Cyber Resilience Act, CRA | Traficom


The EU Cyber Resilience Act (CRA) sets out cybersecurity requirements for products with digital elements and obligations for economic operators placing them on the EU market, such as manufacturers, importers, distributors and open-source software stewards. The aim is to improve the cybersecurity of products throughout their entire lifecycle. On this page, we explain what these obligations mean in practice.


Regulation (EU) 2024/2847 on cyber resilience – also known as the Cyber Resilience Act or CRA – is a European Union regulation aimed at improving the cybersecurity of products with digital elements placed on the EU market.

From 11 December 2027, compliance with the requirements of the CRA will be a precondition for placing a product on the EU market.

Who and what does the CRA apply to?

Economic operators covered by the CRA

The Cyber Resilience Act applies to economic operators that place products with digital elements on the EU market. These include, for example:

  • manufacturers
  • importers
  • distributors
  • open-source software stewards in certain circumstances

If your organisation develops, manufactures, imports or sells digital products on the EU market, the Cyber Resilience Act is likely to apply to your activities.

Products covered by the CRA

The Cyber Resilience Act applies to products with digital elements. In practice, this means hardware and software products whose intended purpose or reasonably foreseeable use includes a direct or indirect data connection to a device or network.

The regulation applies, for example, to:

  • consumer smart devices such as security cameras, televisions, toys and home routers
  • software and applications such as games, word processing and image editing software, operating systems, browsers and password management software
  • industrial and technical digital systems such as industrial control systems, connectable IoT devices and certain microprocessors and microcontrollers

A remote data processing solution provided by the manufacturer, such as a cloud-based service for remote management or data processing, is also considered part of the product where the product needs that solution to perform one of its functions. This is typical for IoT devices, but it applies to any product with digital elements.

The regulation may also apply to cloud services where they form part of a product or of a remote processing solution provided by its manufacturer.

Products not covered by the CRA

The regulation does not apply, for example, to:

  • medical devices
  • in vitro diagnostic medical devices
  • certain vehicles
  • marine equipment
  • certified aviation equipment, such as aircraft

These are already subject to product-specific cybersecurity requirements under other EU legislation.

The regulation also does not apply to products intended exclusively for national security or defence purposes.

What obligations does the CRA impose on economic operators?

The Cyber Resilience Act sets out obligations for economic operators that place products with digital elements on the EU market. These obligations vary depending on the role of the operator and relate, for example, to ensuring that products meet the cybersecurity requirements and to reporting vulnerabilities affecting the products.

The manufacturer is responsible for ensuring that the product complies with the requirements of the Cyber Resilience Act before it is placed on the EU market. For example, the manufacturer must:

  • design and develop the product so that it meets the cybersecurity requirements set out in the regulation
  • carry out a risk assessment of the product
  • draw up the required technical documentation
  • ensure that the required conformity assessment procedure is carried out
  • ensure vulnerability handling and provide the necessary security updates throughout the product lifecycle

More information on the obligations of manufacturers

We have prepared a document describing the obligations of manufacturers under the Cyber Resilience Act, the relevant provisions of the regulation and related indicative requirements based on existing standards. The document is based on ENISA’s Cyber Resilience Act Requirements Standards Mapping.

This overview is not an exhaustive list of requirements but is intended to provide a general picture of the current situation. Legally binding obligations are laid down in the regulation, in Commission implementing acts and in harmonised standards and technical specifications.

Read the overview here:
Obligations of manufacturers under the CRA and indicative requirements (pdf) (in Finnish)

The importer must ensure that a product imported from outside the EU complies with the requirements of the Cyber Resilience Act before it is placed on the EU market. For example, the importer must:

  • verify that the manufacturer has carried out the conformity assessment and drawn up the technical documentation
  • check that the product bears the required markings and is accompanied by the required instructions
  • retain the necessary information and cooperate with the authorities where required

The distributor must act with due care to ensure that the requirements of the regulation are also met in the distribution chain. For example, the distributor must:

  • check that the product bears the required markings and is accompanied by the required instructions
  • ensure that the product is stored and handled appropriately
  • inform the manufacturer or the authorities if non-compliance is identified in the product

Open-source software falls within the scope of the Cyber Resilience Act when it is supplied in the course of a commercial activity, for example where it is developed or supplied as part of a commercial product or service. Purely non-commercial open-source development is out of scope, and open-source software stewards, such as foundations that support the development of open-source software intended for commercial use, are subject to a lighter set of obligations than manufacturers.

When do the CRA provisions apply?

Key dates of the Cyber Resilience Act

10 December 2024 – Entry into force

The Cyber Resilience Act entered into force in the EU. This date marks the start of the transition period before the obligations apply.

11 June 2026 – Application of provisions on notified bodies begins

11 September 2026 – Vulnerability reporting obligations begin

Manufacturers must report actively exploited vulnerabilities and severe security incidents to the authorities. This obligation applies to both new products and products already on the EU market.

11 December 2027 – Application of essential cybersecurity requirements and conformity assessment provisions begins

The essential cybersecurity requirements apply to products placed on the EU market from 11 December 2027 onwards.

Reporting of vulnerabilities and security incidents affecting products

The Cyber Resilience Act requires manufacturers to report actively exploited vulnerabilities and severe incidents affecting the security of a product. This obligation applies to both new products and products already on the EU market.

The manufacturer must submit an early warning notification, a follow-up notification and a final report. From 11 September 2026 onwards, all notifications must be submitted through the Single Reporting Platform maintained by ENISA. At present, the NCSC-FI does not have a separate form for submitting notifications.

What is an actively exploited vulnerability?

An actively exploited vulnerability is a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a product with digital elements that the manufacturer has made available on the market. Mandatory reporting does not cover vulnerabilities identified without malicious intent, for example through good-faith security testing or research, including bug bounty programmes.

What is a severe incident having an impact on product security?

A severe incident having an impact on the security of a product refers to situations where an event affects the availability, authenticity, integrity or confidentiality of a product. Such incidents may occur, for example, in the manufacturer’s development, production or maintenance processes. One example is a situation where an attacker has successfully injected malware into the manufacturer’s software update distribution channel.

Manufacturer: how to report a cybersecurity incident or vulnerability detected in your product

  • Step 1

    Submit an early warning notification within 24 hours of becoming aware of the actively exploited vulnerability or the severe incident

    Submit the notification via ENISA's Single Reporting Platform.
     

    Early warning notification – required information

    • Member States where the manufacturer is aware that the product has been made available
    • whether the incident is suspected to be caused by unlawful or malicious acts (for incidents)
  • Step 2

    Submit the follow-up notification within 72 hours of becoming aware of the vulnerability or incident

    Submit the follow-up notification via ENISA's Single Reporting Platform.

    Follow-up notification – required information

    Vulnerabilities:

    • general information about the product, the vulnerability and its exploitation
    • corrective or mitigating measures taken
    • corrective or mitigating measures that users can take
    • the sensitivity of the information, as assessed by the manufacturer

    Incidents:

    • general information about the nature of the incident and an initial assessment
    • corrective or mitigating measures taken
    • corrective or mitigating measures that users can take
    • the sensitivity of the information, as assessed by the manufacturer
  • Step 3

    Submit the final report for vulnerabilities no later than 14 days after a corrective or mitigating measure becomes available and, for incidents, within one month of submitting the follow-up notification.

    Submit the notification via ENISA's Single Reporting Platform.
     

    Final report – required information

    Vulnerabilities:

    • a description of the vulnerability, including its severity and impact
    • where possible, information on any malicious actor that has exploited or is exploiting the vulnerability
    • details about the security update or other corrective measures made available to remedy the vulnerability

    Incidents:

    • a detailed description of the incident, including its severity and impact
    • the type of threat or the likely root cause of the incident
    • applied and ongoing mitigation measures

Notifications submitted via the Single Reporting Platform are forwarded to the CSIRT designated as coordinator, which is generally the CSIRT of the Member State in which the manufacturer has its main establishment. The information is also forwarded to the CSIRTs of the Member States in which the product has been made available.

When making the notification, the manufacturer may request the coordinating CSIRT to delay the onward dissemination of the notification if one of the following conditions is met:

  • the notified vulnerability has been actively exploited by a malicious actor and, according to the information available, it has been exploited only in the Member State of the CSIRT designated as coordinator to which the manufacturer notified the vulnerability
  • any immediate further dissemination of the notified vulnerability would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State
  • the notified vulnerability poses an imminent high cybersecurity risk due to the further dissemination of the information

In such cases, the CSIRT will assess the situation and make a decision based on the available information. The CSIRT may also decide on its own initiative to delay the transmission of the notification without a separate request if the above conditions are met.
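As an added example (not Traficom's, ENISA's or the regulation's own code), the following Python helper models the three-stage reporting workflow set out above: it computes the 24-hour, 72-hour and final-report deadlines from the moment of awareness, distinguishes the vulnerability case (where the final-report clock only starts once a corrective or mitigating measure is available) from the incident case (one month after the follow-up), and checks a draft notification against the mandatory content listed for each stage. The field names, the 30-day reading of "one month" and the sample timestamps are this example's own assumptions; the notification itself is still submitted through the Single Reporting Platform.

```python
"""Added example (not Traficom's, ENISA's or the CRA's own code): a helper that models
the three-stage CRA Article 14 reporting workflow summarised on this page.
Field names and the 30-day reading of "one month" are this example's assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Deadlines as summarised on this page (Article 14).
EARLY_WARNING_WINDOW = timedelta(hours=24)           # from becoming aware
FOLLOW_UP_WINDOW = timedelta(hours=72)               # from becoming aware
VULN_FINAL_AFTER_FIX = timedelta(days=14)            # from a fix/mitigation being available
INCIDENT_FINAL_AFTER_FOLLOW_UP = timedelta(days=30)  # "one month" after the follow-up; 30 days is an assumption

# Mandatory content per stage, taken from the page's lists. The field names are invented here.
REQUIRED_FIELDS: Dict[str, Dict[str, Set[str]]] = {
    "vulnerability": {
        "early_warning": {"member_states"},
        "follow_up": {"product_and_exploitation", "measures_taken", "user_measures", "sensitivity"},
        # attacker attribution is only required "where possible", so it is not enforced here
        "final": {"description_severity_impact", "fix_details"},
    },
    "incident": {
        "early_warning": {"member_states", "suspected_malicious"},
        "follow_up": {"nature_and_initial_assessment", "measures_taken", "user_measures", "sensitivity"},
        "final": {"description_severity_impact", "threat_or_root_cause", "mitigations"},
    },
}
STAGES = ("early_warning", "follow_up", "final")


@dataclass
class ReportingCase:
    kind: str                                    # "vulnerability" or "incident"
    aware_at: datetime                           # timezone-aware moment the manufacturer became aware
    follow_up_sent_at: Optional[datetime] = None
    fix_available_at: Optional[datetime] = None  # vulnerabilities only
    sent_stages: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.kind not in REQUIRED_FIELDS:
            raise ValueError(f"unknown kind {self.kind!r}")
        if self.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware; the deadlines are clock-sensitive")

    def deadlines(self) -> Dict[str, Optional[datetime]]:
        """Due time per stage; None means the clock for that stage has not started yet."""
        due: Dict[str, Optional[datetime]] = {
            "early_warning": self.aware_at + EARLY_WARNING_WINDOW,
            "follow_up": self.aware_at + FOLLOW_UP_WINDOW,
        }
        if self.kind == "vulnerability":
            due["final"] = self.fix_available_at + VULN_FINAL_AFTER_FIX if self.fix_available_at else None
        else:
            due["final"] = (self.follow_up_sent_at + INCIDENT_FINAL_AFTER_FOLLOW_UP
                            if self.follow_up_sent_at else None)
        return due

    def overdue(self, now: datetime) -> List[str]:
        """Stages whose deadline has passed and which have not been submitted yet."""
        due = self.deadlines()
        return [s for s in STAGES
                if s not in self.sent_stages and due[s] is not None and now > due[s]]


def missing_fields(kind: str, stage: str, report: dict) -> Set[str]:
    """Mandatory fields for this stage that are absent from the draft notification.
    A value of False (e.g. 'not suspected to be malicious') counts as present."""
    return {f for f in REQUIRED_FIELDS[kind][stage] if f not in report or report[f] is None}


def example_vulnerability_case() -> ReportingCase:
    """Constructed sample: aware on 2026-10-01 09:00 UTC, fix available five days later."""
    aware = datetime(2026, 10, 1, 9, 0, tzinfo=timezone.utc)
    return ReportingCase("vulnerability", aware, fix_available_at=aware + timedelta(days=5))


if __name__ == "__main__":
    case = example_vulnerability_case()
    for stage, due in case.deadlines().items():
        print(f"{stage:14s} due {due.isoformat() if due else 'clock not started'}")
    print("overdue at +72h:", case.overdue(case.aware_at + FOLLOW_UP_WINDOW))
    draft = {"member_states": ["FI", "SE"]}  # constructed early-warning draft for an incident
    print("missing for incident early warning:", missing_fields("incident", "early_warning", draft))
```

When wiring something like this into a real tracker, start the clocks from the moment of awareness rather than the moment of triage, compute in UTC, treat the deadlines as upper bounds, and keep "where possible" items such as attacker attribution as optional fields that do not block submission.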

What requirements does the CRA impose on products?

Manufacturers must ensure that a product is designed, developed and produced in accordance with the essential cybersecurity requirements set out in the Cyber Resilience Act. These requirements cover both the technical characteristics of the product and the manufacturer’s obligations to manage vulnerabilities and provide security updates throughout the product lifecycle.

The detailed requirements are laid down in Article 13 and Annex I of the Cyber Resilience Act. Compliance with the requirements is demonstrated by CE marking.

The essential cybersecurity requirements apply to products placed on the EU market from 11 December 2027 onwards. Placing on the market means making a product available on the EU market for the first time.

The essential cybersecurity requirements are implemented on the basis of risks. They include, for example:

  • secure default configurations and automatic security updates
  • protection against unauthorised access
  • confidentiality of data processing and data minimisation
  • safeguarding of critical functions

Further details will be set out in harmonised standards and technical specifications. Harmonised standards are published in the Official Journal of the European Union as they become available.

The European Commission has requested the European standardisation organisations to prepare approximately 40 standards to support the technical interpretation of the regulation. These are referred to as harmonised standards, and a product implemented in accordance with them is, in principle, presumed to conform with the requirements those standards cover.

Compliance may also be demonstrated by means other than those specified in the harmonised standards. In such cases, however, the manufacturer bears the responsibility for interpreting the requirements and for justifying that its solution meets them.

CRA standards are being prepared within the following European standardisation organisations:

  • CEN (general standardisation)
  • CENELEC (electrotechnical standardisation)
  • ETSI (telecommunications standardisation)

In Finland, standardisation work is monitored through the national member organisations:

  • SFS Suomen standardit (CEN)
  • SESKO (CENELEC)
  • Traficom (ETSI)

The monitoring services provided by SFS and SESKO are subject to a fee. At the NCSC-FI at Traficom, CRA-related work is monitored within the Information Security Standardisation Network, which has established a dedicated CRA subgroup. Membership of the network is open and free of charge.

In addition, Traficom is responsible for consultation rounds relating to the standards.


How is conformity assessed?

Before a product can be placed on the EU market, the manufacturer must demonstrate that it complies with the essential cybersecurity requirements of the Cyber Resilience Act. This is known as conformity assessment.

The assessment procedure depends on the category of the product. In most cases, the manufacturer can carry out the assessment itself, but in certain cases a notified body is involved.

Find your product category below to see the applicable assessment procedure.

CRA product categories

Default category (products not listed in Annex III or Annex IV)

Most products fall into this category. For these products, the manufacturer may carry out the conformity assessment itself.

How conformity can be demonstrated for this category

Conformity can be demonstrated by choosing one of the following procedures:

  • self-assessment (module A)
  • application of standards
  • EU-type examination and internal production control (modules B and C)
  • examination conducted by a notified body (module H)
  • European cybersecurity certificate

(Article 32 and Annex VIII)

Examples of products in this category

Smart speakers, hard drives, image editing software, games

Criteria for inclusion in this category

No specific criteria are defined for this category.

Important products, class I (Annex III)

The Cyber Resilience Act defines a set of products considered important from a cybersecurity perspective.

These products may be subject to stricter conformity assessment, and in some cases a notified body may be involved.

How conformity can be demonstrated for this category

Conformity can be demonstrated by choosing one of the following procedures:

  • application of standards
  • EU-type examination and internal production control (modules B and C)
  • examination conducted by a notified body (module H)
  • European cybersecurity certificate at assurance level substantial or high

(Article 32 and Annex VIII)

Examples of products in this category

Routers, browsers, smart home products, wearable smart products, smart toys

(Annex III)

Criteria for inclusion in this category

A product falls into this category if one of the following applies:

a) the product has a cybersecurity-related functionality
b) the product presents a significant cybersecurity risk

Important products, class II (Annex III)

Class II products are considered particularly significant from a cybersecurity perspective. The conformity assessment for these products usually involves a notified body.

How conformity can be demonstrated for this category

Conformity can be demonstrated by choosing one of the following procedures:

  • EU-type examination and internal production control (modules B and C)
  • examination conducted by a notified body (module H)
  • European cybersecurity certificate at assurance level substantial or high

(Article 32 and Annex VIII)

Examples of products in this category

Virtualisation solutions, firewalls, tamper-resistant processors

(Annex III)

Criteria for inclusion in this category

A product falls into this category if both of the following apply:

a) the product has a cybersecurity-related functionality
b) the product presents a significant cybersecurity risk

(Article 7)

Critical products (Annex IV)

The Cyber Resilience Act also identifies products considered particularly critical from a cybersecurity perspective. These products are subject to the strictest assessment procedure.

How conformity is demonstrated for this category

For these products, the following is required:

  • mandatory European cybersecurity certification at assurance level substantial or high

(Article 32)

Examples of products in this category
Hardware security modules, smart meter gateways, smart cards

(Annex IV)

Criteria for inclusion in this category

Products are designated as critical on the basis of the following criteria:

a) an essential entity under the NIS2 Directive is critically dependent on the product

b) exploited vulnerabilities could cause widespread disruption in the supply chain

(Article 8)


How to place a product on the EU market

  • Step 1

    Identify the applicable requirements and take them into account during development

    Assess whether your product falls within the scope of the Cyber Resilience Act and which cybersecurity requirements apply to it.

    Design and develop the product so that it meets the requirements of the Cyber Resilience Act.

    Also assess the cybersecurity risks associated with the product, document them and take the requirements of the regulation into account already at the design and development stage.
     

  • Step 2

    Ensure that the product complies with the requirements

    The manufacturer must draw up technical documentation for the product and, where required, carry out a conformity assessment. In some cases, a notified body is involved.

  • Step 3

    Draw up the EU declaration of conformity and ensure the required markings

    Once the product complies with the requirements, the manufacturer must draw up the EU declaration of conformity and ensure that the product bears the required markings, such as the CE marking, and is accompanied by the necessary instructions and information for the user.

  • Step 4

    Ensure cybersecurity also after placing the product on the market

    The manufacturer must monitor vulnerabilities affecting the product and provide the necessary security updates throughout the product lifecycle.

    The manufacturer must also cooperate with the authorities in market surveillance situations and take action where necessary if the product is found to be non-compliant.

    The cybersecurity risk assessment must be maintained and updated as necessary throughout the product's support period.

See also

Do you know what CRA requires from you?

Use the CRA Compass (in Finnish) to find out whether your product falls within the scope of the regulation and what it means in practice.

Try the CRA Compass (in Finnish)

Notified bodies under the CRA

Could your organisation act as a notified body under the Cyber Resilience Act (CRA)?

Read more about notified bodies under the CRA

European cybersecurity certificate

Product compliance can also be demonstrated through EU cybersecurity certification.

Go to the page on cybersecurity certification