What the CRA is
Regulation (EU) 2024/2847, the Cyber Resilience Act, is the EU's horizontal cybersecurity law for products with digital elements: essentially any software or connected hardware placed on the EU market. It puts binding cybersecurity obligations on the products themselves and on the processes behind them, across the whole lifecycle, with CE marking as the visible proof of conformity.
Key dates
11 June 2026: the provisions on notification of conformity assessment bodies apply. 11 September 2026: Article 14 reporting applies, including to products already on the market. 11 December 2027: full application, including the essential requirements, conformity assessment and CE marking.
Does it apply to you?
It covers any product whose intended purpose or reasonably foreseeable use involves a direct or indirect, logical or physical data connection to a device or network, which is a wide net. Main carve-outs: products already under their own sectoral regimes (medical devices, vehicles, aviation, marine equipment), products developed exclusively for national security or defence, and free and open-source software that is not supplied in the course of a commercial activity. Pure SaaS is generally outside scope, except "remote data-processing solutions" whose absence would prevent the product from performing one of its functions.
Which role are you?
Obligations turn on your role: manufacturer (full duties), importer (verify the manufacturer's conformity, keep records), distributor (due care, check the basics). Placing a product on the market under your own name or trademark, or substantially modifying one already on the market, makes you the manufacturer with the full set of duties.
What manufacturers must do
Product properties (Annex I Part I): placed on the market with no known exploitable vulnerabilities, secure-by-default configuration, protection of data confidentiality and integrity, access control, data minimisation, attack-surface limitation, exploitation mitigation, security logging, and a secure update mechanism. Processes (Part II): an SBOM, a vulnerability handling process that remediates without delay, regular security testing, a coordinated vulnerability disclosure (CVD) policy, public disclosure of fixed vulnerabilities, and secure, free distribution of security updates for the support period. All of it is evidenced in the technical documentation and an EU Declaration of Conformity.
Importers & distributors
The roles everyone forgets. Importers verify that the manufacturer carried out the conformity assessment, drew up the technical documentation and affixed the CE marking before placing the product on the market, add their own name and contact details, and keep a copy of the Declaration of Conformity available for the market surveillance authorities. Distributors check the visible basics (CE marking, Declaration of Conformity, manufacturer and importer identification) with due care. Both must act without undue delay when they know or have reason to believe a product is non-conforming or has a vulnerability.
The reporting obligation
From 11 September 2026, manufacturers report actively exploited vulnerabilities and severe incidents affecting product security through the single reporting platform operated by ENISA, with the national CSIRT designated as coordinator as the recipient: an early warning within 24 hours, a notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available (for vulnerabilities) or one month after the notification (for incidents). The clock starts when the manufacturer becomes aware, not when the fix is ready.
How to get ready
Confirm scope and role; classify the product (default, important or critical); stand up secure development and vulnerability handling; build the technical file; set the support period (at least five years unless the product's expected use time is shorter); and have the reporting runbook ready before September 2026. If you'd rather start from the artifacts, the CRA kit provides these documents organised by role, and the free scope check tells you which apply to you.
General information, not legal advice. Classification and several obligations are fact-specific; confirm against the current text and take advice on the high-stakes calls.