Open platform →
Regulation (EU) 2024/2847

The EU Cyber Resilience Act
compliance resource

Independent reference guide for manufacturers, importers and distributors of products with digital elements across the European Union.

Automate your CRA compliance →

Based on Regulation (EU) 2024/2847 and Implementing Regulation (EU) 2025/2392. All content references official EUR-Lex sources.

Key dates and deadlines

Official timeline based on Regulation (EU) 2024/2847, Articles 71–72.

20 November 2024
Published in Official Journal Done
Regulation (EU) 2024/2847 published in the EU Official Journal. OJ L, 2024/2847.
10 December 2024
Entry into force Done
The CRA entered into force. All economic operators must prepare for phased obligations.
21 December 2025
Product classification clarified Done
Commission Implementing Regulation (EU) 2025/2392 entered into force, providing technical descriptions for Important and Critical product categories.
11 June 2026
Conformity assessment bodies
Member States must notify conformity assessment bodies to the European Commission. Chapter IV of the CRA applies from this date.
11 September 2026
Vulnerability reporting begins
Article 14 obligations apply. Manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's CRA Single Reporting Platform. Deadlines: 24h initial, 72h early notification, 14 days or 1 month final report.
11 December 2027
Full application
All CRA requirements apply: essential cybersecurity requirements (Annex I), CE marking, EU Declaration of Conformity, technical documentation (Annex VII), and market placement rules.

Product classification

Based on Regulation (EU) 2024/2847 (Articles 7–8) and Implementing Regulation (EU) 2025/2392. Classification is determined by a product's core functionality.

Default
Standard products
Self-assessment conformity route. Manufacturer performs internal risk assessment and issues EU Declaration of Conformity.
Most connected software and hardware products
Important — Class I
Higher-risk products
Harmonised standards required, or mandatory third-party assessment by a notified body.
Password managers, VPN clients, smart home security devices
Important — Class II
Significant-risk products
Mandatory third-party assessment by a notified body in all cases.
OS, firewalls, routers, industrial automation (NIS-2 entities)
Critical
Critical infrastructure products
Mandatory notified body assessment, or EU cybersecurity certification scheme where applicable.
Smart meter gateways, secure elements, HSMs

Source: Regulation (EU) 2024/2847 Articles 7–8 and Annexes III–IV; Implementing Regulation (EU) 2025/2392.

Frequently asked questions

Answers based exclusively on the official text of Regulation (EU) 2024/2847 and Implementing Regulation (EU) 2025/2392.

What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is Regulation (EU) 2024/2847, adopted on 23 October 2024 and published in the EU Official Journal on 20 November 2024. It entered into force on 10 December 2024. The CRA establishes mandatory horizontal cybersecurity requirements for all products with digital elements made available on the EU market — covering both hardware and software that can connect directly or indirectly to a device or network.
Source: Regulation (EU) 2024/2847, Article 1 — EUR-Lex
Who does the CRA apply to?
The CRA applies to manufacturers, importers and distributors of products with digital elements made available on the EU market. Manufacturers bear the primary obligations — including designing products to meet essential cybersecurity requirements, managing vulnerabilities, and issuing an EU Declaration of Conformity. The CRA also applies to non-EU manufacturers whose products are placed on the EU market.
Source: Regulation (EU) 2024/2847, Articles 13–26
What are the essential cybersecurity requirements?
Annex I of Regulation (EU) 2024/2847 sets out the essential requirements. Part I covers security properties of the product (secure by default, minimal attack surface, protection of confidentiality and integrity, data minimisation, etc.). Part II covers vulnerability handling processes (identifying and documenting vulnerabilities, CVD policy, security updates for the support period, SBOM, coordinated vulnerability disclosure).
Source: Regulation (EU) 2024/2847, Annex I Parts I and II
When do vulnerability reporting obligations start?
Article 14 obligations apply from 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's CRA Single Reporting Platform. Timeline: initial notification within 24 hours of becoming aware; early notification within 72 hours; final report within 14 days (for vulnerabilities) or one month (for incidents). Microenterprises and small enterprises are exempt from fines for failing to meet the 24-hour deadline, per Article 64.
Source: Regulation (EU) 2024/2847, Article 14 and Article 64
What is required for technical documentation?
Annex VII of Regulation (EU) 2024/2847 defines the required content of technical documentation. It must include: a general description of the product, design and development documentation, a cybersecurity risk assessment, a list of harmonised standards applied, EU Declaration of Conformity, and information on vulnerability handling processes. Manufacturers must retain technical documentation for at least 10 years after placing the product on the market (Article 31).
Source: Regulation (EU) 2024/2847, Article 31 and Annex VII
What are the penalties for non-compliance?
Article 64 of Regulation (EU) 2024/2847 sets maximum penalties. Non-compliance with essential cybersecurity requirements: up to €15,000,000 or 2.5% of global annual turnover (whichever is higher). Non-compliance with other obligations: up to €10,000,000 or 2% of global annual turnover. Providing incorrect information to authorities: up to €5,000,000 or 1% of global annual turnover. Actual penalties are set by Member States.
Source: Regulation (EU) 2024/2847, Article 64

Country guidance

CRA Ready provides compliance resources in the official languages of the EU's main industrial markets.

🇩🇪
Germany
Deutsch
 🇫🇷
France
Français
 🇳🇱
Netherlands
Nederlands
 🇮🇹
Italy
Italiano
 🇵🇱
Poland
Polski
 🇬🇧
United Kingdom
English

Automate your CRA compliance

CRA Ready is the B2B SaaS platform purpose-built for EU industrial manufacturers. CE marking workflow, technical documentation, vulnerability management, and SBOM — all in one place.

Open platform →
Legal disclaimer: This page is an informational resource. All content references the official text of Regulation (EU) 2024/2847 and related implementing acts published in the EU Official Journal. This page does not constitute legal advice. For binding legal interpretation, refer to the official EUR-Lex text. The Commission's draft guidance (Ares(2026)2319816, March 2026) is not yet finalised and is not cited on this page.
CRA Ready GmbH Investment Opportunity