# CRA Reference - Verified Facts + Sources

Regulation (EU) 2024/2847 - the Cyber Resilience Act (CRA).
Last verified: June 2026. All steers are guidance, not legal advice.

---

## 1. Phased dates (Article 71) - CONFIRMED

| Date | What happens | Status |
|------|--------------|--------|
| **10 December 2024** | CRA enters into force. Transition periods start. No product obligations yet. | Confirmed |
| **11 June 2026** | Provisions on notified bodies (conformity assessment bodies) apply. Member states designate them. | Confirmed |
| **11 September 2026** | **Reporting obligations (Article 14) apply.** ENISA Single Reporting Platform (SRP) goes live. Manufacturers must report actively exploited vulnerabilities and severe incidents. | Confirmed |
| **11 December 2027** | **Full application.** All essential requirements (Annex I), conformity assessment, CE marking, EU Declaration of Conformity, SBOM, technical documentation, support-period obligations apply. Products placed on the market from this date must be fully compliant. | Confirmed |

Note (Article 69): products already placed on the market before 11 December 2027 fall under the CRA only if they undergo a substantial modification after that date, except that the Article 14 reporting obligations apply to them from 11 September 2026 regardless.

Sources: [EUR-Lex Reg. (EU) 2024/2847](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402847) · [EC CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary)

---

## 2. Scope - "products with digital elements" (PDE)

A PDE is any **software or hardware product and its remote data-processing solutions**, including software or hardware components placed on the market separately, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network (Art. 3(1)). Remote data processing counts as part of the product only where the product's functions depend on it and it is designed by or on behalf of the manufacturer.

**In scope (examples):** apps, operating systems, firmware, IoT/smart devices, network equipment, security appliances, industrial controllers with software, connected consumer electronics, browsers, password managers, VPNs.

**Out of scope / excluded (covered by sector rules instead):**
- Pure SaaS / hosted cloud services with no client-side software → covered by **NIS2** (Dir. (EU) 2022/2555). A client app or SDK shipped alongside is still a PDE, and remote data processing the product depends on is part of the PDE.
- Medical devices & IVDs → **MDR** (Reg. (EU) 2017/745) / **IVDR** (Reg. (EU) 2017/746).
- Motor vehicles covered by **Reg. (EU) 2019/2144** (type-approval general safety requirements, which apply UN Regulation No 155 on vehicle cybersecurity) - Art. 2(2)(c).
- Civil aviation products certified under **Reg. (EU) 2018/1139** (EASA).
- Marine equipment → **Dir. 2014/90/EU**.
- Spare parts made available to replace identical components and built to the same specifications (Art. 2(6)).
- Products developed or modified exclusively for national security or defence purposes, or designed to process classified information (Art. 2(7)).
- Products developed/used solely internally and never placed on the market.

Source: [EC CRA policy](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)

---

## 3. Roles

| Role | Core duty | Penalty exposure |
|------|-----------|------------------|
| **Manufacturer** | Full obligations: risk assessment, essential requirements (Annex I), SBOM, vulnerability handling + CVD, security updates, conformity assessment, CE marking, EU DoC, technical documentation, incident reporting. | Yes |
| **Importer** | Before placing on the market, verify the (non-EU) manufacturer did the conformity work (CE marking, EU DoC, technical documentation, contact point, user information). Affix own name and contact details. Keep a copy of the EU DoC and make technical docs available for 10 years or the support period, whichever is longer. On finding a vulnerability or non-conformity, inform the manufacturer without undue delay and, where the product presents a significant cybersecurity risk, the market surveillance authorities; Article 14 reporting itself stays with the manufacturer (Art. 19). | Yes |
| **Distributor** | Verify CE marking + required docs are present before making available. Act on non-compliance. Keep records. No own conformity assessment. | Yes |
| **Open-source software steward** | Article 24 lighter duties: put in place and document, in a verifiable manner, a cybersecurity policy covering secure development and vulnerability handling (including voluntary vulnerability reporting by contributors); cooperate with market surveillance authorities; Article 14 reporting applies only to the extent the steward is involved in developing the product. No conformity assessment, CE marking or EU DoC. **Cannot be fined** (Art. 64(10)(b)). | No (administrative fines) |

Note: substantial modification of a product, or placing it under your own name/trademark, makes you the **manufacturer**.

---

## 4. Product classification

| Tier | Where defined | Conformity route | Examples |
|------|---------------|------------------|----------|
| **Default** (~90% of products) | Residual - not in Annex III or IV | Self-assessment (internal control) | Photo/video editors, games, productivity apps, smart speakers, hard drives, connected white goods |
| **Important - Class I** | Annex III, Class I | Self-assessment **only if** the product fully applies harmonised standards, common specifications, or an EU cybersecurity certification scheme at assurance level 'substantial' or higher; otherwise third-party (notified body) assessment (Art. 32(2)) | Identity and privileged-access management software, standalone and embedded browsers, password managers, anti-malware software, VPN products, network management systems, SIEM, boot managers, PKI and certificate-issuance software, physical network interfaces, operating systems, routers/modems/switches for internet connection, microprocessors/microcontrollers/ASICs/FPGAs with security-related functionality, smart-home virtual assistants and security devices (locks, cameras, baby monitors, alarms), connected toys with social-interaction or location-tracking features, health-monitoring and childcare wearables not covered by MDR |
| **Important - Class II** | Annex III, Class II | Third-party (notified body) assessment **always** required, or an EU certification scheme at 'substantial' or higher (Art. 32(3)) | Hypervisors and container runtimes supporting virtualised execution of operating systems, firewalls, intrusion detection and prevention systems (IDS/IPS), tamper-resistant microprocessors and microcontrollers |
| **Critical** | Annex IV | Strictest route: an **EU cybersecurity certificate** (at least 'substantial') where a Commission delegated act under Art. 8 requires it; otherwise the Class II third-party route | Hardware devices with security boxes (e.g. HSMs), smartcards and similar devices including secure elements, smart meter gateways and other devices for advanced security purposes such as secure cryptoprocessing |

Note: Product class only affects **manufacturers**. The Commission can refine Annex III/IV technical descriptions by delegated/implementing acts - confirm against the current official list. As of mid-2026, **harmonised standards (CEN/CENELEC) are still in development and not yet published**, so the Class I "self-assess via standards" route is not yet usable in practice.

---

## 5. Essential requirements - Annex I

**Part I - Security properties of the product (security by design / by default):**
- No known exploitable vulnerabilities at time of placing on market.
- Secure by default configuration; ability to reset to secure state.
- Protection from unauthorised access (authentication, identity/access management).
- Confidentiality (e.g. encryption of stored/transmitted data).
- Integrity of data, commands, configuration.
- Data minimisation - only process data adequate, relevant and limited to the purpose.
- Availability / resilience to denial-of-service.
- Minimise own negative impact on other devices/networks.
- Limit attack surfaces, including external interfaces.
- Reduce impact of incidents (exploitation mitigation techniques).
- Security-relevant logging/monitoring.
- Provide a secure update mechanism; security updates separable from functionality updates; automatic where appropriate.

**Part II - Vulnerability handling requirements:**
- Identify and document components (→ **SBOM**, machine-readable, covering at least top-level dependencies).
- Address and remediate vulnerabilities without delay, including via security updates.
- Apply effective, regular tests and reviews.
- Publicly disclose information about fixed vulnerabilities once a fix is available.
- Have a **coordinated vulnerability disclosure (CVD)** policy and a contact point for reporting.
- Provide a mechanism to securely distribute updates; disseminate security patches without delay and free of charge, with advisory messages telling users what to do.
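
Annex I does not name a file format; CycloneDX and SPDX are the two commonly used machine-readable ones. As an added illustration (not code from the regulation, the Commission or any CRA tooling), the Python below builds a minimal CycloneDX 1.5 JSON SBOM that lists the product's top-level dependencies and links them to the product in the dependency graph, then checks that every dependency the manufacturer declares is actually covered. The product name, versions and package URLs are constructed for the example; a real build would pull them from the build system.

```python
"""Added example: minimal CycloneDX 1.5 SBOM covering top-level dependencies,
with a completeness check. Product, versions and purls are constructed."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input (hypothetical product and dependencies).
PRODUCT = {"name": "acme-gateway-firmware", "version": "3.2.0"}
TOP_LEVEL_DEPS = [
    # (name, version, package URL; the purl doubles as the bom-ref)
    ("openssl", "3.0.13", "pkg:generic/openssl@3.0.13"),
    ("mbedtls", "3.6.0", "pkg:generic/mbedtls@3.6.0"),
    ("zlib", "1.3.1", "pkg:generic/zlib@1.3.1"),
]


def build_sbom(product, deps, serial=None, timestamp=None):
    """Return a CycloneDX 1.5 document as a dict: the product as
    metadata.component, each top-level dependency as a component, and one
    dependency-graph entry linking the product to all of them."""
    root_ref = f"{product['name']}@{product['version']}"
    components = [
        {"type": "library", "bom-ref": purl, "name": name,
         "version": version, "purl": purl}
        for name, version, purl in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": timestamp
            or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "firmware", "bom-ref": root_ref,
                          "name": product["name"],
                          "version": product["version"]},
        },
        "components": components,
        "dependencies": [
            {"ref": root_ref, "dependsOn": [purl for _, _, purl in deps]},
        ],
    }


def missing_top_level(sbom, declared_purls):
    """Return the declared top-level purls the SBOM fails to cover.

    A purl counts as covered only if it is both listed under components and
    present as a direct dependsOn of metadata.component. One without the
    other is reported, because consumers key on the dependency graph."""
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    component_refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    direct = set()
    for entry in sbom.get("dependencies", []):
        if entry.get("ref") == root_ref:
            direct.update(entry.get("dependsOn", []))
    return [p for p in declared_purls
            if p not in component_refs or p not in direct]


def to_json(sbom):
    """Serialise deterministically so the SBOM can be diffed and signed."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    doc = build_sbom(PRODUCT, TOP_LEVEL_DEPS)
    print(to_json(doc))
    declared = [purl for _, _, purl in TOP_LEVEL_DEPS]
    print("missing:", missing_top_level(doc, declared))
```

The check is the part worth keeping in CI: run it against the list of direct dependencies your build resolves, and fail the release if anything is reported, so the SBOM shipped in the technical documentation actually covers "at the very least the top-level dependencies".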

Source: [EUR-Lex Annex I](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402847)

---

## 6. Reporting obligations - Article 14 (from 11 Sep 2026)

Manufacturers must report via the **ENISA Single Reporting Platform (SRP)**; one submission reaches the relevant national CSIRT and ENISA.

**Two reportable events:**
1. An **actively exploited vulnerability** in the product.
2. A **severe incident** having impact on the security of the product.

**Reporting clock (both events):**

| Step | Deadline |
|------|----------|
| Early warning | without undue delay and in any event within **24 hours** of becoming aware |
| Notification (vulnerability notification / incident notification) | within **72 hours** of becoming aware; gives general information on the product and the vulnerability or incident and any corrective or mitigating measures taken |
| Final report | actively exploited vulnerability: no later than **14 days** after a corrective or mitigating measure is available · severe incident: within **1 month** after the incident notification |

Affected users must also be informed without undue delay and, where necessary, told what corrective measures to take (Art. 14(8)). Micro and small enterprises cannot be fined for missing the 24-hour early-warning deadline (Art. 64(10)(a)); the 72-hour notification and the final report still apply to them. Confirm specifics against the current text.

Sources: [EC CRA reporting](https://digital-strategy.ec.europa.eu/en/policies/cra-reporting) · [ENISA SRP](https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp)

---

## 7. Support / security-update period - Article 13

Manufacturers must determine and provide a **support period** during which vulnerabilities are handled and security updates are provided (Art. 13(8)). It is set from the expected use time of the product and must be **at least 5 years** from placing on the market, unless the product is expected to be in use for less than 5 years, in which case it matches that expected use time. Security updates must be **free of charge** (Annex I Part II) and, where technically feasible, delivered separately from functionality updates; each security update issued during the support period must remain available for at least **10 years** after it is issued or for the remainder of the support period, whichever is longer (Art. 13(9)). The end date of the support period, including at least the month and year, must be stated clearly and accessibly at the time of purchase and, where applicable, on the product, its packaging or by digital means (Art. 13).

Source: [EC CRA summary](https://digital-strategy.ec.europa.eu/en/policies/cra-summary)

---

## 8. Conformity, CE marking, technical documentation

- **Conformity assessment** route depends on product class (see §4).
- On success: affix the **CE marking** and draw up the **EU Declaration of Conformity (EU DoC)**.
- **Technical documentation** (Annex VII): product description, design/architecture, cybersecurity risk assessment, SBOM, conformity results, test reports, vulnerability-handling procedures. Keep, with the EU DoC, for **10 years** after placing on the market or for the support period, whichever is longer (Art. 13).
- A product fully applying a **published harmonised standard** benefits from a **presumption of conformity** for the requirements it covers (standards still pending as of mid-2026).

---

## 9. Penalties - Article 64

| Breach category | Maximum |
|-----------------|---------|
| Non-compliance with the essential requirements (Annex I) or with the manufacturer obligations in Articles 13 and 14 | up to **€15 million or 2.5% of total worldwide annual turnover** for the preceding financial year, whichever is higher |
| Non-compliance with any other obligation under the Regulation | up to **€10 million or 2% of worldwide turnover**, whichever is higher |
| Incorrect, incomplete or misleading information to notified bodies or market surveillance authorities | up to **€5 million or 1% of worldwide turnover**, whichever is higher |

Open-source software stewards are excluded from these fines for any infringement (Art. 64(10)(b)); micro and small enterprises are excluded only for missing the 24-hour early-warning deadline of Article 14 (Art. 64(10)(a)).

Source: [EUR-Lex Art. 64](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402847)

---

## 10. Canonical sources

- Regulation (EU) 2024/2847 full text - https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402847
- European Commission - CRA policy - https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- European Commission - CRA summary - https://digital-strategy.ec.europa.eu/en/policies/cra-summary
- European Commission - CRA reporting - https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
- ENISA - Single Reporting Platform (SRP) - https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp
