CRA Compliance Educational Guide: Product Cybersecurity and Legal Responsibility

CRA Compliance Educational Guide: Product Cybersecurity Is Becoming a Legal Responsibility

CRA readiness guide illustration from SecPoint, showing product cybersecurity, CE evidence, SBOM, PSIRT, secure design, risk-based security, updates and support

Educational CRA readiness guidance: this page is provided for general information, awareness, and product-security planning. It is not legal advice, a CRA certification, a CE marking approval, or a formal conformity assessment. CRA obligations depend on the specific product, role in the supply chain, market placement, applicable standards, and conformity route. Always verify decisions against official EU materials and qualified legal or conformity-assessment advice.

The EU Cyber Resilience Act, usually called the CRA, is one of the most important cybersecurity regulations for vendors, software developers, hardware manufacturers, importers, and distributors selling digital products in the European Union.

Unlike older cybersecurity rules that mainly focused on organizations, critical sectors, or financial institutions, the CRA focuses on the product itself. The basic idea is simple: if a product contains digital elements and is placed on the EU market, it must be designed, developed, delivered, updated, and maintained with cybersecurity in mind.

This is a major shift. Cybersecurity is no longer only an internal IT responsibility for the customer. It is also becoming a product responsibility for the vendor.

The CRA entered into force on 10 December 2024. Its main obligations apply from 11 December 2027, while reporting obligations for actively exploited vulnerabilities and severe security incidents start earlier, on 11 September 2026.

What Is The Cyber Resilience Act?

The CRA is an EU regulation that introduces horizontal cybersecurity requirements for products with digital elements. This includes both hardware and software products made available on the EU market. It can apply to consumer devices, IoT products, routers, modems, network printers, cameras, sensors, controllers, gateways, operating systems, firmware, mobile apps, desktop applications, enterprise software, and software or hardware components placed separately on the market.

It can also include remote data processing solutions when those cloud-based functions are part of the product's operation. Standalone SaaS and general cloud services are normally outside CRA, unless they are tied to a product with digital elements as a necessary remote processing function.

A product is generally in scope when its intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. This makes the CRA sector agnostic. It is not only for banks, hospitals, energy companies, public authorities, or critical infrastructure. It can affect vendors selling digital products into almost any sector.

The CRA was created because many digital products are still sold with weak default settings, poor patching processes, unclear support periods, insecure components, missing vulnerability handling, and limited transparency for customers. The regulation aims to raise the minimum cybersecurity level across the EU market.

Examples Of Products With Digital Elements

The CRA can apply to many different types of products with digital elements. This includes both physical connected products and software products placed on the EU market.

Category Examples CRA Relevance
Consumer digital products Smartphones, tablets, fitness trackers, smart watches, smart speakers, smart locks, smart thermostats Usually in scope when connected to a device or network
IoT and connected hardware Routers, modems, gateways, network printers, IP cameras, sensors, controllers, industrial IoT devices Usually in scope because they communicate with networks or other devices
Software products Operating systems, desktop applications, mobile apps, enterprise software, ERP systems, CRM systems, AI-enabled software products, firmware Usually in scope when placed on the market as software products
Firmware and embedded software Router firmware, camera firmware, appliance firmware, device management software Often in scope as part of a hardware product or as a separately supplied component
Lifecycle updates Patches, updates, upgrades, new features, substantial product changes Relevant because CRA security duties continue during the support period
Indirectly connected products Products connected through USB, Bluetooth, hubs, gateways, management consoles, or other foreseeable connections Can be in scope if connection is part of intended or reasonably foreseeable use
Remote processing linked to a product Cloud backend for smart cameras, device management portals, cloud analytics needed for connected sensors Can be in scope when the remote processing is part of the product functionality
Pure mechanical products Non-connected analogue tools or devices Normally outside CRA
Internal prototypes or trials Products not placed on the EU market Normally outside CRA until commercially supplied
Standalone SaaS or cloud services Browser-only SaaS, general cloud hosting, cloud storage, IaaS, PaaS Generally outside CRA unless they form part of a product's remote processing solution
Open-source software Non-commercial open source, commercial open-source projects, open-source components Needs case-by-case assessment. Non-commercial open source is treated differently, while commercial open-source stewards may have specific obligations

Important And Critical Products Under CRA

The CRA does not treat every product in the same way. Most ordinary products with digital elements can follow a self-assessment route, but products that are more important from a cybersecurity point of view may face stricter conformity assessment requirements. Under CRA, these higher-risk categories are listed as important products in Annex III and critical products in Annex IV.

This matters because many security and infrastructure products are not just ordinary connected products. They may protect identities, networks, privileged access, certificates, endpoint security, remote access, logging, monitoring, routing, or traffic filtering. If such a product has the core functionality of an important or critical category, the manufacturer must assess which conformity route applies before placing it on the EU market.

CRA Category Examples Mentioned In CRA Annex III Practical Meaning
Important products, Class I Identity management and privileged access systems, authentication and access control readers, password managers, malware detection or quarantine tools, VPN products, network management systems, SIEM systems, boot managers, certificate issuance software, operating systems, routers, modems, smart building security products, connected toys with social or location functions, and some personal wearable products These products may require harmonised standards, common specifications, an EU cybersecurity certification scheme, or third-party assessment depending on the route used
Important products, Class II Hypervisors, container runtime systems, firewalls, intrusion detection systems, intrusion prevention systems, tamper-resistant microprocessors, and tamper-resistant microcontrollers These products are more likely to require a notified body or an applicable European cybersecurity certification scheme
Critical products Products listed in CRA Annex IV, such as certain highly security-sensitive hardware or trust components These are subject to the strictest conformity expectations and may require mandatory third-party assessment or certification where applicable

For cybersecurity vendors, this is especially relevant. A vulnerability scanner, firewall, SIEM platform, VPN solution, intrusion detection system, or network security appliance may not only be a useful security tool for customers. It may also be a product with digital elements that needs its own CRA classification, documentation, vulnerability handling process, support period, and conformity assessment.

For buyers, the practical question becomes: is this product simply connected, or is it also a higher-risk security or infrastructure product under CRA? The answer can affect vendor due diligence, procurement requirements, documentation expectations, and long-term support obligations.

Which Product Types Need To Prepare For CRA?

CRA is not only a regulation for specialist cybersecurity tools. It creates a baseline for a wide range of products with digital elements, then applies stricter assessment expectations where the product has a stronger security role, higher system impact, or critical trust function. The practical question is not only whether the product connects to the internet. It is also what the product does, what it protects, what could happen if it fails, and whether other systems depend on it.

Product Group Typical Examples Why The Risk Profile Changes Likely Compliance Impact
Default products with digital elements Smart devices, smart home applications, connected consumer devices, fitness trackers, smart watches, network printers, standard mobile or desktop software, ordinary business applications, and companion apps linked to connected products These products are connected or software-based, but they are not usually the main security control for other systems Secure-by-design controls, vulnerability management, SBOM or component tracking, update capability, documented support period, technical documentation, EU Declaration of Conformity, and CE marking. In many cases the manufacturer can use self-assessment
Important products, Class I Password managers, antivirus or endpoint protection tools, VPN clients, IoT gateways, backup software, network management tools, operating systems, SIEM-type systems, routers, modems, and identity or access-related products The product performs a security-relevant function or could affect multiple systems if compromised Higher documentation expectations, stronger evidence of security testing and vulnerability handling, and careful selection of the conformity assessment route. Harmonised standards, common specifications, or an EU certification scheme may reduce the need for third-party assessment where available and applicable
Important products, Class II Firewalls, intrusion detection and prevention systems, identity and access management systems, hypervisors, container runtime systems, enterprise routers and switches, and OT or industrial control gateways These products often protect infrastructure, enforce access, segment networks, or control environments where one weakness can affect many systems Stricter conformity assessment. A notified body, external assessment, or an applicable European cybersecurity certification scheme is more likely to be required
Critical products Hardware security modules, secure elements, smart cards, trusted platform modules, and cryptographic key management components These products can act as a root of trust or single point of failure for highly sensitive security functions The highest assurance expectations. Where the Commission requires it and an EU scheme exists, a European cybersecurity certificate at least at substantial assurance level may be needed

Classification should be based on the product's core functionality. A product is not automatically treated as a higher class only because it contains a small security feature, and it is not automatically outside a higher class because it also performs ordinary non-security functions. Manufacturers should document the reasoning behind the classification because that decision drives the conformity route, audit effort, and evidence package.

CE Marking, EU Declaration, And Cybersecurity Certificates

The slides mention a Danish term, cybersikkerhedsattest. In English, this refers to a European cybersecurity certificate under an EU cybersecurity certification scheme. It is not the same as a normal marketing claim, a vendor security statement, or a basic compliance letter.

For ordinary products with digital elements, the manufacturer must demonstrate conformity with the CRA requirements, draw up an EU Declaration of Conformity, and affix the CE marking where the applicable conformity assessment has been completed. For important products, the manufacturer may need to apply harmonised standards, common specifications, a European cybersecurity certification scheme, or involve a notified body depending on the product class and the route chosen.

Before CRA And After CRA: What Changes For CE Marking?

Before the CRA, cybersecurity for many digital products was often handled through voluntary best practices, customer requirements, internal risk management, or sector-specific standards. A vendor could follow good security practices, but for many products cybersecurity was not a direct condition for CE marking.

With the CRA, cybersecurity becomes part of the product conformity model. For in-scope products with digital elements, a vendor cannot treat security as an optional feature. Product development, secure defaults, vulnerability management, secure updates, support period, documentation, and supply-chain control become part of the evidence needed to place the product on the EU market.

In practical terms, CRA turns cybersecurity into a CE-marking gate for digital products. Supporting practices such as DevSecOps, secure software development lifecycle, ISO/IEC 27001 and ISO/IEC 27002, OWASP, CIS Controls, SBOM, and supply-chain security can help vendors build and prove the required security posture. They do not replace the CRA, but they help produce the evidence needed for CRA conformity.

CRA Turns Cybersecurity Into A Sales And Procurement Requirement

The practical message is clear: when an in-scope product with digital elements is sold or otherwise made available on the EU market, CRA compliance becomes part of the product's market access requirements. This does not mean every product in the world needs CRA. It means that hardware, software, firmware, connected devices, security appliances, mobile apps, and other products with digital elements that are in CRA scope must be able to meet the CRA requirements when they are placed on the EU market.

Before CRA, cybersecurity was often a hidden quality. A vendor could say that the product was secure, but the buyer often had to trust sales material, questionnaires, best-practice claims, or separate security certifications. After CRA, cybersecurity becomes a documented product property. Buyers, public authorities, enterprise customers, integrators, and distributors can ask for evidence such as the EU Declaration of Conformity, technical documentation, support period, secure update process, vulnerability handling process, SBOM or software component overview, and proof that the correct conformity route has been followed.

This will also affect tenders and enterprise sales. A product that can demonstrate CRA readiness may be easier to approve in procurement, while a product without clear security documentation may be delayed, rejected, or require extra due diligence. For security vendors, IoT vendors, software vendors, and manufacturers of connected products, CRA can therefore become a commercial advantage as well as a legal obligation.

Business Area How CRA Changes The Discussion
Product development Security must be considered during design, development, testing, release, maintenance, and end-of-support planning
Sales and tenders Customers may request CRA evidence before accepting products, especially in enterprise, public sector, critical infrastructure, and NIS2-related environments
Time to market Vendors may need more time for secure design, testing, documentation, vulnerability handling, conformity assessment, and possible external review
Supply chain Component security, third-party dependencies, supplier documentation, and update responsibility become more important
Customer trust Cybersecurity becomes something the vendor can document, not only something the vendor claims

In simple commercial terms: after the CRA applies, selling an in-scope digital product in the EU without the required cybersecurity evidence can become a market access problem, not only a technical problem.

Cost And Time-To-Market Impact: What Vendors Should Expect

CRA preparation can increase development cost, operating cost, compliance work, and time-to-market, especially for vendors that do not already have secure development, vulnerability management, SBOM, patching, and technical documentation processes in place. It is therefore relevant to discuss cost impact, but it should be done carefully.

There is no universal official percentage that says a CRA product will become 5%, 10%, 20%, or 50% more expensive. The impact depends on the product category, the maturity of the vendor, the number of third-party components, the complexity of the product, the expected support period, whether cloud functions are part of the product, and whether a notified body or cybersecurity certification is required.

Product Category Typical Cost Impact Main Cost Drivers
Default products Lower to moderate Cybersecurity risk assessment, secure defaults, vulnerability handling, SBOM or component overview, security updates, technical documentation, EU Declaration of Conformity, and self-assessment
Important products, Class I Moderate More structured secure development, stronger vulnerability management, harmonised standards where available, more testing, and stronger evidence for security-relevant functions
Important products, Class II Higher More demanding conformity assessment, possible notified body involvement, deeper testing, documentation, architecture review, and product security evidence
Critical products Highest Possible mandatory external conformity assessment, possible EU cybersecurity certification where required, cryptographic assurance, secure element or trust-anchor evidence, and stronger audit requirements

Percentage estimates found in presentations or workshops should be treated as indicative planning assumptions, not as official CRA numbers. For a public website, it is safer to explain the cost drivers and business impact than to claim a fixed price increase.

In practice, first-generation CRA readiness can be more expensive than maintaining CRA readiness later. The first phase may require new processes, new documentation, improved CI/CD controls, SBOM tooling, supplier reviews, secure update mechanisms, vulnerability intake channels, PSIRT roles, and external advice. Later, these activities should become part of normal product lifecycle management.

The commercial impact is also important. Cheaper products that cannot document secure design, updates, vulnerability handling, and conformity may become harder to sell into enterprise, public sector, NIS2-regulated, and critical infrastructure environments. Vendors that can prove product security may gain a procurement advantage.

For critical products listed in Annex IV, the CRA allows the European Commission to require a European cybersecurity certificate at an assurance level of at least substantial, where an applicable EU cybersecurity certification scheme exists. In practice, this means the product may need external certification proving that it meets defined security requirements at a recognised assurance level.

Term Meaning Why It Matters
EU Declaration of Conformity A formal manufacturer declaration that the product meets the applicable CRA requirements Needed before making the product available on the EU market
CE marking A visible indication that the product has gone through the required conformity route Shows that the product is intended to comply with the applicable EU product rules
Notified body An independent conformity assessment body designated under the CRA framework May be required for certain important or critical products
European cybersecurity certificate A certificate issued under an EU cybersecurity certification scheme, such as schemes created under the EU Cybersecurity Act framework Can be used to demonstrate security assurance, and may become mandatory for certain critical products
Assurance level The level of evaluation behind a certificate. EU cybersecurity certification uses levels such as basic, substantial, and high Critical CRA products may require at least substantial assurance where certification is mandated

In simple terms: a normal CRA product may be handled through conformity assessment and CE marking. An important product may face stricter conformity assessment. A critical product may, where the Commission requires it and a suitable scheme exists, need a European cybersecurity certificate at least at substantial assurance level.

CRA makes cybersecurity part of product conformity. For in-scope products, cybersecurity is not only a technical best practice or a sales claim. It becomes part of the evidence needed before the product can be placed on the EU market with the required conformity documentation and CE marking.

Essential Cybersecurity Requirements In Practice

CRA Annex I is central because it describes both product security requirements and vulnerability handling requirements. The product must not only be secure at the moment it is sold. The manufacturer must also have processes that keep vulnerabilities under control during the support period.

Requirement Area Practical Meaning For Vendors
Risk-based cybersecurity Design and produce the product with a security level appropriate to the risk
No known exploitable vulnerabilities at market entry Products should not be placed on the market with known exploitable weaknesses
Secure default configuration Products should be delivered with secure settings and allow secure reset where relevant
Security updates Vulnerabilities must be addressable through security updates, preferably automatic where appropriate
Data minimization The product should process only the data that is needed for its intended purpose
Integrity protection The product should protect data, commands, configurations, and software against unauthorized change or corruption
Confidentiality protection Stored and transmitted data should be protected with appropriate technical measures, including encryption where relevant
Access control The product should prevent unauthorized access through suitable authentication, authorization, and control mechanisms
Attack surface reduction Design and development should limit exposed services, unnecessary functions, and avoidable entry points
Incident impact reduction The product should limit negative impact on other devices and networks if an incident occurs
Logging and monitoring Where relevant, products should record and monitor security-relevant internal activity
Component transparency Vendors must be able to identify product components and vulnerabilities, including software components
Vulnerability handling Vendors need a process to identify, document, handle, disclose, and remediate vulnerabilities
Secure removal of data and settings Users should be able to securely remove personal data, configuration, and sensitive settings where relevant

This is why CRA preparation should not be reduced to a document exercise. A vendor needs real engineering controls, secure development practices, vulnerability scanning, component tracking, update mechanisms, access control, logging, and a support process that can be demonstrated if authorities, customers, or partners request evidence.

CRA Requires A Risk-Based Product Security Approach

CRA is risk-based product legislation with fixed minimum cybersecurity requirements. This means a manufacturer cannot simply copy a generic checklist and declare the product secure. The manufacturer must understand the product, identify its risks, reduce those risks through design and controls, manage vulnerabilities during the lifecycle, and document why the chosen controls are appropriate.

The risk-based approach should answer four practical questions: what can go wrong, how likely is it, what would the impact be, and what has the manufacturer done to reduce the risk? The answer will be different for a smart thermostat, a router, a firewall, a password manager, a connected medical device, or an industrial gateway.

Risk Factor What Vendors Should Assess CRA Relevance
Product function What the product does, whether it handles security, identity, network access, data, automation, safety, or remote control Higher security impact usually means stronger controls and stronger evidence
Exposure Whether the product is internet-facing, remotely accessible, connected through cloud services, used in hostile environments, or deployed at scale Exposure affects attack surface, patch urgency, monitoring, and vulnerability handling
Threat level Who may attack the product, including cybercriminals, botnets, insiders, competitors, or state-linked actors The expected attacker influences authentication, hardening, logging, secure updates, and testing depth
Consequences What happens if the product fails, is compromised, leaks data, becomes unavailable, or is used as a pivot into other systems Potential impact drives risk treatment, customer warnings, documentation, and conformity evidence
Lifecycle How the product is developed, updated, maintained, supported, retired, and replaced CRA expects security to be managed during the support period, not only at release

In practice, this means vendors should be able to explain their choices. Why was a feature enabled by default? Why was a protocol allowed? Why is the support period appropriate? Why is the update mechanism secure? Why was a vulnerability rated as critical, high, medium, or low? Under CRA, the reasoning matters because it becomes part of the evidence behind product conformity.

Standards and frameworks should be used where they reduce risk and improve evidence. They are especially useful in design, product classification, secure development, operation, vulnerability management, and lifecycle support. But the vendor still needs to map those practices back to the CRA requirements and the specific product risk assessment.

CRA And Security Frameworks: CIS Controls, OWASP, SSDLC And ISO/IEC 27001

CRA can be connected with existing cybersecurity frameworks, but it is important to understand the difference. CRA is a binding EU product regulation. Frameworks such as CIS Controls, OWASP, secure software development lifecycle practices, and ISO/IEC 27001 are ways to organize, implement, test, and evidence security work. They can support CRA compliance, but they do not automatically replace the CRA conformity assessment.

Framework Or Standard Main Focus How It Helps With CRA Key Difference From CRA
CRA EU product cybersecurity law for products with digital elements Sets mandatory product security, vulnerability handling, documentation, support, reporting, conformity assessment, and CE marking requirements CRA is legally binding for in-scope products placed on the EU market. It is the compliance obligation, not just guidance
Harmonised European standards, common specifications, and EU cybersecurity certification schemes Formal compliance routes under EU product regulation Can help demonstrate conformity with CRA requirements. Where applicable and cited, harmonised standards can provide a presumption of conformity for the requirements they cover These are the standards and schemes with the strongest direct legal relevance for CRA conformity
CIS Controls, often called CIS 18 Practical cyber hygiene controls for organizations and systems Supports asset inventory, secure configuration, vulnerability management, access control, logging, monitoring, incident response, and continuous improvement CIS is a strong operational control framework, but it is not a CRA product certification or CE marking route by itself
OWASP Application and software security guidance, including secure design, verification, testing, and maturity models Useful for web applications, APIs, mobile apps, software products, secure coding, threat modeling, vulnerability testing, and software assurance OWASP helps engineering teams build and test safer software, but CRA still requires product classification, documentation, support, reporting, and conformity assessment
SSDLC Secure software development lifecycle from requirements and design through coding, testing, release, maintenance, and end-of-support Directly supports CRA because CRA expects security to be considered through the product lifecycle, not only at release SSDLC is a process model. CRA is the legal product obligation that the process must help satisfy
ISO/IEC 27001 Information security management system for an organization Helps show governance, risk management, policies, supplier controls, incident management, access control, and continuous improvement ISO/IEC 27001 certifies the management system, not the product itself. A company can be ISO 27001 certified and still need separate CRA product conformity work

The practical way to use these frameworks is to map them to CRA Annex I and the technical documentation file. For example, OWASP testing can support evidence for secure software design. CIS Controls can support evidence for secure operations and vulnerability management. ISO/IEC 27001 can support governance and repeatable security processes. SSDLC can show that security is built into product planning, development, testing, release, patching, and support.

However, customers and vendors should avoid a common mistake: saying "we use OWASP" or "we are ISO 27001 certified" is not the same as saying "this product is CRA compliant." CRA requires the manufacturer to classify the product, meet the essential cybersecurity requirements, maintain technical documentation, define a support period, provide security updates, handle vulnerabilities, report actively exploited vulnerabilities and severe incidents where required, and complete the applicable conformity assessment.

A Practical CRA Technical Security Stack

A useful way to prepare for CRA is to translate the legal requirements into technical control areas that engineering, security, compliance, and product teams can actually work with. CIS Controls can support this, but the official CIS Controls are 18 controls, not 22. The 22-point view below is better understood as a CRA product-security checklist that draws from CRA Annex I, CIS Controls, OWASP guidance, secure development lifecycle practice, and ISO/IEC 27001 governance.

# Control Area What It Means For CRA Readiness Useful Supporting Frameworks
1 Secure-by-design Security requirements are included from the first design stage, not added only before release CRA Annex I, SSDLC, OWASP SAMM, CIS 16
2 System hardening Default services, ports, functions, accounts, and settings are reduced to what is necessary CIS 4, CRA secure configuration requirements
3 Identity and access management Authentication, authorization, privileged access, account lifecycle, and access control are designed and tested CIS 5, CIS 6, ISO/IEC 27001, CRA access control requirements
4 Software bill of materials The vendor can identify software components, dependencies, versions, and affected packages when vulnerabilities appear CRA component transparency, CIS 2, supply chain security practice
5 Supply chain security Third-party components, libraries, firmware, cloud dependencies, and suppliers are assessed and controlled CIS 15, ISO/IEC 27001 supplier controls, CRA lifecycle duties
6 Vulnerability management Vulnerabilities are identified, triaged, documented, remediated, disclosed, and monitored during the support period CIS 7, CRA vulnerability handling, PSIRT process
7 Secure update mechanism Security updates are delivered in a controlled way, protected against tampering, and available during the support period CRA update requirements, CIS 7, CIS 4, SSDLC release controls
8 Cryptography and key management Data, communications, firmware, update packages, credentials, and sensitive operations are protected with appropriate cryptographic controls CIS 3, CIS 13, ISO/IEC 27001, CRA confidentiality and integrity requirements
9 Logging Security-relevant events are recorded where appropriate so misuse, faults, and attacks can be investigated CIS 8, CRA monitoring and internal activity requirements
10 Monitoring and detection The vendor has a way to detect exploitation, abnormal product behavior, suspicious activity, or vulnerability abuse CIS 13, CIS 8, CRA reporting readiness
11 Incident response and PSIRT The manufacturer can investigate product security incidents, coordinate response, notify users, and report where CRA requires it CIS 17, ISO/IEC 27001, CRA incident reporting
12 Secure development lifecycle Security is built into requirements, design, coding, review, testing, release, maintenance, and end-of-support decisions SSDLC, OWASP SAMM, CIS 16, CRA lifecycle requirements
13 Configuration management Product configurations, baselines, secure defaults, changes, and reset options are controlled and documented CIS 4, CRA secure default requirements
14 Network security Network interfaces, management services, protocols, segmentation, remote access, and exposed communication paths are secured CIS 12, CIS 13, CRA attack surface and communication protection
15 Data protection Data is minimized, protected against unauthorized access, protected in transit and at rest where relevant, and removable where required CIS 3, GDPR where personal data is involved, CRA data minimization and confidentiality requirements
16 Lifecycle and support management The vendor defines the support period, maintains security updates, communicates end-of-support, and keeps evidence current CRA support period duties, SSDLC, ISO/IEC 27001 governance
17 Security testing The product is tested through methods such as SAST, DAST, dependency scanning, vulnerability scanning, fuzzing, penetration testing, and secure code review where appropriate CIS 16, CIS 18, OWASP ASVS, CRA risk-based security requirements
18 Threat modeling Likely attackers, abuse cases, trust boundaries, attack paths, and failure scenarios are identified early and revisited when the product changes OWASP, SSDLC, CRA risk-based design
19 Firmware and embedded security Boot process, firmware integrity, debug interfaces, secure storage, update flow, and hardware-close software are protected CIS 4, CIS 16, CRA requirements for connected hardware and embedded software
20 API security Product APIs are protected against unauthorized access, abuse, injection, excessive permissions, weak tokens, and insecure data exposure OWASP API Security, CIS 16, CRA access control and data protection requirements
21 Cloud and remote processing security Cloud functions that are necessary for the product, such as authentication, updates, telemetry, management, or remote control, are secured and included in the product risk assessment CRA remote data processing scope, CIS 12, CIS 5, ISO/IEC 27001
22 Device, IoT, and endpoint security Connected devices are protected against compromise through secure defaults, hardening, updateability, identity controls, and reduced attack surface CIS 1, CIS 4, CRA connected product requirements

This checklist is not a separate legal standard. It is a practical bridge between CRA obligations and day-to-day security engineering. Vendors can use it to assign owners, collect evidence, map controls to technical documentation, and show customers that product security is being managed systematically.

In practical terms, CRA implementation is not about proving that a product is perfect. It is about proving that the manufacturer can discover security problems, handle them through a defined process, fix or mitigate them quickly, inform the right parties where required, and produce evidence that the process works. That evidence matters for authorities, customers, distributors, importers, and NIS2-regulated buyers that need stronger supply-chain assurance.

The official CIS Controls themselves are also useful to mention in a CRA program. They cover inventory of enterprise assets, software inventory, data protection, secure configuration, account management, access control, vulnerability management, audit logs, email and browser protections, malware defenses, data recovery, network infrastructure, network monitoring, security awareness, service provider management, application software security, incident response, and penetration testing. Not every CIS control maps one-to-one to CRA, but together they help create the operational discipline needed to maintain secure products over time.

Technical Documentation: The Evidence Behind CRA Compliance

The CRA also creates extensive documentation expectations. This is important because compliance is not only about saying that a product is secure. The manufacturer must be able to show how security requirements were considered, tested, documented, and maintained.

Technical documentation is not normally a public sales document. It does not have to be handed to every customer by default. But it must be prepared before the product is placed on the market, kept up to date, and made available to market surveillance authorities when required.

Documentation Area What It Should Cover
General product description What the product is, what it does, how it connects, and what digital elements are included
Design, development, and production How the product was designed, developed, produced, secured, and maintained
Vulnerability handling process How vulnerabilities are reported, assessed, remediated, disclosed, and tracked
Cybersecurity risk assessment The risks identified for the product and how those risks informed the security controls
Support period basis Why the chosen support period is appropriate for the product and its expected use
Applied standards Which harmonised standards, common specifications, or other technical measures were used
Testing and assessment reports Evidence from security tests, conformity assessments, vulnerability scans, penetration tests, or other validation activities
EU Declaration of Conformity A copy of the declaration showing the product's conformity with applicable CRA requirements
Software component list A software component list or SBOM-style overview that helps identify dependencies, components, and vulnerability exposure

This is one reason why vulnerability scanning, software component tracking, secure update procedures, and documented remediation workflows matter. They create evidence. Without evidence, a vendor may struggle to prove that product cybersecurity is controlled in a repeatable and auditable way.

Support Period And Security Updates

The support period is the period during which the manufacturer must handle vulnerabilities effectively for the product. Under CRA, the manufacturer must determine the support period and clearly specify the end date, including at least the month and year, at the time of purchase.

As a general rule, the support period must be at least five years. A shorter period can be justified only where the product is expected to be used for less than five years. The basis for the support period should be documented, and users should be informed where possible when the support period is approaching its end.

Security updates made available during the support period must also remain available after they are issued for a minimum of 10 years, or for the remainder of the support period, whichever is longer. In practice, this means vendors need a controlled patch archive, clear update distribution, and reliable access to historical security fixes.

Support Requirement Practical Meaning
Defined support period The vendor must state how long the product will receive vulnerability handling and security support
Minimum period At least five years unless the product's expected use time is shorter
Documented reasoning The vendor should document why the support period is suitable for the product type and expected use
Security updates Security updates must be made available during the support period and handled in a way that users can install them securely
Update availability Security updates made available during the support period must remain available after issuance for at least 10 years or for the remainder of the support period, whichever is longer
Patch archive Vendors should maintain a reliable archive of security updates, release notes, affected versions, and installation guidance
Technical documentation retention Technical documentation and the EU Declaration of Conformity must be kept available to market surveillance authorities for at least 10 years after market placement or for the support period, whichever is longer
User information Users must be given clear information and instructions for secure installation, operation, updates, support, and end of support

For buyers, this is a useful procurement question: "How long will this product receive security support, and what happens when that period ends?" For vendors, the answer should not be improvised. It should be part of the product lifecycle plan.

What Counts As An Actively Exploited Vulnerability?

The CRA reporting duty is triggered by actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements. An actively exploited vulnerability is not just a theoretical weakness. It is a vulnerability where there is reliable evidence that a malicious actor has exploited it in a system without permission.

From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to the relevant CSIRT and ENISA through the CRA Single Reporting Platform. The reporting flow includes an early warning within 24 hours, a main notification within 72 hours, and a final report within the relevant deadline.

The CRA should not be simplified into "every zero-day must be patched within 14 days." For actively exploited vulnerabilities, the 14-day deadline refers to the final report after a corrective or mitigating measure is available. In practice, however, vendors should be ready to investigate, mitigate, patch, and communicate as quickly as possible when a zero-day affects their product.

This makes speed and evidence essential. Vendors must be able to identify vulnerable components, confirm whether exploitation is active, assess product impact, issue mitigations or patches, and communicate with authorities and affected users.

Is SaaS Exempt From CRA?

The short answer is: standalone SaaS is generally outside CRA, but SaaS or cloud functionality can be included if it is a remote data processing solution that is necessary for a product with digital elements to function.

This distinction is important. The CRA is primarily product law. A pure browser-based SaaS platform, sold only as a service and not as a software or hardware product, will normally not be treated as a CRA product. Such cloud services may instead fall under other cybersecurity rules, such as NIS2, depending on the provider's size, role, and sector.

However, if a connected product depends on a cloud backend, that backend may be part of the product's CRA scope. For example, a smart camera that requires a vendor cloud service to manage video processing, alerts, authentication, firmware updates, or remote access may bring the relevant cloud functionality into scope as a remote data processing solution.

A connected robot vacuum cleaner is a useful example. The physical robot, its firmware, the mobile app used to control it, and any cloud function needed for mapping, scheduling, account login, remote control, updates, or security management may all need to be considered in the CRA scope assessment. The mobile app is software, the robot is connected hardware, and the cloud backend may be relevant if the product depends on it to perform one of its functions.

Therefore, vendors should not simply ask, "Is this SaaS?" They should ask, "Is this cloud function necessary for the product to perform one of its functions?" If yes, the CRA assessment must include it.

Who Must Comply With CRA?

The main responsibility falls on manufacturers. In CRA language, a manufacturer is the natural or legal person that places a product with digital elements on the market under its own name or trademark. This includes companies that develop software, build hardware, rebrand products, or sell digital products as their own.

But manufacturers are not the only actors. The CRA also creates responsibilities for importers, distributors, authorised representatives, and, in certain cases, open-source software stewards.

Actor Responsibility
Manufacturers Design, develop, assess, document, update, support, and monitor the product securely
Importers Check that products from outside the EU meet CRA requirements before placing them on the EU market
Distributors Verify basic compliance signals such as CE marking, user information, and support period
Authorised representatives Act on behalf of manufacturers for certain compliance tasks
Open-source software stewards In specific commercial and sustained support cases, follow defined cybersecurity and vulnerability handling duties

The CRA therefore affects the full supply chain. A non-EU vendor selling software or hardware into the EU cannot simply ignore the law. Importers and distributors may also have obligations if they make the product available on the EU market.

Supply Chain Responsibility: Manufacturer, Importer, Distributor, User

CRA responsibility follows the product through the supply chain. The manufacturer carries the main product, process, approval, support, and reporting obligations. Importers and distributors have more limited duties, but they are still expected to check that the product carries the right compliance information before it reaches the end user.

Market Participant Main CRA Relevance
Manufacturer Responsible for product cybersecurity requirements, vulnerability handling processes, conformity assessment, CE marking, support period, technical documentation, and reporting obligations
Importer Must check that the non-EU product has the required conformity assessment, technical documentation, CE marking, contact details, and user information before placing it on the EU market
Distributor Must act with due care, verify basic marking and documentation, and avoid making products available where there is reason to believe they are non-compliant
End user Receives information, instructions, security updates, and support information, but does not normally carry CRA manufacturer obligations simply by using the product

A distributor or importer can become treated as the manufacturer if it places the product on the market under its own name or trademark, or if it makes a substantial modification to the product. This is especially important for white-label products, OEM appliances, partner-branded software, and modified security appliances.

For partners and resellers, this means contracts may need to become more precise. Agreements should clarify who maintains technical documentation, who handles vulnerability disclosure, who reports actively exploited vulnerabilities, who provides security updates, and who is responsible if the product is rebranded or modified.

What Must Vendors Do?

The CRA requires cybersecurity to be handled across the product lifecycle. That means security must be part of planning, design, development, production, delivery, maintenance, vulnerability handling, and customer communication.

Manufacturers must perform a cybersecurity risk assessment and use it to guide the design and development of the product. They must also meet essential cybersecurity requirements, prepare technical documentation, carry out conformity assessment, issue an EU declaration of conformity, and affix the CE marking before placing the product on the market.

In practical terms, vendors should be able to show that they have:

  • A secure development process
  • Vulnerability management
  • Patch and update processes
  • Secure default configuration
  • Protection against unauthorized access
  • Clear product security documentation
  • A defined support period
  • Procedures for handling exploited vulnerabilities
  • Evidence that the product was tested and assessed
  • A process for reporting severe incidents and actively exploited vulnerabilities

This is where cyber hygiene becomes a product responsibility. Vendors must know what is inside their products, how vulnerabilities are handled, how long security support is provided, and how customers are protected after purchase.

A Practical CRA Implementation Plan

CRA implementation should not start as a paperwork exercise. It should start with the product: what the product does, how it connects, which users depend on it, what could go wrong, which components it contains, and how the vendor will keep it secure during the support period.

A pragmatic plan helps vendors move from uncertainty to evidence. The aim is to make CRA operational inside product development, engineering, support, compliance, and customer communication.

Step What To Do Practical Output
1. Classify the product Decide whether the product is a standard product, important Class I, important Class II, or critical. Include firmware, mobile apps, remote processing functions, components, and foreseeable connections. Product classification memo and scope decision
2. Assign ownership Define who owns product security, vulnerability handling, compliance evidence, support period decisions, and customer communication. Governance model and RACI-style responsibility matrix
3. Build secure-by-design Make security part of architecture, feature design, authentication, access control, configuration, logging, update design, and data protection. Security design requirements and architecture review
4. Implement secure development Use a secure software development lifecycle with code review, security testing, dependency checks, build control, release gates, and DevSecOps practices. SSDLC process, CI/CD security controls, and release evidence
5. Create SBOM and component control Track software components, versions, suppliers, package identifiers, hashes where relevant, dependencies, and known vulnerabilities. SBOM or software component list linked to vulnerability monitoring
6. Establish vulnerability handling Create intake channels, triage rules, severity scoring, impact analysis, mitigation workflow, patch prioritisation, disclosure rules, and reporting support. PSIRT or equivalent vulnerability handling process
7. Define support and update mechanisms Set the support period, explain it to users, implement secure update delivery, separate security updates where practical, and keep updates available as required. Support policy, secure update design, and patch archive process
8. Prepare technical documentation Document the product, risk assessment, design choices, development process, vulnerability handling, standards used, test results, support period, and component list. Technical file ready for internal review and authority requests
9. Choose conformity route Decide whether self-assessment is sufficient, whether harmonised standards or common specifications apply, or whether a notified body or certification route is needed. Conformity assessment plan, EU Declaration of Conformity, and CE marking evidence
10. Make it operational Turn the plan into normal product operations: patch management, incident response, supplier reviews, compliance review, customer advisories, training, and periodic reassessment. Operational CRA process that survives staff changes and product updates

Secure-by-design means evidence, not slogans

A vendor should be able to explain why a design choice was made, which risk it reduces, which controls support it, how it was tested, and how it will be maintained. CRA implementation is not about claiming that a product is perfect. It is about showing that the vendor can identify risks, reduce them, handle vulnerabilities, update the product, communicate clearly, and prove the process.

A small vendor does not need the same organisation as a large enterprise, but the responsibilities still need to exist. At minimum, there should be a product security owner, a vulnerability handling owner, a compliance evidence owner, and a clear escalation path to engineering, support, legal, and management.

Common CRA Implementation Mistakes To Avoid

Many CRA failures will not come from one missing tool. They will come from weak ownership, poor documentation, uncontrolled components, unclear support periods, and informal vulnerability handling. CRA readiness should therefore focus on evidence, repeatability, and operational discipline.

Common Mistake Why It Creates Risk Better CRA Approach
Underestimating the support period The vendor may promise a product lifecycle without the patching, vulnerability handling, update availability, and documentation needed to support it Define the support period early, document the reasoning, and connect it to engineering capacity, patch delivery, and customer communication
No control over open-source and third-party components A vulnerable library, outdated dependency, unsupported package, or unknown component can become a product vulnerability Maintain a software component list or SBOM, track versions, suppliers, identifiers, dependencies, and known vulnerabilities
Scanning without a real vulnerability process Finding vulnerabilities is not enough if there is no owner, severity decision, impact analysis, patch route, disclosure process, or evidence trail Use scanning as input to a PSIRT or equivalent vulnerability handling process with defined ownership and deadlines
Missing organisational anchoring If only one developer or one compliance person understands the process, the product becomes fragile when people change role or leave Create a RACI-style model so every product security activity has an accountable owner, a backup, and a clear escalation path
Forgetting mobile apps, firmware, or remote processing The product scope may be too narrow, leaving important digital elements outside the risk assessment and documentation Include hardware, firmware, mobile apps, desktop software, cloud functions required by the product, APIs, management portals, and update infrastructure
Treating CRA as a one-time launch task CRA obligations continue through the support period, especially for vulnerabilities, updates, user information, and technical documentation Make CRA a normal operating discipline across secure development, patch management, incident response, supplier review, and release management

Compliance is not only a checklist

A checklist helps structure the work, but CRA evidence must be real. The vendor should be able to show that risks were identified, controls were selected, vulnerabilities were handled, updates were delivered, users were informed, and decisions were documented.

Open Source Components And SBOM: From Inventory To Operations

Open-source and third-party components are central to CRA readiness because modern products rarely consist only of code written by the vendor. Libraries, frameworks, containers, firmware modules, drivers, crypto packages, package managers, build tools, and cloud SDKs can all introduce product risk.

Non-commercial open-source software is treated differently under CRA, but a manufacturer that integrates open-source or third-party components into a commercial product still needs component due diligence. The question is not whether a component is open source. The question is whether the finished product placed on the EU market is secure, maintained, documented, and supported.

SBOM Area What To Track Why It Matters
Component identity Component name, supplier, package name, version, package URL, hash, license, and source where relevant Allows the vendor to know exactly what is inside each product release
Dependencies Direct and transitive dependencies, embedded libraries, runtime packages, firmware modules, and container images Helps identify hidden exposure when a vulnerability is found in a dependency chain
Vulnerability mapping CVEs, advisories, exploit status, severity, affected versions, fixed versions, and compensating controls Turns the SBOM into an operational input for vulnerability management and PSIRT work
Release linkage Which SBOM belongs to which product, version, build, customer image, firmware release, or appliance package Supports fast impact analysis when a new vulnerability is disclosed
Evidence archive SBOM history, scan results, approvals, exceptions, risk acceptances, and patch decisions Supports technical documentation, authority requests, customer questions, and internal audits

An SBOM should not be treated as a static document created once for compliance. It is more useful when integrated into CI/CD, release management, vulnerability feeds, patch prioritisation, and PSIRT workflows. In practice, a mature SBOM process helps the vendor answer quickly: which products are affected, which customers may be exposed, which update is needed, and what evidence proves the decision.

SBOM Maturity Level Status Practical Meaning
Level 1 No reliable SBOM The vendor cannot quickly identify affected components when a vulnerability is disclosed
Level 2 Manual component list Useful as a start, but likely to become outdated and incomplete
Level 3 Automated SBOM generation SBOMs are generated for builds or releases, reducing manual errors
Level 4 CI/CD integrated SBOM SBOM data is connected to release gates, dependency checks, vulnerability scanning, and approval workflows
Level 5 Continuous vulnerability tracking SBOM data is actively used by PSIRT, patch management, product owners, and compliance teams for real-time impact analysis

CRA Readiness Checklist

The following checklist is a practical starting point for vendors, importers, distributors, integrators, and buyers that want to understand whether a product is moving toward CRA readiness. It is not a replacement for legal review, but it helps translate CRA into concrete evidence.

Use the standalone checklist page for internal workshops, supplier reviews, and readiness planning: SecPoint CRA Readiness Checklist.

The checklist is an educational aid and should be validated against the official CRA text, updated guidance, product classification, and your selected conformity route.

Checklist Area Question To Answer Evidence To Prepare
Product scope Have we identified all digital elements, including firmware, apps, APIs, remote processing, update systems, and components? Product scope map
Product classification Is the product standard, important Class I, important Class II, or critical under CRA? Classification memo
Economic operator role Are we manufacturer, importer, distributor, authorised representative, open-source steward, or buyer? Role and responsibility assessment
Risk assessment Have we assessed product function, exposure, threat level, user impact, and consequences? Cybersecurity risk assessment
Secure-by-design Are security requirements built into architecture, access control, configuration, logging, update design, and data protection? Security design review
Secure development Do we use SSDLC, code review, dependency control, security testing, release gates, and build integrity controls? SSDLC process evidence
SBOM and component control Do we know which components, versions, suppliers, identifiers, and dependencies are inside each release? SBOM or software component list
Open-source due diligence Do we track open-source components, licenses, maintainers, known vulnerabilities, update status, and end-of-life risk? Third-party component review
Vulnerability intake Can customers, researchers, partners, and internal teams report vulnerabilities through a controlled channel? Security contact, disclosure policy, intake log
Vulnerability handling Do we validate, score, prioritise, mitigate, patch, test, disclose, and learn from vulnerabilities? PSIRT or equivalent process
Reporting readiness Can we identify actively exploited vulnerabilities and severe incidents and meet CRA reporting timelines? Reporting procedure and escalation path
Secure updates Can users receive and install security updates securely, preferably separated from feature updates where practical? Update mechanism and patch policy
Support period Is the support period defined, justified, communicated, and backed by engineering capacity? Support policy and end-date statement
Technical documentation Can we show design, risk assessment, standards, tests, component list, support basis, and conformity evidence? Technical documentation file
Conformity route Do we know whether self-assessment, harmonised standards, common specifications, certification, or notified body assessment is needed? Conformity assessment plan
CE marking evidence Can we draw up the EU Declaration of Conformity and support the CE marking with evidence? Declaration of Conformity and CE file
Supplier contracts Do supplier, OEM, white-label, and distributor agreements support security updates, vulnerability notification, and evidence sharing? Contract and supplier review
Operational ownership Will the process continue when key employees change role, leave, or when the product is updated? RACI matrix, backup owners, and governance review

Why Vendors Need A PSIRT Function

CRA does not require every vendor to use the exact label "PSIRT", but it does require vulnerability handling, security updates, documentation, user communication, and reporting where the conditions are met. A Product Security Incident Response Team, or PSIRT, is the practical function that makes this possible. It can be a dedicated team in a large company or a defined cross-functional process in a smaller vendor.

A PSIRT is the bridge between security, development, operations, product management, legal, compliance, and customer support. Without this function, vulnerabilities are often handled ad hoc, responsibility becomes unclear, evidence is missing, customer communication is delayed, and CRA reporting can fail in practice.

PSIRT Capability What It Does Why It Matters For CRA
Vulnerability intake Receives reports from internal teams, customers, researchers, bug bounty programs, partners, distributors, and monitoring systems Creates a controlled entry point for product security issues instead of scattered emails and informal handling
Validation and triage Confirms whether the issue is real, identifies affected products and versions, scores severity, and assesses exploitation and customer impact Supports correct prioritization, reliable evidence, and timely decisions
Mitigation and remediation Coordinates engineering fixes, workarounds, patches, configuration changes, test validation, and release timing Turns vulnerability handling into concrete action during the support period
Disclosure and communication Prepares advisories, customer notices, release notes, coordinated disclosure messages, and authority communication where required Helps ensure users receive clear security information and that public disclosure does not create unnecessary risk
CRA reporting support Determines whether an actively exploited vulnerability or severe incident triggers reporting to CSIRT and ENISA through the CRA Single Reporting Platform Supports the 24-hour, 72-hour, and final report timeline when CRA reporting duties apply
Learning and prevention Feeds lessons learned back into root cause analysis, secure development, testing, threat modeling, documentation, and product architecture Prevents the same class of weakness from returning in later versions

A practical PSIRT model should define ownership. Typical roles include a PSIRT lead for escalation and governance, a PSIRT analyst for validation and severity assessment, development or engineering for root cause and fixes, product management for customer impact and release priority, a security architect for solution review, legal and compliance for CRA reporting and disclosure review, and communication or support for customer advisories.

A simple RACI model is useful here. For each activity, such as intake, ticketing, validation, CVSS scoring, CRA impact assessment, patch development, testing, release, disclosure, customer communication, authority reporting, and post-mortem learning, the vendor should know who is accountable, who performs the work, who must be consulted, and who must be informed. This prevents the process from collapsing when key employees change position or leave.

For CRA readiness, the important point is not the job title. The important point is traceability. The vendor should be able to show when a vulnerability was received, who assessed it, what products were affected, how severity was determined, what mitigation was chosen, when users were informed, whether reporting was required, and how the product was improved afterward.

CRA Reporting Obligations

From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of products with digital elements.

Deadline Requirement
Within 24 hours Early warning after becoming aware
Within 72 hours Main notification
Final report for exploited vulnerabilities No later than 14 days after a corrective or mitigating measure is available
Final report for severe incidents Within one month from the 72-hour notification

Reports are submitted through the CRA Single Reporting Platform, which ENISA is responsible for establishing. This is different from normal customer support. If a product vulnerability is being actively exploited, the manufacturer must have a process to detect it, evaluate it, report it, correct it, and communicate responsibly.

CRA Timeline

Date Milestone
10 December 2024 CRA entered into force
11 June 2026 Provisions on conformity assessment bodies begin to apply
11 September 2026 Reporting obligations begin
11 December 2027 Main CRA obligations fully apply

Products placed on the market before 11 December 2027 are generally subject to the CRA only if they undergo a substantial modification after that date. However, reporting obligations can still apply to products already made available on the EU market.

CRA Compared With GDPR, NIS2, DORA, CER, AI Act And Cybersecurity Act

The CRA is part of a much wider EU regulatory landscape. The easiest way to understand it is to ask what each law is trying to protect. GDPR protects personal data. NIS2 improves cybersecurity for important and essential entities. DORA strengthens operational resilience in the financial sector. CER focuses on the resilience of critical entities and essential services. The AI Act regulates AI risks. The Cybersecurity Act creates EU cybersecurity certification schemes. CRA focuses on the cybersecurity of digital products placed on the EU market.

Regulation Main Focus Who It Mainly Applies To How It Differs From CRA
GDPR Personal data protection and privacy Organizations that process personal data of individuals in the EU GDPR asks how personal data is collected, used, protected, and shared. CRA asks whether a digital product is secure by design, maintained, documented, and supported.
NIS2 Cybersecurity risk management for important and essential entities Organizations in critical and important sectors such as energy, health, transport, digital infrastructure, public administration, manufacturing, and others NIS2 is entity and sector focused. CRA is product focused and can apply regardless of the customer's sector.
DORA Digital operational resilience in finance Banks, insurers, investment firms, payment institutions, and certain ICT third-party providers DORA protects the resilience of financial operations. CRA protects the security quality of products used across many sectors, including finance.
CRA Cybersecurity of products with digital elements Manufacturers, importers, distributors, authorised representatives, and some open-source software stewards CRA is the product-security law: secure-by-design, vulnerability handling, support period, CE marking, technical documentation, and product incident reporting.
CER Directive Resilience of critical entities and essential services Critical entities in sectors such as energy, transport, banking, health, water, food, digital infrastructure, public administration, and space CER is about keeping essential services running against all-hazard disruption risks. CRA is about the cybersecurity of products sold or supplied on the market.
AI Act Risk-based regulation of artificial intelligence systems AI providers, deployers, importers, distributors, and users depending on role and risk category AI Act asks whether an AI system is prohibited, high-risk, transparent, or general-purpose. CRA asks whether a digital product, including AI-enabled software where relevant, meets product cybersecurity requirements.
EU Cybersecurity Act EU cybersecurity certification framework and ENISA mandate ICT products, services, processes, certification schemes, and EU cybersecurity coordination The Cybersecurity Act creates certification schemes. CRA can use those schemes to demonstrate conformity and may require certification for certain critical products.

This means several rules can apply at the same time. A connected medical logistics product might involve GDPR because it processes personal data, NIS2 because the customer is a healthcare entity, CRA because the product contains digital elements, and the AI Act if the product includes a regulated AI function. The key is to identify whether the obligation is about the organization, the personal data, the operational service, the AI function, or the product itself.

How CRA Differs From GDPR

GDPR is about personal data and privacy. It applies when personal data is processed, regardless of whether the processing happens in a product, service, website, database, app, or internal system. CRA is different because it focuses on product cybersecurity. A product can be in CRA scope even if it processes little or no personal data, simply because it is connected hardware or software with digital elements.

The two laws can overlap. A robot vacuum app, smart camera, wearable device, or enterprise security platform may process personal data and therefore raise GDPR questions. At the same time, the product may need CRA conformity, secure updates, vulnerability handling, and technical documentation.

How CRA Differs From NIS2

NIS2 is focused on organizations operating in important and essential sectors. It covers cybersecurity risk management, incident handling, supply chain security, governance, and reporting for entities in critical areas such as energy, transport, health, digital infrastructure, public administration, manufacturing, and other sectors.

CRA is different. It does not start with the sector. It starts with the product.

A hospital may fall under NIS2 because it is an important entity. A software vendor selling a connected medical inventory tool may fall under CRA because the product has digital elements. A manufacturer selling a firewall, router, IoT device, security appliance, mobile app, or software platform may fall under CRA regardless of whether the buyer is in finance, healthcare, defense, logistics, retail, or manufacturing.

There is also a procurement connection. NIS2 requires covered entities to manage cybersecurity risk, including supply-chain security and security in the acquisition, development, and maintenance of network and information systems. This does not mean NIS2 is the same as CRA, and it should not be described as a simple rule that every NIS2 entity must only buy CRA-compliant products. The more accurate point is that, once CRA applies, NIS2-regulated organizations will have a strong reason to prefer vendors that can show CRA conformity, secure update processes, vulnerability handling, and reliable product security documentation.

NIS2 CRA
Entity and sector focused Product focused
Applies to essential and important organizations Applies to products with digital elements on the EU market
Focuses on organizational cybersecurity Focuses on secure product design, maintenance, and vulnerability handling
Requires governance and risk management Requires conformity, documentation, CE marking, support, and product security
Incident reporting by covered entities Vulnerability and product security incident reporting by manufacturers

NIS2 asks: is the organization secure enough? CRA asks: is the product secure enough?

How CRA Differs From DORA

DORA, the Digital Operational Resilience Act, is focused on the financial sector. It applies to banks, insurance companies, investment firms, payment institutions, and other financial entities, as well as certain ICT third-party providers. DORA has applied from 17 January 2025 and covers ICT risk management, incident reporting, resilience testing, third-party risk, and oversight of critical ICT providers.

CRA is broader in product scope, but narrower in regulatory object. It is not only about financial services. It is about products with digital elements sold in the EU.

A financial institution may need DORA compliance for its internal ICT risk and third-party management. But the software, firewall, router, cloud-connected appliance, or security tool it buys may need CRA compliance from the vendor.

DORA CRA
Financial sector focused Sector agnostic
Applies to financial entities and ICT third-party providers Applies to products with digital elements
Focuses on operational resilience Focuses on product cybersecurity
Includes ICT third-party risk and resilience testing Includes secure product lifecycle and vulnerability handling
Uses financial supervision logic Uses product conformity and market surveillance logic

DORA protects the resilience of financial operations. CRA improves the security of the digital products those operations may depend on.

How CRA Differs From CER

The Critical Entities Resilience Directive, or CER, is about the resilience of critical entities that provide essential services. It is not only a cyber law. It covers broader disruption risks such as natural hazards, sabotage, terrorism, insider threats, public health emergencies, and other incidents that can interrupt essential services.

CRA is narrower and more product-specific. It does not ask whether a power company, water provider, bank, hospital, or transport operator is resilient as an entity. It asks whether a product with digital elements placed on the EU market meets cybersecurity requirements. However, the two can meet in procurement: a critical entity covered by CER may prefer, require, or eventually expect CRA-ready products from its suppliers.

How CRA Differs From The AI Act

The AI Act regulates artificial intelligence through a risk-based model. It focuses on AI systems, their providers and deployers, prohibited AI practices, high-risk use cases, transparency duties, general-purpose AI model obligations, and lifecycle governance for AI.

CRA focuses on product cybersecurity. If a product includes AI, both laws may matter. For example, an AI-enabled security camera, industrial sensor, access control system, autonomous device, or AI-driven cybersecurity product may need AI Act analysis for the AI function and CRA analysis for the product's cybersecurity, vulnerability handling, support period, software components, and secure update process.

How CRA Differs From The EU Cybersecurity Act

The EU Cybersecurity Act strengthened ENISA and created an EU-wide cybersecurity certification framework for ICT products, services, and processes.

CRA is different because it creates mandatory cybersecurity requirements for products with digital elements. Certification schemes under the Cybersecurity Act may help demonstrate conformity in some cases, but the CRA itself is the regulation that makes product cybersecurity a market requirement.

Cybersecurity Act CRA
Creates EU cybersecurity certification framework Creates mandatory product cybersecurity obligations
Focuses on certification schemes Focuses on product conformity and lifecycle security
Supports trust and assurance Requires vendors to meet essential cybersecurity requirements
Can support CRA compliance Is a direct product compliance regime

Why CRA Matters For Cyber Hygiene

CRA compliance is not just about paperwork. It requires real security discipline.

A vendor must know whether its product contains vulnerable components. It must be able to patch weaknesses. It must be able to explain the support period. It must provide secure instructions to customers. It must reduce insecure defaults. It must handle vulnerabilities in a structured way.

For customers, this creates a stronger basis for trust. Buyers should be able to ask vendors:

  • Is the product covered by CRA?
  • What is the support period?
  • How are vulnerabilities handled?
  • How fast are critical patches released?
  • Is the product tested regularly?
  • Is there documentation of conformity?
  • Are updates provided securely?
  • Does the vendor monitor actively exploited vulnerabilities?
  • Is there a clear incident reporting process?

For vendors, the message is equally clear: security must be built into the product, not added only after a customer complains.

Educational CRA Readiness Guidance

Important clarification: this page is an educational guide about CRA readiness and product cybersecurity. SecPoint does not issue CRA certifications, legal approvals, CE markings, or formal conformity assessments under the Cyber Resilience Act.

CRA compliance remains the responsibility of the relevant manufacturer, importer, distributor, authorised representative, or other responsible market participant. SecPoint solutions can support vulnerability discovery, cyber hygiene, security validation, and evidence gathering, but they do not by themselves make a product CRA compliant.

CRA interpretation can depend on product scope, product classification, supply-chain role, applicable harmonised standards, common specifications, certification schemes, national market-surveillance practice, and future EU guidance. Nothing on this page should be treated as legal advice. Always confirm decisions with official sources and qualified advisers.

How SecPoint Helps Organizations Prepare

CRA does not replace vulnerability scanning, penetration testing, compliance scanning, patch management, or security monitoring. It makes these activities more important.

The SecPoint Penetrator helps organizations identify vulnerabilities across public and internal systems, document findings, reduce exposure, and support stronger cyber hygiene. For vendors, integrators, and customers preparing for CRA, NIS2, DORA, and broader EU cybersecurity expectations, regular vulnerability scanning can provide practical evidence that security risks are being found and addressed as part of a broader compliance and product security program.

The SecPoint Protector helps organizations reduce exposure to known hostile sources and unwanted traffic, supporting a layered security model where prevention, detection, and response work together.

CRA compliance will require more than one tool. It requires process, documentation, ownership, and continuous improvement. But the starting point is clear: you cannot manage product security properly if you do not know where your vulnerabilities are.

Conclusion

The Cyber Resilience Act changes the cybersecurity conversation in Europe. It moves responsibility closer to the vendor and makes secure product development, vulnerability handling, support periods, conformity assessment, and incident reporting part of doing business in the EU.

NIS2 focuses on organizations in important and essential sectors. DORA focuses on digital operational resilience in finance. The Cybersecurity Act supports EU-wide certification. CRA focuses on the security of products with digital elements.

For vendors, the deadline may look far away, but the practical work should start now. By 11 September 2026, reporting obligations begin. By 11 December 2027, the main CRA requirements apply.

The companies that prepare early will be in a stronger position. They will have cleaner documentation, better vulnerability management, stronger product security, and more trust from customers.

CRA is not just another regulation. It is a signal that cybersecurity is becoming a core part of product quality.