Mandatory cybersecurity for products with digital elements. Scope, product classes, SBOM, reporting duties, and the timeline.
What is the CRA?
The Cyber Resilience Act, Regulation (EU) 2024/2847, is the EU's product-cybersecurity law. For the first time it puts mandatory, CE-marked cybersecurity requirements on "products with digital elements", which means almost any hardware or software placed on the EU market that can connect to a device or network.
Think of it as the cyber equivalent of product-safety law: before you can sell a connected product in the EU, you must show it is secure by design and that you will keep it secure for its expected lifetime.
Who and what is in scope
- Manufacturers of products with digital elements, plus importers and distributors that place them on the EU market
- Both hardware (connected devices, components) and standalone software
Important boundary: pure software-as-a-service is largely out of scope unless it is part of a product with digital elements. Products already covered by sectoral regimes (for example certain medical devices, cars, or aviation) are carved out to avoid double regulation.
Product classes (this sets the assessment route)
The CRA sorts products by risk, and the class decides how you can prove conformity:
- Default products: the large majority. Self-assessment of conformity is allowed
- Important products (class I and class II): e.g. password managers, network management, identity systems. Stricter routes, often involving harmonised standards or a third party
- Critical products: the highest-risk category, where a stronger conformity route can be required
The core obligations
- Secure by design (Annex I, Part I): meet the essential cybersecurity requirements across design, development, and production
- Vulnerability handling (Annex I, Part II): identify and fix vulnerabilities throughout the support period, run coordinated vulnerability disclosure
- SBOM: produce and maintain a machine-readable software bill of materials covering top-level dependencies
- Security updates: provide security updates for the declared support period, which should reflect the product's expected lifetime
- Conformity and CE marking (Articles 13, 32): carry out conformity assessment and affix the CE marking before placing the product on the market
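To make the SBOM obligation concrete, here is an added example (not from the regulation or any official tool) that builds a minimal CycloneDX 1.5 JSON SBOM for a product's top-level dependencies and runs a basic completeness check over it; the product, supplier and dependency values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: top-level dependencies of a hypothetical product.
# Names and versions are illustrative, not a real product inventory.
TOP_LEVEL_DEPS = [
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
]


def build_sbom(product, version, supplier, deps, timestamp=None):
    """Return a CycloneDX 1.5 SBOM as a dict (serialise with json.dumps).

    Only top-level dependencies are listed, which is the minimum the CRA
    text asks for; transitive dependencies can be added as more components.
    """
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": ts,
            "component": {"type": "application", "name": product,
                          "version": version, "supplier": {"name": supplier}},
        },
        "components": [
            {"type": "library", "name": d["name"], "version": d["version"], "purl": d["purl"]}
            for d in deps
        ],
    }


def check_sbom(sbom):
    """Return a list of problems; an empty list means the checks pass."""
    problems = []
    if sbom.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    meta = sbom.get("metadata", {}).get("component", {})
    for key in ("name", "version"):
        if not meta.get(key):
            problems.append(f"metadata.component.{key} missing")
    components = sbom.get("components") or []
    if not components:
        problems.append("no components listed")
    seen = set()
    for i, comp in enumerate(components):
        for key in ("name", "version", "purl"):
            if not comp.get(key):
                problems.append(f"components[{i}] missing {key}")
        if comp.get("purl") in seen:  # duplicate entries make the inventory ambiguous
            problems.append(f"components[{i}] duplicates purl {comp['purl']}")
        seen.add(comp.get("purl"))
    return problems
```

Running `json.dumps(build_sbom(...), indent=2)` gives the machine-readable document to ship alongside the technical documentation; `check_sbom` is a first gate, not a substitute for validating against the CycloneDX schema.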
Reporting: the 24h / 72h cascade
Under Article 14, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and the relevant CSIRT on an escalating timeline: an early warning within 24 hours, a fuller notification within 72 hours, and a final report (14 days for a vulnerability once a fix is available, or one month for a severe incident). This mirrors the reporting logic you already see in NIS2 and DORA.
The timeline
- 10 December 2024: entered into force
- 11 June 2026: rules on notification of conformity-assessment bodies apply
- 11 September 2026: the vulnerability and incident reporting obligations start
- 11 December 2027: all remaining requirements apply, including the essential requirements before placing a product on the market
What to do next
- Inventory your products with digital elements and decide which are in scope
- Classify each (default, important, critical) to find your conformity route
- Stand up secure-by-design practices, an SBOM, and a support-period update process
- Build the 24h/72h reporting workflow ahead of 11 September 2026
- Use the classifier tool for a first read, then confirm with qualified counsel
This lesson is educational, not legal advice. Confirm with qualified counsel before relying on any classification for compliance purposes.