CRA GUIDE

The Cyber Resilience Act, in plain language

What the CRA is, who it affects, and what you actually have to do — for manufacturers, importers and distributors, not lawyers.

updated 2026-06-23 · v1.4 · Reg (EU) 2024/2847

What the CRA is

Regulation (EU) 2024/2847 is the EU's horizontal cybersecurity law for products with digital elements — essentially any software or connected hardware on the EU market. It puts binding cybersecurity obligations on the products themselves, across their lifecycle, with CE marking as the proof.

Key dates

11 September 2026 — Article 14 reporting applies, including to products already on the market.
11 December 2027 — full application: essential requirements, conformity assessment, CE marking.


Does it apply to you?

It covers products whose use involves a data connection to a device or network — a wide net. Main carve-outs: products under their own regimes (medical devices, vehicles, aviation, marine) and national-security/defence. Pure SaaS is generally outside, except "remote data-processing solutions" integral to a product.

Which role are you?

Obligations turn on your role — manufacturer (full duties), importer (verify the manufacturer's conformity, keep records), distributor (due care, check the basics). Rebranding or substantially modifying a product makes you the manufacturer.

What manufacturers must do

Product properties (Annex I Part I): no known exploitable vulnerabilities at release, secure-by-default, data confidentiality and integrity, access control, attack-surface minimisation, logging, secure updates. Processes (Part II): SBOM, vulnerability handling, regular testing, a CVD policy, secure update distribution — all evidenced in technical documentation and an EU Declaration of Conformity.

Importers & distributors

The roles everyone forgets. Importers verify the manufacturer did their part before placing on the market, add their own identification, and keep records. Distributors check the visible basics with due care. Both act without undue delay on a vulnerability.

The reporting obligation

From 11 September 2026, manufacturers report actively exploited vulnerabilities and severe incidents via the ENISA platform: early warning within 24 hours, notification within 72, a final report after. The clock starts at awareness.

How to get ready

Confirm scope and role; classify the product; stand up secure development and vulnerability handling; build the technical file; set the support period; and have the reporting runbook ready before September 2026. If you'd rather start from the artifacts, the CRA kit contains those documents, organised by role, and the free scope check tells you which of them apply to you.


General information, not legal advice. Classification and several obligations are fact-specific; confirm against the current text and take advice on the high-stakes calls.