Updated: July 2025
The Cyber Resilience Act (CRA) is an EU cybersecurity regulation that mandates manufacturers of products with digital elements to meet specific requirements before they can be sold or provided within EU member countries.
The Cyber Resilience Act (CRA) was proposed by the European Commission on September 15, 2022. It primarily targets manufacturers, importers, and distributors of products with digital elements that are intended to be placed on the EU market. This includes both hardware and software products, as well as remote data processing solutions that form part of these products.
Under the CRA, products with digital elements may only be made available within the EU if they comply with the essential cybersecurity requirements outlined in CRA-Annex I of the regulation.
In CRA-Annex I, there are two types of essential cybersecurity requirements:
The EU Cyber Resilience Act applies to a broad range of digital products sold or available in the EU. This includes consumer electronics like smartphones and laptops, Internet of Things (IoT) devices such as smartwatches and connected home appliances, network equipment like routers and modems, and various software products including operating systems and applications.
There are some exceptions. Notably, products already covered by existing, industry-specific regulations, like medical devices, in vitro diagnostic devices, aviation products, and motor vehicles, are generally exempt. Free and open-source software is also exempt unless it's monetized or used in a commercial product. Additionally, certain cloud services, particularly cloud/Software-as-a-Service offerings, are exempt, except for “remote data processing solutions”.
Depending on the product class category, different conformity assessments apply according to the CRA legal text. The classification for Important Products (Class I and Class II) and Critical Products can be found in CRA-Annex III and IV, with further definitions in the draft annexes of the "Technical description of important and critical products with digital elements".
If you are a manufacturer, make sure you are aware of the main process and all the steps to be followed:
Contact Applus+ if you need help understanding the requirements and how to proceed. We can walk you through this new regulation.
The CRA is intended to work in conjunction with existing cybersecurity certification frameworks, including the EU Common Criteria-based scheme (EUCC) established under the Cybersecurity Act (CSA). The EUCC offers a voluntary certification scheme and can be used as a tool to show compliance with the CRA. Mappings between the CRA and the EUCC exist, with contributions from Applus+; see the Applus+ publication "How to comply through the EUCC certification".
These mapping approaches ensure a more cohesive and comprehensive cybersecurity landscape across the EU, blending voluntary and mandatory measures to enhance overall digital security.
On 3 April 2025, CEN, CENELEC, and ETSI officially accepted the standardisation request (Mandate M/606) from the European Commission to develop harmonised standards supporting CRA compliance. The work is backed by the EU-funded initiatives STAN4CR and STAN4CR2, supported by EISMEA/EFTA to coordinate CEN/CENELEC and ETSI efforts.
Started around April 2025, these projects provide structure and resources to speed up standard development and stakeholder engagement. Horizontal and vertical standards are under development, with key milestones in August and October 2026 - and full implementation expected by late 2027. ETSI is already leading vertical standardisation work and gap analysis reporting.
If you manufacture products in any of the above categories, start your compliance journey early to stay ahead and avoid last-minute rushes. Ensure you're on track with our Cyber resilience services today.
If you have any doubts or questions, our Applus+ Laboratories experts will be more than happy to walk you through this new regulation and help you on the compliance path. Check out our complete cybersecurity services.