An overview of EU's Cyber Resilience Act  

What is the CRA (Cyber Resilience Act)?  

The Cyber Resilience Act (CRA) was proposed by the European Commission on September 15, 2022. It primarily targets manufacturers, importers, and distributors of products with digital elements that are intended to be placed on the EU market. This includes both hardware and software products, as well as remote data processing solutions that form part of these products.

Under the CRA, products with digital elements may only be made available within the EU if they comply with the essential cybersecurity requirements outlined in CRA-Annex I of the regulation.
 

What are the cybersecurity essential requirements about? 

In CRA-Annex I, there’s two types of essential cybersecurity requirements:

• Product cybersecurity properties: This section sets out the core cybersecurity requirements for products to protect its defined assets. It ensures that products are securely designed, protect against unauthorized access, secure storage, come with safe default settings, and include mechanisms like update support and security event logging

• Vulnerability handling requirements: Manufacturers must manage cybersecurity throughout the product’s lifecycle. This includes fixing vulnerabilities, reporting active threats to ENISA within 24 hours, maintaining a clear vulnerability disclosure policy, and informing users about how long security updates will be provided.

Scope: What type of products are in the scope of the CRA? 

The EU Cyber Resilience Act applies to a broad range of digital products sold or available in the EU. This includes consumer electronics like smartphones and laptops, Internet of Things (IoT) devices such as smartwatches and connected home appliances, network equipment like routers and modems, and various software products including operating systems and applications.   

And yes, with some exceptions: Notably, products already covered by existing, industry-specific regulations, like medical devices, in vitro, aviation products, and motor vehicles, are generally exempt. Free and open-source software is also exempt unless it's monetized or used in a commercial product. Additionally, certain cloud services, particularly cloud/Software-as-Service - except “remote data processing solutions”.  

Depending on the product class category, different conformity assessments are applicable according to CRA legal text. The classification for Important Products (Class I and Class II) and Critical Products can be found in CRA-ANNEX III and IV, and more definitions in the drafted Annexes from Technical description of important and critical products with digital elements.   

CRA key dates

• Entry into force: 10th December 2024.
• Transition period: There is a 36-month transition period before most obligations become fully applicable.
• Full application: 11th December 2027. This is when manufacturers and other economic operators must fully comply with the CRA requirements.
• Reporting obligations for incidents and vulnerabilities:11th September 2026. Some reporting obligations (e.g. for vulnerabilities) apply earlier, after 21 months.

I am a manufacturer, what steps shall I follow?

If you are a manufacturer, make sure you are aware of the main process and all the steps to be followed:

Contact Applus+ if you need help in understanding the requirements and how to proceed. We are walking all through this new regulation.

CRA relation with EUCC and other schemes

The CRA Act is intended to work in conjunction with existing cybersecurity certification frameworks, including the EU Common Criteria based scheme (EUCC) coming from the CSA (Cybersecurity Act). The EUCC offers a voluntary certification scheme and can be used as a tool to show compliance with CRA. Mappings between CRA and EUCC are present with Applus+ contributions, please check Applus+ publication: How to comply through the EUCC certification.

These mapping approaches ensure a more cohesive and comprehensive cybersecurity landscape across the EU, blending voluntary and mandatory measures to enhance overall digital security.  
 

Standarization request and joint response

On 3 April 2025, CEN, CENELEC, and ETSI officially accepted the standardisation request (Mandate M/606) from the European Commission to develop harmonised standards supporting CRA compliance with EU-funded initiatives STAN4CR and STAN4CR2, supported by EISMEA/EFTA to coordinate CEN/CENELEC and ETSI efforts.

Started around April 2025, these projects provide structure and resources to speed up standard development and stakeholder engagement. Horizontal and vertical standards are under development, with key milestones in August and October 2026 - and full implementation expected by late 2027. ETSI is already leading vertical standardisation work and gap analysis reporting.

Applus+ Laboratories, providing support to help you navigate the CRA  

If you manufacture products in any of the above categories, start your compliance journey early to stay ahead and avoid last-minute rushes. Ensure you're on track with our Cyber resilience services today.
If you have any doubts or questions our Applus+ Laboratories experts will be more than happy to walk you through this new regulation and help you con the compliance path. Check out our complete cybersecurity services.