Skip to content

AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Conformi/Knowledge Base/Cybersecurity/CRA
🛡️Cybersecurity & IT

Cyber Resilience Act (CRA) — Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements

Analysis from 17 April 20263 sourcesOriginal version of Regulation (EU) 2024/2847, supplemented by Art. 104 of (EU) 2025/327 of 11 February 2025 — separate conformity pathway for EHR systems; EHDS staggered application from 26 March 2027.EUR-Lex Original

Which of our connected products need a cybersecurity overhaul before the Cyber Resilience Act kicks in — and what happens if we miss the deadline?

Any product with digital elements sold in the EU must meet mandatory cybersecurity-by-design requirements by 11 December 2027 — non-compliance exposes manufacturers to fines of up to EUR 15 million or 2.5% of global turnover; Regulation (EU) 2025/327 (EHDS) amends CRA via Art. 104 so that EHR systems demonstrate conformity through the EHDS conformity procedure (Chapter III EHDS) rather than the standard CRA pathway [Art. 32(5a) CRA, inserted by (EU) 2025/327 Art. 104 (EU) 2025/327 paragraph 3].

Short Answer

The Cyber Resilience Act (CRA) introduces horizontal cybersecurity obligations for all products with digital elements placed on the EU market, covering both hardware and software including their remote data processing solutions [Art. 2(1)]. Manufacturers must conduct cybersecurity risk assessments, deliver products without known exploitable vulnerabilities, provide security updates for at least five years, and maintain a software bill of materials [Art. 13, Annex I]. Actively exploited vulnerabilities must be reported to ENISA and the relevant CSIRT within 24 hours [Art. 14(2)(a)]. Important products (Annex III) and critical products (Annex IV) face stricter conformity assessment procedures involving third-party audits [Art. 32(2), (3)]. Regulation (EU) 2025/327 of 11 February 2025 (European Health Data Space, EHDS) amends the CRA through Art. 104 (EU) 2025/327 on three points: (1) for products subject to multiple Union acts, the cybersecurity risk assessment may form part of the assessment required by those other acts [new Art. 13(4) CRA]; (2) a single set of technical documentation may be drawn up [new Art. 31(3) CRA]; (3) manufacturers of EHR systems with digital elements demonstrate conformity with the CRA essential requirements through the conformity-assessment procedure in Chapter III of the EHDS [Art. 32(5a) CRA, inserted by (EU) 2025/327 Art. 104 (EU) 2025/327 paragraph 3]. The main CRA obligations remain unchanged.

Who is affected

All economic operators — manufacturers, importers, and distributors — placing products with digital elements on the EU market, whether for payment or free of charge [Art. 3(13)]. This includes standalone software, hardware with embedded software, and components. Excluded: medical devices (Reg. 2017/745, 2017/746), motor vehicles (Reg. 2019/2144), aviation products (Reg. 2018/1139), marine equipment (Dir. 2014/90/EU), and products developed exclusively for national security or defence [Art. 2(2)-(7)]. Open-source software stewards have lighter obligations and are exempt from administrative fines [Art. 25, Art. 64(10)(b)]. Additionally in scope under the EHDS amendment: manufacturers of electronic health record systems (EHR systems) with digital elements — they use the EHDS conformity procedure instead of the standard CRA route.

Deadline

Vulnerability and incident reporting obligations (Art. 14) apply from 11 September 2026. Notified body framework (Chapter IV, Art. 35-51) applies from 11 June 2026. Full application of all remaining obligations from 11 December 2027 [Art. 71(2)]. Products placed on the market before 11 December 2027 are only subject to new requirements if substantially modified, except that Art. 14 reporting applies to all in-scope products regardless [Art. 69(2), (3)]. The EHDS amendments to the CRA are formally in force with publication of the EHDS; their practical effect follows the staggered EHDS application from 26 March 2027 (EHR systems) and 26 March 2029/2031 for individual data categories [Art. 105 (EU) 2025/327].

Risk

Ceiling: EUR 15 million or 2.5% of worldwide annual turnover for non-compliance with essential cybersecurity requirements (Annex I) and manufacturer obligations (Art. 13, 14) [Art. 64(2)]. Secondary tier: EUR 10 million or 2% for other regulatory obligations [Art. 64(3)]. Providing misleading information to authorities: EUR 5 million or 1% [Art. 64(4)]. Micro- and small enterprises are exempt from fines for late early-warning notifications [Art. 64(10)(a)]. Market surveillance authorities may additionally order withdrawal or recall of non-compliant products [Art. 54].

Proof

Legal status

  • In force
  • as of 2026-05-12
  • Original version of Regulation (EU) 2024/2847, supplemented by Art. 104 of (EU) 2025/327 of 11 February 2025 — separate conformity pathway for EHR systems; EHDS staggered application from 26 March 2027.

Primary sources

What to do now

Legal / DPO

  • Map every product with digital elements in your portfolio against the scope exclusions in Art. 2(2)-(7) and the important/critical product lists in Annexes III and IV to determine which conformity assessment route applies [Art. 32].
  • Review and update supply chain contracts to include cybersecurity risk assessment obligations and vulnerability handling requirements for third-party components, as required by the manufacturer's due diligence duty [Art. 13(5), (6)].
  • Prepare the EU declaration of conformity (Art. 28, Annex V) and ensure technical documentation (Art. 31, Annex VII) will be retained for at least 10 years or the full support period [Art. 13(13)].

Compliance

  • Establish a vulnerability reporting workflow that can deliver early-warning notifications to the relevant CSIRT and ENISA within 24 hours of discovering an actively exploited vulnerability, with follow-up within 72 hours and a final report within 14 days [Art. 14(2)].
  • Define and document the support period for each product — minimum five years — taking into account expected product lifetime, third-party component support, and ADCO guidance [Art. 13(8)].
  • Set up a coordinated vulnerability disclosure policy and a single point of contact for vulnerability reporting, as required by Annex I Part II and Art. 13(17).

IT / Security

  • Implement secure-by-default configurations, ensure products ship without known exploitable vulnerabilities, and enable automatic security updates that users can disable [Annex I, Part I(2)(a)-(c)].
  • Generate and maintain a software bill of materials (SBOM) covering all components, including open-source dependencies, in a machine-readable format [Annex I, Part II(1)].
  • Build a vulnerability handling process that covers identification, documentation, remediation, and timely delivery of security patches throughout the entire support period [Annex I, Part II].

Product / Engineering

  • Classify each product against Annex III (Class I and II for important products) and Annex IV (critical products) to determine whether self-assessment or third-party conformity assessment is required [Art. 7, Art. 8, Art. 32].
  • Integrate cybersecurity risk assessment into the product development lifecycle — from design through production, delivery, and maintenance — and document the outcome in the technical file [Art. 13(2)-(4), Annex VII].
  • Ensure user-facing documentation (Annex II) includes the support period end-date, instructions for secure installation and decommissioning, and information on how to report vulnerabilities [Art. 13(18), (19)].

Interactive checks for this legal act

Initial assessment based on the regulation. Not legal advice.

Start CRA product-scope check

Key Terms

Product with digital elements
Any software or hardware product and its remote data processing solutions, including components placed on the market separately, that has a direct or indirect data connection to a device or network [Art. 3(1)].
Software bill of materials (SBOM)
A formal, machine-readable record detailing the components and supply chain relationships within the software elements of a product with digital elements [Art. 3(39)].
Actively exploited vulnerability
A vulnerability for which reliable evidence exists that a malicious actor has exploited it in a system without the system owner's permission [Art. 3(42)].
Support period
The time during which a manufacturer must ensure effective vulnerability handling in accordance with Annex I Part II — at least five years unless the expected product lifetime is shorter [Art. 3(20), Art. 13(8)].
Open-source software steward
A legal person, other than a manufacturer, that systematically provides sustained support for the development of specific free and open-source products intended for commercial activities [Art. 3(14)].
Substantial modification
A change to a product with digital elements after its placing on the market that affects compliance with the essential cybersecurity requirements in Annex I Part I, or that changes the product's intended purpose [Art. 3(30)].
Conformity assessment
The process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled, carried out through self-assessment or third-party evaluation depending on the product category [Art. 3(27), Art. 32].
?

Frequently Asked Questions

Does the CRA apply to pure SaaS products?
The CRA applies to products with digital elements, defined as software or hardware and their remote data processing solutions [Art. 3(1)]. Pure SaaS that does not form part of a product with digital elements falls outside the CRA's scope. However, if the SaaS component is a 'remote data processing solution' without which the product cannot perform one of its functions, it is covered [Art. 3(2)].
Are open-source projects affected?
Free and open-source software made available outside the course of a commercial activity is not subject to manufacturer obligations [Recital 18]. However, 'open-source software stewards' — legal persons systematically supporting commercial open-source products — must put in place cybersecurity and vulnerability handling policies, though they are exempt from administrative fines [Art. 25, Art. 64(10)(b)].
What qualifies as an 'important' or 'critical' product?
Important products are listed in Annex III across two classes: Class I includes items such as identity management systems, browsers, VPNs, operating systems, and routers; Class II includes hypervisors, firewalls, and tamper-resistant microprocessors [Art. 7]. Critical products (Annex IV) include hardware security boxes, smart meter gateways, and smartcards [Art. 8]. Classification determines the applicable conformity assessment route.
What are the reporting deadlines for actively exploited vulnerabilities?
Manufacturers must submit an early-warning notification within 24 hours, a detailed vulnerability notification within 72 hours, and a final report within 14 days after a corrective measure is available [Art. 14(2)]. For severe incidents, the final report is due within one month of the incident notification [Art. 14(4)(c)]. All reports go through ENISA's single reporting platform [Art. 16].
How long must security updates be provided?
Manufacturers must handle vulnerabilities for the entire support period, which must be at least five years unless the product's expected use time is shorter [Art. 13(8)]. Each security update must remain available for at least 10 years or the remainder of the support period, whichever is longer [Art. 13(9)].
What happens to products already on the market when the CRA applies?
Products placed on the market before 11 December 2027 only become subject to CRA requirements if they undergo a substantial modification after that date [Art. 69(2)]. However, the vulnerability and incident reporting obligations under Art. 14 apply to all in-scope products already on the market, regardless of modification [Art. 69(3)].
Is a software bill of materials (SBOM) mandatory to share with customers?
Manufacturers must generate an SBOM covering at minimum the top-level dependencies of the product [Annex I, Part II(1)]. The SBOM must be included in the technical documentation but does not have to be shared with end-users — sharing is optional, though the manufacturer must inform users where to access it if they choose to make it available [Annex II, point 9].
3

Assessment Factors & Checklist

Premium
Try for free
4

Questions for Your Lawyer

Premium
Try for free
5

Conclusion & Summary

Premium
Try for free

Detailed analysis with source links.

Schalten Sie die KI-Analyse frei — mit markierten Fundstellen und direkten Links zu EUR-Lex. Kostenlos prüfen mit Scout.

Try for free

Keine Kreditkarte. 50 Recherchen + 5 KI-Analysen frei.