory: every product with a data connection potentially falls under the regulation. This gives rise to support commitments, reporting processes and the preparation of conformity assessments.

Check now

  • Product inventory: capture all own and distributed products with a data connection
  • Define support commitments for each product in writing, and make update paths freely available
  • Set up a reporting process with 24‑ and 72‑hour deadlines, and appoint responsible persons
  • Prepare a conformity assessment, and secure a notified body for critical product categories
  • Update procurement policies: make CRA compliance a purchasing criterion from 2026 onward

Scope of Related Terms

The CRA is constantly confused with NIS2 and DORA. The three regulations complement each other and do not replace one another. The overview shows how they divide responsibilities.

Regulation Scope Addressee
CRA (Verordnung (EU) 2024/2847) Products with digital elements Manufacturers, importers, distributors
NIS2 (Richtlinie (EU) 2022/2555) Operation of essential and important entities Operators and organizations
DORA (Verordnung (EU) 2022/2554) Digital operational resilience in the financial sector Financial institutions and ICT service providers

The two neighboring regulations explain our glossary entries What is NIS2? and What is DORA?. What the CRA means for already sold products is examined in our article The Cyber Resilience Act also affects your inventory.

Frequently Asked Questions

Every question is locked. A tap unlocks the answer.

From when does the Cyber Resilience Act apply?

The regulation has been in force since December 10, 2024. Reporting obligations for manufacturers apply from September 11, 2026, and the full primary obligations from December 11, 2027.

Is the CRA a law only for manufacturers?

Manufacturers bear primary responsibility. Importers and retailers have their own due diligence obligations. Manufacturers located outside the EU must additionally appoint an authorized representative in the EU.

When must a manufacturer report a vulnerability?

When critical vulnerabilities are actively exploited and serious incidents occur, an early warning must be issued within 24 hours of becoming aware. The detailed report will follow within 72 hours via the central reporting platform to the coordinating CSIRT and ENISA. A final report concludes the notification.

Does the CRA also apply to open-source software?

The mere provision of software on repositories or platforms does not in itself constitute placing on the market. Under the EU’s Cyber Resilience Act (CRA), obligations kick in as soon as an organization provides software as part of a commercial activity and thereby acts as a manufacturer.

What distinguishes CRA, NIS2 and DORA?

The Cyber Resilience Act (CRA) regulates products with digital elements and their manufacturers. The NIS2 Directive regulates the operation of important and essential entities. The Digital Operational Resilience Act (DORA) regulates the digital resilience of the financial sector. Together, they cover products, operators, and the financial sector.

Editor’s Picks

Editor’s PickThe Cyber Resilience Act Also Affects Your Installed BaseEditor’s PickWhat Is NIS2? Definition, Obligations, and LiabilityEditor’s PickWhat Is DORA? Definition, Obligations and Deadlines

More from the MBF Media Network

cloudmagazinBanning shadow AI is the most expensive reflex in IT securityMyBusinessFutureElectricity Price Relief 2026: What Manufacturing Businesses Need to CheckDigital ChiefsThe Chief AI Officer is here. The problem remains.

Further reading

A magazine by Evernine Media GmbH