What Is the EU Cyber Resilience Act (CRA)?
The CRA is the EU's new regulation requiring cybersecurity for all products with digital elements sold in the European market. It applies to IoT devices, embedded systems, software, and AI-enabled products.
The Regulation in Plain English
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a new EU-wide regulation that sets cybersecurity requirements for products with digital elements. It entered into force on December 10, 2024, with a phased compliance timeline through December 2027.
If you manufacture, import, or distribute any product that connects to a network or processes data — IoT sensors, smart home devices, industrial controllers, embedded systems, or software — the CRA applies to you.
Who Does the CRA Apply To?
The CRA applies to three types of economic operators:
- Manufacturers — anyone who designs, develops, or produces products with digital elements for the EU market
- Importers — anyone who brings products with digital elements from outside the EU into the EU market
- Distributors — anyone who makes products available on the EU market without affecting the product itself
The heaviest obligations fall on manufacturers. If you build the product, you carry the primary responsibility for its cybersecurity throughout its entire lifecycle.
What Products Are Covered?
The CRA covers any product with digital elements — meaning any software or hardware product that includes a data processing component. This includes:
- IoT devices (sensors, gateways, smart home products, wearables)
- Industrial IoT and OT equipment (PLCs, SCADA components, industrial sensors)
- Embedded systems (firmware, real-time operating systems)
- Consumer electronics with network connectivity
- Software products sold or distributed in the EU
- AI-enabled products (robots, autonomous systems, edge AI devices)
Important Exception
Pure SaaS products that are not delivered alongside hardware are generally not covered by the CRA. However, if your software is part of a product with digital elements (e.g., firmware, companion apps), it falls under CRA scope.
CRA Product Categories
The CRA classifies products into four risk categories, each with increasing requirements:
- Default — Most products. Self-assessment allowed. Standard cybersecurity requirements apply.
- Important Class I — Products with higher risk (e.g., network management systems, VPN products, smart home products with security functions). Third-party assessment or harmonised standards required.
- Important Class II — Products with significant risk (e.g., operating systems, firewalls, tamper-resistant microcontrollers). Mandatory third-party conformity assessment.
- Critical — Products essential to EU security (e.g., smart meters, hardware security modules). Strictest requirements and EU certification.
Key Requirements for Manufacturers
The CRA imposes several obligations on manufacturers:
- Security by design — build cybersecurity into the product from the start, not as an afterthought
- Vulnerability handling — maintain a process to identify, document, and address vulnerabilities throughout the product lifecycle
- SBOM (Software Bill of Materials) — maintain and make available a machine-readable SBOM for every product
- Security updates — provide free security patches for at least 5 years (or the expected product lifetime, whichever is longer)
- Incident reporting — report actively exploited vulnerabilities to ENISA within 24 hours
- Technical documentation — maintain documentation proving compliance with CRA requirements (Annex VII)
- CE marking — affix the CE mark only when all cybersecurity requirements are met
- Coordinated vulnerability disclosure — establish a CVD policy and make it publicly available
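The SBOM and vulnerability-handling obligations above only work together if the SBOM is machine-readable enough to be matched against an advisory feed automatically. The following is an added illustration (not code from this page, from Lexoreg, or from the CRA text) of that matching step: it parses a constructed CycloneDX-style SBOM for a hypothetical gateway firmware, compares each component's package URL and version against a constructed advisory list, and separates findings that are flagged as actively exploited (which the text says trigger reporting) from those that only need a patch. The advisory identifiers are placeholders, and the rule "affected if the version is below the advisory's fixed version" is a simplifying assumption; real feeds use richer version-range syntax.

```python
"""Match a machine-readable SBOM against an advisory feed.

Added example, not code from the page or from any vendor. The SBOM and
the advisories are constructed sample data; the version-range rule is a
simplified assumption.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical IoT gateway firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "example-gateway-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2", "purl": "pkg:generic/libfoo@1.4.2"},
        {"type": "library", "name": "libbar", "version": "2.0.0", "purl": "pkg:generic/libbar@2.0.0"},
        {"type": "library", "name": "tlslib", "version": "0.9.8", "purl": "pkg:generic/tlslib@0.9.8"},
    ],
})

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "purl_name": "pkg:generic/libfoo", "fixed_in": "1.4.3", "actively_exploited": True},
    {"id": "ADV-PLACEHOLDER-002", "purl_name": "pkg:generic/libbar", "fixed_in": "1.9.0", "actively_exploited": False},
    {"id": "ADV-PLACEHOLDER-003", "purl_name": "pkg:generic/tlslib", "fixed_in": "1.0.0", "actively_exploited": False},
]


def parse_version(version):
    """Turn a dotted numeric version into a tuple so '1.10.0' sorts after '1.9.0'."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """Split 'pkg:type/name@version' into its name and version parts."""
    name, _, version = purl.partition("@")
    return name, version


def load_components(sbom_json):
    """Parse the SBOM document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return bom.get("components", [])


def match_advisories(sbom_json, advisories):
    """Return one finding per (component, advisory) pair where the shipped version predates the fix."""
    findings = []
    for comp in load_components(sbom_json):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched automatically
        name, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                    "actively_exploited": adv["actively_exploited"],
                })
    return findings


def triage(findings):
    """Separate findings flagged as actively exploited (reporting trigger) from the ordinary patch queue."""
    report_now = [f for f in findings if f["actively_exploited"]]
    patch_queue = [f for f in findings if not f["actively_exploited"]]
    return report_now, patch_queue


if __name__ == "__main__":
    found = match_advisories(SBOM_JSON, ADVISORIES)
    urgent, later = triage(found)
    print("report now:", [f["advisory"] for f in urgent])
    print("patch queue:", [f["advisory"] for f in later])
```

In this constructed data libbar is not flagged because its shipped version is already above the fixed version, so only libfoo (exploited, reporting path) and tlslib (patch path) appear. Components without a package URL are skipped rather than silently treated as safe, which is the kind of gap an SBOM review should surface before the document is relied on for vulnerability handling.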
Key Deadlines
Penalties for Non-Compliance
The CRA gives EU market surveillance authorities the power to enforce compliance across all 27 member states. Penalties include:
- Up to EUR 15 million or 2.5% of global annual turnover (whichever is higher) for violations of essential cybersecurity requirements
- Up to EUR 10 million or 2% of global annual turnover for other non-compliance
- Up to EUR 5 million or 1% of global annual turnover for providing incorrect or misleading information
- Product recall from the EU market
- Withdrawal of CE marking
How Lexoreg Helps
Lexoreg automates the ongoing CRA compliance obligations that manufacturers face — from SBOM management and vulnerability monitoring to ENISA Article 14 reporting and CE readiness tracking.
- Upload your SBOM and we monitor CVE databases every 2 hours
- When a vulnerability affects your product, we auto-draft the ENISA report
- Track your compliance against all CRA Annex I, II, and VII requirements
- Maintain a tamper-proof audit trail for regulatory evidence
