EU Cyber Resilience Act (CRA) Compliance for Product Companies
If you sell software, hardware, or connected devices in the EU, the Cyber Resilience Act applies to you. Fines up to €15M. ComplyOne maps your CRA obligations and tracks your readiness — whether you build apps, IoT devices, or enterprise software.
What the CRA Requires from Product Companies
The CRA introduces mandatory cybersecurity requirements across the entire product lifecycle — from design to end-of-life support.
Security by design
Products must be designed and developed with cybersecurity built in — not bolted on. This includes secure defaults, minimal attack surface, and protection of data in transit and at rest.
Vulnerability management
You must have a documented process for handling vulnerabilities — including a coordinated disclosure policy and a commitment to provide security updates for the product's support lifetime.
Incident reporting
Actively exploited vulnerabilities and severe incidents must be reported to ENISA within 24 hours (early warning) and 72 hours (full notification) — same tight timelines as NIS2.
Software Bill of Materials (SBOM)
You must maintain a machine-readable inventory of all software components — including open-source dependencies — so vulnerabilities in third-party libraries can be quickly identified and addressed.
Conformity assessment
'Important' and 'critical' products (Class I and Class II) require formal third-party conformity assessments before market placement. Default/standard products can self-assess.
CE marking
Compliant products will carry a new cybersecurity CE mark. Products without valid CRA certification cannot be sold in the EU after December 2027.
Which Products Are In Scope
Default products
Consumer apps, standard software, connected accessories
Required: Self-assessment
Class I (Important)
Identity management, browsers, password managers, VPNs, SIEM, network devices, industrial automation
Required: Third-party assessment or harmonised standard
Class II (Critical)
OS, hypervisors, industrial control systems, safety-critical systems, smart meters
Required: Mandatory third-party certification
Not sure which class your product falls into? Run a free compliance check.
Key Dates
December 2024
CRA entered into force
September 2026
Vulnerability & incident reporting obligations apply
June 2027
Notified body obligations apply
December 2027
Full CRA requirements apply — all products must comply
Penalties
€15M or 2.5% of global turnover: violation of essential cybersecurity requirements.
€10M or 2% of global turnover: other violations, including reporting failures and incorrect declarations.
How to Approach CRA Compliance: First Steps
Product companies have until December 2027 for full compliance — but vulnerability reporting obligations begin in September 2026. Start now.
Classify your product
Determine whether your product is a default product (self-assessment), Class I Important (third-party or harmonised standard route), or Class II Critical (mandatory certification). The classification drives your conformity assessment route and documentation obligations — getting this wrong means starting the process over.
Conduct a security risk assessment
Identify all potential attack surfaces, vulnerabilities, and realistic misuse scenarios for your product. This risk assessment is the foundation of your CRA technical file — it must be documented and updated whenever significant design changes are made.
Implement security-by-design requirements
Ensure your product ships with secure defaults, minimal attack surface, and protection of data in transit and at rest. Disable insecure features and protocols by default. Each security control must be documented and mapped to the relevant CRA essential requirements in Annex I of the regulation.
Set up vulnerability management
Establish a formal process for receiving, assessing, and addressing vulnerability reports — including a published coordinated vulnerability disclosure policy. Commit to providing security updates for the product's supported lifetime and document that support period clearly in product materials.
Build your SBOM and technical documentation
Create a Software Bill of Materials (SBOM) listing all third-party and open-source components with version numbers. Assemble your technical file: security design documentation, risk assessment, test results, and the EU declaration of conformity. All documentation must be retained for 10 years after market placement.
Is your product CRA-ready?
Free check in 5 minutes. Covers CRA, NIS2, GDPR, and every other regulation that applies to your product and organisation.
CRA FAQ
What is the EU Cyber Resilience Act?
The Cyber Resilience Act (CRA) is an EU regulation that sets mandatory cybersecurity requirements for products with digital elements — including hardware and software sold in the EU. It covers everything from smart devices and industrial equipment to consumer apps and enterprise software. It entered into force in December 2024, with most obligations applying from December 2027.
Does the CRA apply to my product?
If your product has digital components — software, connectivity, or data processing — and is sold or used in the EU, the CRA likely applies. This includes SaaS products, mobile apps, IoT devices, industrial control systems, network equipment, and more. A key distinction is whether your product is 'important' or 'critical' — these face stricter conformity assessment requirements.
When does the CRA take effect?
The CRA entered into force on December 10, 2024. The full requirements apply from December 11, 2027, with vulnerability and incident reporting requirements applying earlier — from September 11, 2026.
What are the penalties for CRA non-compliance?
Fines up to €15 million or 2.5% of global annual turnover for the most serious violations (non-compliant essential requirements). Up to €10 million or 2% for other violations. Non-EU companies selling into the EU are equally subject to these fines.
How does the CRA overlap with NIS2?
They're complementary. NIS2 targets organisations and their cybersecurity practices. The CRA targets products — the security built into the things you sell. If you manufacture software or hardware sold in the EU, the CRA applies to your products. If you operate critical infrastructure, NIS2 applies to your organisation. Many companies face both.
We're a SaaS company. Does the CRA apply to us?
Potentially yes. The CRA covers software with 'remote data processing' — which includes many SaaS products. However, pure B2B SaaS sold under service contracts (not as a product) may be treated differently. ComplyOne's free compliance check will assess whether your specific product model triggers CRA obligations.
What is a Software Bill of Materials (SBOM) and why does the CRA require it?
An SBOM is a machine-readable inventory of all software components in your product — including open-source libraries, dependencies, and third-party modules with version numbers. The CRA requires SBOMs because vulnerabilities in common open-source components (such as the Log4j incident) affect thousands of products simultaneously. With an SBOM, you can immediately identify whether your product is affected when a new vulnerability is disclosed and respond before exploitation occurs at scale.
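The SBOM requirement above (and the earlier "Software Bill of Materials" section) rests on one concrete mechanism: a machine-readable component list that can be matched against newly disclosed vulnerabilities. The script below is an added illustration, not ComplyOne's code and not anything the regulation prescribes. It assumes a CycloneDX-style JSON SBOM (the `bomFormat`, `specVersion` and `components[].name/version` fields are real CycloneDX fields, but the document itself is constructed here), and matches it against a constructed advisory list using placeholder advisory IDs and OSV-style half-open version ranges.

```python
"""Added example: match a CycloneDX-style SBOM against vulnerability advisories.

Both the SBOM and the advisory list are constructed sample data for this
page; the component names, versions and advisory IDs are placeholders,
not real products or CVEs.
"""
import json

# Constructed CycloneDX-style SBOM. A real CycloneDX document carries more
# fields (purl, hashes, licenses); only name and version matter for matching.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-logging-lib", "version": "2.14.1"},
    {"type": "library", "name": "example-json-parser", "version": "3.2.0"},
    {"type": "library", "name": "example-tls-stack",   "version": "1.1.1"}
  ]
}
"""

# Constructed advisories with placeholder IDs. Each affected range is
# [introduced, fixed), the half-open convention used by OSV-style feeds.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "component": "example-logging-lib",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-002", "component": "example-json-parser",
     "introduced": "1.0.0", "fixed": "3.1.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.

    Comparing the raw strings would rank '2.9.0' above '2.14.1'. Pre-release
    suffixes (e.g. '2.15.0-rc1') are not handled by this simple parser.
    """
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Extract name/version pairs from a CycloneDX-style SBOM document."""
    bom = json.loads(sbom_json)
    return [{"name": c["name"], "version": c["version"]}
            for c in bom.get("components", [])]


def match_advisories(components: list, advisories: list) -> list:
    """Return one finding per (component, advisory) pair whose shipped version is in range."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def check_sbom(sbom_json: str = SBOM_JSON, advisories: list = ADVISORIES) -> list:
    """Full pipeline: parse the SBOM, then match every component against every advisory."""
    return match_advisories(load_components(sbom_json), advisories)


if __name__ == "__main__":
    for f in check_sbom():
        print(f"{f['advisory']}: {f['component']} {f['version']} is affected, "
              f"fixed in {f['fixed_in']}")
```

On the sample data only the logging library is flagged: 2.14.1 falls inside [2.0.0, 2.15.0), while the JSON parser at 3.2.0 is already past its fix version and the TLS stack has no advisory. In practice the advisory list would be pulled from a vulnerability feed and the check re-run every time a new disclosure lands, which is exactly the response loop the SBOM obligation is meant to enable.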
Does the CRA apply to open-source software?
Free and open-source software provided without commercial intent is largely exempt from CRA obligations. However, if you commercialise open-source software — by selling it, providing paid support, or integrating it into a commercial product — CRA obligations apply to you as the manufacturer. The regulation includes specific provisions addressing open-source community concerns that were raised extensively during its development.