The Cyber Resilience Act (CRA) is a European Union regulation aimed at ensuring some level of cybersecurity for products with digital elements placed on the EU market depending on its criticality. Its primary objective is to enhance the overall cybersecurity posture by embedding security throughout the entire lifecycle of the product with digital elements, from design and development to post-market support.
For manufacturers, the CRA represents a significant shift in regulatory expectations, placing clear responsibilities on them to deliver secure products by default and to manage vulnerabilities effectively over time. Understanding and complying with the CRA is essential not only for legal market access but also for maintaining customer trust, avoiding penalties, and staying competitive in an increasingly security-conscious market.
Placing on the market is defined as 'making a product available on the Union market for the first time with a view to its distribution or use within the Union, whether for reward or free of charge and irrespective of the selling technique'.
According to the Blue Guide, it is important to note that a new batch of an existing product will need to be compliant with the new requirements even if the version is the same as before the deadline.
The Cyber Resilience Act applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. The regulation establishes a set of essential cybersecurity requirements aimed at ensuring that products are designed, developed, and maintained with an appropriate level of cybersecurity throughout their entire lifecycle.
For manufacturers, these essential requirements cover areas such as cybersecurity risk management, secure-by-default configurations, access control, secure data storage, and the establishment of vulnerability handling and incident reporting processes, as set out in Article 14. In addition, products must be accompanied by the relevant Technical Documentation demonstrating compliance with the applicable requirements. This documentation serves as evidence that the product has been designed, developed, and maintained in accordance with the regulatory obligations.

The exact scope and application of these requirements depend on the role of the economic operator, the characteristics of the product, and its classification under the CRA. For an overview of some of the legal responsibilities that manufacturers must fulfil before and after placing products on the market, see our dedicated articles on CRA manufacturer obligations and CRA reporting obligations.
It is important to note that the reporting obligations apply to all products. According to Article 69 (3), obligations extend to all products with digital elements, even those sold before 11 Dec 2027. So, from 11 Sept 2026, any product still on the market, including those placed before 2026, must have processes to detect and report vulnerabilities.
Beyond this high-level timeline, the implementation of the EU Cyber Resilience Act includes a wide range of additional milestones. These include, among others, the designation and accreditation of Notified Bodies, the development and harmonisation of European standards, and the publication of further implementation guidance. These elements are essential to fully understand how and when formal conformity assessments will become available. For a more detailed overview of key milestones and deadlines, please refer to the dedicated guidance on CRA timeline.
The CRA applies to “products with digital elements” (PDEs), which include both hardware and software, as well as associated remote data processing solutions. To be covered, the product’s use must foreseeably involve either a logical or a physical connection to a network or another device.
The categorization of a product under the CRA is the first step, as it determines which conformity assessment procedures will apply. The Regulation foresees different levels of assessment depending on whether a product is classified under the general default category of PDEs or falls within a higher-risk class (Important and Critical).
Those products include most consumer devices with digital elements as well as general software. The main conformity route for this category is self-assessment (Module A) although manufacturers can voluntariry go for a third-party assessment to reduce non-compliance risks.
This category includes a wide range of solutions that traditionally implement specific security functions, such as networking security and authentication. Examples include password managers, antivirus software, routers, VPNs, web browsers, operating systems, and secure chips. It also covers certain consumer products that process sensitive information or critical functions, such as smart home devices, smart toys, and health or personal wearables. Specific standards are being developed for each product category. Once these standards are harmonised and cited in the EUOJ, self‑assessment may become an applicable conformity route for Important Class I. Until then, third‑party assessment remains the only available compliance option.
This category mainly covers four types of products: hypervisors and containers, firewalls (including IDS/IPS), and tamper‑resistant microprocessors and microcontrollers.
The main difference compared to Class I is that products in this category will require third‑party conformity assessment.
This category covers three types of products: hardware devices with security boxes, smart cards or similar devices, and smart meter gateways. As many of these products are linked to high‑security applications such as banking or electronic identification (eID), they are typically within the scope of EUCC / Common Criteria certifications. Critical products will also require third‑party conformity assessment, with EUCC representing the most common and appropriate compliance route for most manufacturers.
For more detailed information, you can check in which category your product falls in Annex III and IV of the CRA text. Guidance is expected from the European Commission and implementing acts to help manufacturers and providers determine the correct categorization. In the meantime, the Commission has drafted the technical description of the categories of important and critical products in the Technical description of important and critical products with digital elements.
Excluded from CRA are product categories already regulated by specific EU frameworks:
Be careful because pertaining to a sector does not mean you are excluded. The idea behind the CRA is that products covered by other regulations.
Under the Cyber Resilience Act, compliance will be supported by a combination of horizontal standards, as a standardization framework, and product‑specific (vertical) standards for Important and Critical products. These standards are expected to play a key role in demonstrating conformity with the CRA essential requirements. Understanding the status of CRA standardization is therefore particularly important for manufacturers of Important and Critical products, especially where the applicable product‑specific standards are still under development. During this phase, manufacturers remain fully responsible for meeting the CRA essential requirements, which may affect conformity strategies, technical documentation, and assessment routes throughout the transition period.
For an up‑to‑date overview of ongoing standardization activities, consult our CRA standards mapping, and for context on key deadlines and implementation milestones, refer to the CRA timelines and implementation status section.
Yes. Some of the defined cases of non-compliance are:
The best practices for CRA engagement.
For more detail, check our Cyber Resilience Act compliance hub
We help our customers get ahead of compliance deadlines by offering:
Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). You can accept all cookies by pressing the "Accept" button or configure or reject their use. Consult our Cookies Policy for more information.
They allow the operation of the website, loading media content and its security. See the cookies we store in our Cookies Policy.
They allow us to know how you interact with the website, the number of visits in the different sections and to create statistics to improve our business practices. See the cookies we store in our Cookies Policy.
Based on your behavior on the website (where you click, how long you browse, etc.) we establish parameters and a profile for you to display ads that correspond to your interests. See the cookies we store in our Cookies Policy.