CRA Compliance Essentials: 10 FAQs Answered
The EU Cyber Resilience Act (CRA) officially entered into force on December 12, 2024, and will be fully implemented on December 11, 2027. This regulation establishes mandatory cybersecurity requirements for any “product with digital elements” placed on the EU market.
For Chinese power electronics manufacturers, CRA compliance presents both a challenge and a necessary threshold for entering the EU market. This article addresses the 10 most common CRA compliance questions, covering four core areas: product classification, compliance processes, technical requirements, and export compliance.
Part I: Product Classification
Q1: Is my product within the scope of CRA regulation?
To determine whether your product falls within the scope of CRA regulation, use the following checklist:
| Checklist Item | Description |
|---|---|
| ✓ Product contains software or firmware | Pure hardware products are not regulated |
| ✓ Product is sold in the EU market | Only products exported to the EU market need compliance |
| ✓ Product has data connectivity capability | Wired or wireless network connection |
| ✓ Product is used to communicate with other devices or networks | Has communication functionality |
| ✓ Product does not fall under exclusion categories | Specific sectors like medical, automotive, aviation have separate regulations |
If all of the above are “yes,” then the product is within the scope of CRA regulation.
For power electronics products, the vast majority of Energy Storage Systems (ESS), PV inverters, EV charging stations, and Energy Management Systems (EMS) fall within the scope of CRA regulation due to their network communication and remote monitoring capabilities.
Q2: How do I determine which risk category my product belongs to?
CRA classifies products with digital elements into four main categories:
Quick Classification Reference Table:
| Category | Characteristics | Compliance Pathway | Notified Body Required |
|---|---|---|---|
| Default | General products not in Class I or II Important, or Critical | Internal control procedure | ❌ No |
| Important Class I | Performs critical cybersecurity functions (firewall, authentication, etc.) | Internal control* or EU-type examination | ❌/✅ |
| Important Class II | Has hardware security functions or processes sensitive data | EU-type examination | ✅ Yes |
| Critical | Used in critical infrastructure, contains security modules | EUCC certification | ✅ Yes |
Core Principle: According to CRA regulations, Default is the default classification. Only products explicitly listed in CRA Annex III belong to Important or Critical categories.
Power Electronics Product Classification:
- Energy Storage Systems (ESS) → Default
- PV Inverters → Default
- EV Charging Stations → Default
- Energy Management Systems (EMS) → Default
Network connectivity, remote monitoring, and data processing functions of these products are normal features of Default category and do not automatically upgrade the classification. Unless the product contains a Hardware Security Module (HSM/SE), it maintains Default category classification.
Part II: Compliance Process
Q3: What is the Internal Control Procedure (Module A)?
Internal Control Procedure (Module A) is a process where manufacturers self-declare compliance, applicable to Default category products.
Technical Documentation Preparation → Compliance Assessment → EU Declaration of Conformity → CE Marking → Placing on Market
Manufacturer Obligations:
- Prepare technical documentation (CRA Annex II requirements)
- Conduct compliance assessment and testing
- Sign EU Declaration of Conformity
- Affix CE marking
- Maintain documentation for 10 years
Key Advantage: No notified body involvement required, lower cost, shorter timeframe (approximately 8-10 weeks).
flowchart LR
A[Technical Documentation] --> B[Compliance Assessment]
B --> C[Declaration of Conformity]
C --> D[CE Marking]
D --> E[Placing on Market]
style A fill:#e3f2fd
style B fill:#fff3e0
style C fill:#e8f5e9
style D fill:#ffccbc
style E fill:#c8e6c9
Q4: What must be included in the technical documentation?
According to CRA Annex II, technical documentation must include the following:
| Documentation Component | Specific Requirements |
|---|---|
| 1. General Description | Intended use, software version, product illustrations, internal layout, user information |
| 2. Design, Development, Production | System architecture, software component architecture, design/development processes, vulnerability handling processes |
| 3. Cybersecurity Risk Assessment | Threat modeling, risk analysis, mitigation measures |
| 4. Support Period | Length of support period and basis for determination (at least 5 years) |
| 5. Harmonized Standards | Harmonized standards applied in whole or in part |
| 6. Test Reports | Compliance test reports, verification test reports |
| 7. Declaration of Conformity | Copy of EU Declaration of Conformity |
| 8. SBOM | Software Bill of Materials (if applicable) |
Retention Requirement: Technical documentation must be maintained for at least 10 years, calculated from the date the product was last placed on the market.
Part III: Technical Requirements
Q5: What are the basic cybersecurity requirements under CRA?
CRA Annex I Part I specifies the basic cybersecurity requirements that all products must meet, including 10 main categories:
Key Requirements Explained:
| Requirement Category | Core Points |
|---|---|
| Cybersecurity Risk Assessment | Throughout product lifecycle, documented and continuously updated |
| Secure by Default Configuration | Factory configuration is secure, no additional setup required |
| Access Control | Three-in-one: authentication, authorization, session management |
| Cryptographic Protection | Data encryption, communication encryption, key management |
| Security Updates | Signature verification, integrity protection, rollback mechanism |
Q6: What is a Software Bill of Materials (SBOM)?
Software Bill of Materials (SBOM) is a detailed list of all software components used in a product.
Information SBOM Should Contain:
| Information Item | Description | Example |
|---|---|---|
| Component Name | Name of software component | OpenSSL, FreeRTOS |
| Version Number | Component version | 1.1.1, 10.4.3 |
| Supplier | Component maintainer | OpenSSL Project |
| License | Open source license type | Apache 2.0, MIT |
| Download Source | Source for obtaining component | GitHub URL |
| Hash Value | Hash of component | SHA-256 |
Recommended Formats: SPDX or CycloneDX
Importance of SBOM:
- Rapid identification of components affected by vulnerabilities
- Improved supply chain transparency
- Support for security assessment and audit
Q7: What are the stages of the vulnerability handling process?
According to CRA Annex I Part II, manufacturers must establish a complete vulnerability handling process:
Vulnerability Discovery → Vulnerability Report → Vulnerability Verification → Risk Assessment → Develop Fix → Testing & Verification → Release Update → Notify Users
Core Requirements:
| Requirement | Description |
|---|---|
| SBOM Maintenance | Continuously update software bill of materials |
| CVD Policy | Establish Coordinated Vulnerability Disclosure policy |
| Secure Distribution | Ensure secure distribution of updates (signature + encryption) |
| Regular Testing | Conduct regular security testing and verification |
| Information Sharing | Share vulnerability information with third parties |
Reporting Obligations:
- Actively exploited vulnerabilities → Immediately report to EU CSIRT
- Critical/High severity vulnerabilities → Immediately notify users
- Medium/Low severity vulnerabilities → Notify within appropriate timeframe
Part IV: Export Compliance
Q8: What do Chinese manufacturers need to do to export to the EU?
Recommendation: Start preparation in 2026
CRA Timeline:
timeline
title CRA Implementation Timeline
section Completed
2024-08 : CRA officially enters into force
section Near Term
2026-09 : Vulnerability reporting requirements effective
2026-08 : Type A standards expected release
2026-10 : Type B/C standards expected release
section Long Term
2027-10 : Common technical measures standards released
2027-12 : CRA fully implemented
2029-12 : Inventory product clearance period ends
Preparation Recommendations:
| Timeline | Action |
|---|---|
| 2026 | Begin product classification assessment, gap analysis |
| Late 2026 | Establish vulnerability handling processes, prepare technical documentation |
| First Half 2027 | Complete compliance assessment for major products |
| By September 2027 | Ensure vulnerability reporting mechanism is ready |
| By December 2027 | All new products must be compliant |
Why start preparing now?
- Notified bodies may have backlogs
- Product improvements take time
- Documentation preparation requires resources
- Vulnerability handling requires process establishment
Key Takeaways
-
The vast majority of power electronics products belong to Default category, using Module A pathway, cost €10K-25K, timeframe 8-10 weeks
-
Default is the default classification, network connectivity, remote control, payment functions, etc. do not automatically upgrade product classification
-
Module A is a manufacturer self-declaration process, no notified body involvement required, most cost-effective compliance pathway
-
Technical documentation must be maintained for 10 years, important basis for market surveillance audits
-
Vulnerability handling is an ongoing obligation, requires establishing lifecycle-wide vulnerability management processes
-
Vulnerability reporting requirements become effective from September 2026, need to establish vulnerability reporting channels in advance
-
EN 40000 series are harmonized standards, using harmonized standards can simplify compliance assessment
-
Micro-enterprises have partial exemptions, but core cybersecurity requirements must still be met
-
Recommend starting preparation in 2026, allow sufficient time for product improvements and documentation preparation
-
Existing certifications can be reused, RED EN 18031 certification can save 30-50% of compliance costs
Further Reading
If you need professional support with CRA compliance, our services include:
- Product Classification Assessment - Accurately determine your product category
- Gap Analysis - Identify gaps between your product and CRA requirements
- Compliance Consulting - Full-process compliance guidance
- Documentation Preparation - Assistance in preparing technical documentation
- Testing Support - Coordinate cybersecurity testing
- Training Services - CRA compliance training
Please contact us for more details.