Preparing for the EU Cyber Resilience Act (CRA) 
  • Cyber Regulation


Kieran Larking

22 Jan 2026

TL;DR  

  • The EU Cyber Resilience Act (CRA) sets a mandatory baseline for security in digital products sold in the EU, covering their entire lifecycle from design to end of support. 
  • Products must meet 13 essential security requirements and 8 vulnerability handling requirements, including secure defaults, timely patching, and secure update mechanisms. 
  • Manufacturers must have formal processes for identifying, fixing, and publicly disclosing vulnerabilities, as well as providing free security updates. 
  • Non-compliance can result in significant fines, market restrictions, or product withdrawal, making cybersecurity both a technical and legal obligation. 

Raising the baseline for product security 

Product security has matured significantly over the last decade. Secure defaults, defined ownership of security risk, reliable update mechanisms, and structured vulnerability handling are now mainstream and well understood by experienced engineering and security teams. These practices are no longer aspirational. They are now the minimum required to build and operate digital products responsibly.  

The new EU Cyber Resilience Act (CRA) formalises this reality. Rather than introducing new security concepts, it codifies expectations that already exist across mature product security programmes and makes them enforceable across the EU market. The result is a consistent baseline for how software and hardware products with digital components are designed, maintained, and supported throughout their lifecycle. 

What is in scope 

The CRA is an EU regulation designed to improve the cybersecurity of software- and hardware-based digital products sold in or to the EU. It sets binding minimum cybersecurity requirements for products throughout their entire lifecycle: design and deployment, placement on the market, and ongoing maintenance.  

The act is intended to safeguard consumers and businesses within the EU when purchasing and operating these products, addressing both inadequate levels of cybersecurity and a lack of timely security updates and patching. In doing so, it allows consumers to easily identify which products implement the cybersecurity features appropriate for their intended application. Unlike earlier EU cyber legislation, which focused primarily on networks or specific sectors, the CRA applies horizontally across industries.  

If a product contains digital components and is placed on the EU market, it is likely to fall within scope. 

When obligations apply 

The CRA entered into force on the 10th of December 2024, with the primary obligations of the act applying from the 11th of December 2027. Reporting obligations will apply from the 11th of September 2026. 

Products will bear the CE marking to indicate that they comply with the CRA requirements, and national market surveillance authorities will enforce the rules. Note that conformity is treated as an ongoing assessment rather than a one-time declaration. 

Security requirements of the CRA 

The security requirements of the CRA are split into 13 essential requirements and 8 vulnerability handling requirements.  

Vendors need to be ready to meet all these criteria before December 2027. Although these requirements currently exist in law, they become enforceable and compulsory for products placed on the market from December 2027. 

These are shown in Annex I of the CRA and summarised below: 

13 essential requirements

  1. No known exploitable vulnerabilities: Products are not released with known exploitable vulnerabilities. 
  2. Secure by default: The default setting of the product on release should exhibit the strongest security configuration. 
  3. Security updates: The product must support security updates, automatic by default. Users are clearly informed about the option to opt out or delay. 
  4. No unauthorised access: Sufficient access controls are implemented within the product to prevent unauthorised access. 
  5. Protect confidentiality of data: Data at rest and in transit is secure and encrypted. 
  6. Protect integrity of data: Data cannot be manipulated or modified by unauthorised users. Tampering or corruption is reported. 
  7. Minimisation of data: Only data necessary for the intended purpose of the product can be processed or collected. 
  8. Availability of data: Measures to defend against denial-of-service attacks. Basic functions remain after a security incident. 
  9. Availability of connected devices: Product does not interfere with the availability of other services or devices within a network. 
  10. Small attack surface: The product is designed and developed to present a small attack surface. 
  11. Attack mitigation: Mechanisms in place to minimise the impact of an attack, such as memory protection or sandboxing. 
  12. Logging: Internal activity is logged efficiently, such as config changes or unauthorised data access. Users must have the option to opt out. 
  13. Option for data removal: Users must have the option to permanently delete all settings and data stored on the product.  

What “vulnerability handling” means under the CRA 

Under the Cyber Resilience Act, vulnerability handling is treated as an ongoing responsibility rather than a one-off response. Manufacturers are expected to have processes in place to identify vulnerabilities, fix them in a timely manner, communicate clearly with users and researchers, and support products securely throughout their supported lifetime. 

The requirements below describe what this looks like in practice. 

The 8 core vulnerability handling requirements 

Manufacturers of products with digital elements must: 

  1. Vulnerability identification: Vulnerabilities and components are identified and documented, including a software bill of materials (SBOM) listing the product's components.  
  2. Timely remediation: Identified vulnerabilities are addressed and remediated without delay, including through the provision of security updates, proportionate to the risks posed. 
  3. Security testing and review: Effective and regular testing and security reviews are performed to identify vulnerabilities in the product with digital elements. 
  4. Public vulnerability disclosure: Information on fixed vulnerabilities is publicly disclosed once updates are available, including affected products, impact, severity, and guidance to support remediation. 
  5. Coordinated vulnerability disclosure policy: A formal and enforced coordinated vulnerability disclosure policy is in place. 
  6. Vulnerability reporting channels: Measures exist to facilitate vulnerability reporting and information sharing, including a dedicated contact address for vulnerabilities in the product and its third-party components. 
  7. Secure update distribution: Secure mechanisms are implemented to distribute updates, ensuring exploitable vulnerabilities are fixed or mitigated in a timely manner. 
  8. Free and timely security updates: Security patches and updates addressing identified security issues are provided without delay, free of charge, and accompanied by advisory information for users. 

What consumers should expect

  • Products arriving secure by default, with fewer unsafe settings enabled out of the box 
  • Clearer security information from manufacturers, including update and support periods 
  • Regular, free security updates to address known vulnerabilities 
  • Greater transparency about vulnerabilities, including guidance on what action to take 
  • Defined end of support dates, requiring more informed purchasing and usage decisions 
  • A more active role in applying updates and following security guidance 

Fines and enforcement

The CRA introduces enforcement mechanisms comparable to other major EU regulations. 

Administrative fines can reach up to 15 million euros or 2.5 percent of global annual turnover, depending on the infringement. Authorities may also require corrective actions, restrict market access, or mandate the withdrawal of non-compliant products. 

Cybersecurity failures therefore represent not just technical risk, but legal, financial, and reputational risk. Article 53 of the CRA details the penalties.

Conclusion 

In summary, the CRA will fully enforce the security of products distributed within the EU once it is rolled out fully in 2027. This will benefit consumers and organisations through a heightened level of security that protects the confidentiality, integrity and availability of their data. Vendors, however, should be aware that these are rules that must be followed in order to sell and maintain their products in the EU. Otherwise, products may be removed from circulation or vendors may incur large fines. 

With our day-to-day life filled with a variety of IoT devices such as smart fridges, smart watches, smart this, smart that, the scope for cybersecurity attacks is greater than it has ever been. Compliance, not just with the CRA, helps protect vendors and consumers from threats posed by bad actors.