Cybersecurity

CRA Compliance Essentials: 10 FAQs Answered

The EU Cyber Resilience Act (CRA) will be fully implemented in 2027. This article addresses the 10 most common questions about product classification, compliance pathways, technical requirements, and Chinese exporters.

8 min read
CRA Compliance Essentials: 10 FAQs Answered

CRA Compliance Essentials: 10 FAQs Answered

The EU Cyber Resilience Act (CRA) officially entered into force on December 12, 2024, and will be fully implemented on December 11, 2027. This regulation establishes mandatory cybersecurity requirements for any “product with digital elements” placed on the EU market.

For Chinese power electronics manufacturers, CRA compliance presents both a challenge and a necessary threshold for entering the EU market. This article addresses the 10 most common CRA compliance questions, covering four core areas: product classification, compliance processes, technical requirements, and export compliance.


Part I: Product Classification

Q1: Is my product within the scope of CRA regulation?

To determine whether your product falls within the scope of CRA regulation, use the following checklist:

Checklist ItemDescription
✓ Product contains software or firmwarePure hardware products are not regulated
✓ Product is sold in the EU marketOnly products exported to the EU market need compliance
✓ Product has data connectivity capabilityWired or wireless network connection
✓ Product is used to communicate with other devices or networksHas communication functionality
✓ Product does not fall under exclusion categoriesSpecific sectors like medical, automotive, aviation have separate regulations

If all of the above are “yes,” then the product is within the scope of CRA regulation.

For power electronics products, the vast majority of Energy Storage Systems (ESS), PV inverters, EV charging stations, and Energy Management Systems (EMS) fall within the scope of CRA regulation due to their network communication and remote monitoring capabilities.

Q2: How do I determine which risk category my product belongs to?

CRA classifies products with digital elements into four main categories:

Quick Classification Reference Table:

CategoryCharacteristicsCompliance PathwayNotified Body Required
DefaultGeneral products not in Class I or II Important, or CriticalInternal control procedure❌ No
Important Class IPerforms critical cybersecurity functions (firewall, authentication, etc.)Internal control* or EU-type examination❌/✅
Important Class IIHas hardware security functions or processes sensitive dataEU-type examination✅ Yes
CriticalUsed in critical infrastructure, contains security modulesEUCC certification✅ Yes

Core Principle: According to CRA regulations, Default is the default classification. Only products explicitly listed in CRA Annex III belong to Important or Critical categories.

Power Electronics Product Classification:

  • Energy Storage Systems (ESS) → Default
  • PV Inverters → Default
  • EV Charging Stations → Default
  • Energy Management Systems (EMS) → Default

Network connectivity, remote monitoring, and data processing functions of these products are normal features of Default category and do not automatically upgrade the classification. Unless the product contains a Hardware Security Module (HSM/SE), it maintains Default category classification.


Part II: Compliance Process

Q3: What is the Internal Control Procedure (Module A)?

Internal Control Procedure (Module A) is a process where manufacturers self-declare compliance, applicable to Default category products.

Technical Documentation Preparation → Compliance Assessment → EU Declaration of Conformity → CE Marking → Placing on Market

Manufacturer Obligations:

  1. Prepare technical documentation (CRA Annex II requirements)
  2. Conduct compliance assessment and testing
  3. Sign EU Declaration of Conformity
  4. Affix CE marking
  5. Maintain documentation for 10 years

Key Advantage: No notified body involvement required, lower cost, shorter timeframe (approximately 8-10 weeks).

flowchart LR
    A[Technical Documentation] --> B[Compliance Assessment]
    B --> C[Declaration of Conformity]
    C --> D[CE Marking]
    D --> E[Placing on Market]

    style A fill:#e3f2fd
    style B fill:#fff3e0
    style C fill:#e8f5e9
    style D fill:#ffccbc
    style E fill:#c8e6c9

Q4: What must be included in the technical documentation?

According to CRA Annex II, technical documentation must include the following:

Documentation ComponentSpecific Requirements
1. General DescriptionIntended use, software version, product illustrations, internal layout, user information
2. Design, Development, ProductionSystem architecture, software component architecture, design/development processes, vulnerability handling processes
3. Cybersecurity Risk AssessmentThreat modeling, risk analysis, mitigation measures
4. Support PeriodLength of support period and basis for determination (at least 5 years)
5. Harmonized StandardsHarmonized standards applied in whole or in part
6. Test ReportsCompliance test reports, verification test reports
7. Declaration of ConformityCopy of EU Declaration of Conformity
8. SBOMSoftware Bill of Materials (if applicable)

Retention Requirement: Technical documentation must be maintained for at least 10 years, calculated from the date the product was last placed on the market.


Part III: Technical Requirements

Q5: What are the basic cybersecurity requirements under CRA?

CRA Annex I Part I specifies the basic cybersecurity requirements that all products must meet, including 10 main categories:

Key Requirements Explained:

Requirement CategoryCore Points
Cybersecurity Risk AssessmentThroughout product lifecycle, documented and continuously updated
Secure by Default ConfigurationFactory configuration is secure, no additional setup required
Access ControlThree-in-one: authentication, authorization, session management
Cryptographic ProtectionData encryption, communication encryption, key management
Security UpdatesSignature verification, integrity protection, rollback mechanism

Q6: What is a Software Bill of Materials (SBOM)?

Software Bill of Materials (SBOM) is a detailed list of all software components used in a product.

Information SBOM Should Contain:

Information ItemDescriptionExample
Component NameName of software componentOpenSSL, FreeRTOS
Version NumberComponent version1.1.1, 10.4.3
SupplierComponent maintainerOpenSSL Project
LicenseOpen source license typeApache 2.0, MIT
Download SourceSource for obtaining componentGitHub URL
Hash ValueHash of componentSHA-256

Recommended Formats: SPDX or CycloneDX

Importance of SBOM:

  • Rapid identification of components affected by vulnerabilities
  • Improved supply chain transparency
  • Support for security assessment and audit

Q7: What are the stages of the vulnerability handling process?

According to CRA Annex I Part II, manufacturers must establish a complete vulnerability handling process:

Vulnerability Discovery → Vulnerability Report → Vulnerability Verification → Risk Assessment → Develop Fix → Testing & Verification → Release Update → Notify Users

Core Requirements:

RequirementDescription
SBOM MaintenanceContinuously update software bill of materials
CVD PolicyEstablish Coordinated Vulnerability Disclosure policy
Secure DistributionEnsure secure distribution of updates (signature + encryption)
Regular TestingConduct regular security testing and verification
Information SharingShare vulnerability information with third parties

Reporting Obligations:

  • Actively exploited vulnerabilities → Immediately report to EU CSIRT
  • Critical/High severity vulnerabilities → Immediately notify users
  • Medium/Low severity vulnerabilities → Notify within appropriate timeframe

Part IV: Export Compliance

Q8: What do Chinese manufacturers need to do to export to the EU?

Recommendation: Start preparation in 2026

CRA Timeline:

timeline
    title CRA Implementation Timeline
    section Completed
      2024-08 : CRA officially enters into force
    section Near Term
      2026-09 : Vulnerability reporting requirements effective
      2026-08 : Type A standards expected release
      2026-10 : Type B/C standards expected release
    section Long Term
      2027-10 : Common technical measures standards released
      2027-12 : CRA fully implemented
      2029-12 : Inventory product clearance period ends

Preparation Recommendations:

TimelineAction
2026Begin product classification assessment, gap analysis
Late 2026Establish vulnerability handling processes, prepare technical documentation
First Half 2027Complete compliance assessment for major products
By September 2027Ensure vulnerability reporting mechanism is ready
By December 2027All new products must be compliant

Why start preparing now?

  • Notified bodies may have backlogs
  • Product improvements take time
  • Documentation preparation requires resources
  • Vulnerability handling requires process establishment

Key Takeaways

  1. The vast majority of power electronics products belong to Default category, using Module A pathway, cost €10K-25K, timeframe 8-10 weeks

  2. Default is the default classification, network connectivity, remote control, payment functions, etc. do not automatically upgrade product classification

  3. Module A is a manufacturer self-declaration process, no notified body involvement required, most cost-effective compliance pathway

  4. Technical documentation must be maintained for 10 years, important basis for market surveillance audits

  5. Vulnerability handling is an ongoing obligation, requires establishing lifecycle-wide vulnerability management processes

  6. Vulnerability reporting requirements become effective from September 2026, need to establish vulnerability reporting channels in advance

  7. EN 40000 series are harmonized standards, using harmonized standards can simplify compliance assessment

  8. Micro-enterprises have partial exemptions, but core cybersecurity requirements must still be met

  9. Recommend starting preparation in 2026, allow sufficient time for product improvements and documentation preparation

  10. Existing certifications can be reused, RED EN 18031 certification can save 30-50% of compliance costs


Further Reading

If you need professional support with CRA compliance, our services include:

  • Product Classification Assessment - Accurately determine your product category
  • Gap Analysis - Identify gaps between your product and CRA requirements
  • Compliance Consulting - Full-process compliance guidance
  • Documentation Preparation - Assistance in preparing technical documentation
  • Testing Support - Coordinate cybersecurity testing
  • Training Services - CRA compliance training

Please contact us for more details.

Tags

#CRA #Cybersecurity #Compliance #FAQ #EU Regulation