Cybersecurity Standard

CRA

EU Cyber Resilience Act (CRA) - Regulation (EU) 2024/2847

Official Documentation

Overview

The EU Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements marketed in the EU. It introduces product categories (Default, Important I & II, Critical) with different compliance requirements and costs (Default: €10K-25K, 8-10 weeks). The CRA includes harmonized standards EN 40000 series (40000-1-1 vocabulary, 1-2 principles, 1-3 vulnerability handling) and mandates a comprehensive vulnerability handling process (PRE/RCP/VRF/RMD/RLS/PRA phases). Full implementation starts 2027-12-11 with vulnerability reporting obligations from 2026-09-11.

Scope

Applies to hardware and software products with digital elements that are directly or indirectly connected to another device or network. Covers both consumer and professional products.

Key Requirements

1 Cybersecurity risk assessment
2 Secure by design and development
3 Vulnerability handling and disclosure
4 Security updates and patches
5 Technical documentation
6 EU Declaration of Conformity
7 Conformity assessment procedures
8 Post-market monitoring
9 Incident reporting obligations
10 CE marking for cybersecurity

Target Audience

Hardware manufacturers exporting to EU
Software developers and vendors
IoT device manufacturers
Product compliance managers
Importers and distributors
Digital service providers

Free Templates

Free Download

Get free document templates for CRA. Leave your contact information and we'll send the templates to your email, along with our full catalog.

Get Free Templates

We typically send templates within 24 hours

Related Articles

Deepen your understanding of CRA with these articles and best practices

Need CRA Compliance Support?

Our expert team provides comprehensive compliance consulting and certification support