Regulation (EU) 2024/2847
Cyber Resilience Act (status: phasing in)
Horizontal cybersecurity requirements for 'products with digital elements' — connectable hardware and software. In force since 10 December 2024; vulnerability/incident reporting duties start 11 September 2026 and the main obligations (including CE marking against the CRA) apply from 11 December 2027.
Applies to
Hardware and software products with digital elements that can be connected directly or indirectly to a device or network — from baby monitors and smart watches to apps and firmware — including their remote data processing solutions. Sector-specific regimes (e.g. medical devices, vehicles) are carved out.
Key obligations
- Design, develop and produce the product in line with the essential cybersecurity requirements of Annex I, based on a documented cybersecurity risk assessment ('security by design').
- Handle vulnerabilities for the product's support period, which must reflect the time the product is expected to be in use — generally no less than five years — including providing security updates.
- From 11 September 2026: report actively exploited vulnerabilities and severe incidents — early warning within 24 hours of awareness, full notification within 72 hours, and a final report within 14 days (vulnerabilities) or one month (incidents) — via the CRA Single Reporting Platform to your CSIRT coordinator and ENISA.
- Carry out a conformity assessment, draw up technical documentation and an EU Declaration of Conformity, and affix the CE marking before placing the product on the market (from 11 December 2027).
- Products of particular cybersecurity relevance — 'important' products (Annex III, classes I and II) and 'critical' products (Annex IV) — face stricter conformity assessment, potentially requiring a notified body; the categories are detailed in Implementing Regulation (EU) 2025/2392.
Conformity routes
- Self-assessment — internal control (Module A): the default route for products that are not listed as important or critical.
- Third-party assessment via notified body: required for important products (Annex III) unless they fully apply relevant harmonised standards (class-dependent — verify against Annex III class I vs class II rules); options include EU-type examination or full quality assurance.
- European cybersecurity certification: critical products (Annex IV) may be required to obtain a European cybersecurity certificate under a designated certification scheme.
Documentation
- Cybersecurity risk assessment: documented and kept up to date; feeds design decisions and the technical documentation.
- Technical documentation and EU Declaration of Conformity: covering the Annex I essential requirements and the vulnerability handling processes.
- User information and instructions: including the support period end date and how users receive security updates.
Marking requirements
- Products in scope will bear the CE marking to indicate compliance with the CRA's requirements (applies with the main obligations from 11 December 2027).
Key dates
- 2024-12-10: CRA entered into force.
- 2026-06-11: Chapter IV (notification of conformity assessment bodies / notified bodies) applies.
- 2026-09-11: Article 14 reporting obligations apply — manufacturers must report actively exploited vulnerabilities and severe incidents (24h early warning / 72h notification / 14-day or 1-month final report).
- 2027-12-11: Main obligations apply — essential requirements, conformity assessment and CE marking for all products with digital elements placed on the market.
Penalties
Administrative fines of up to EUR 15 million or 2.5% of the manufacturer's global annual turnover, whichever is higher, for non-compliance with the essential requirements; lower tiers apply to other breaches. Enforcement is handled by the Member States.
Applies to these product types
- Audio / video equipment
- Baby and nursery product
- Batteries and power banks
- Cameras and optics
- Candles and home fragrance
- Chargers and power supplies
- Children's product (non-toy)
- Computer peripheral
- Consumer electronics (mains-powered)
- Drone / UAS
- E-mobility (e-bikes, e-scooters)
- Food-contact products
- Furniture
- Garden and outdoor equipment
- General consumer product
- Household appliance
- Jewellery and accessories
- Lighting
- Machinery and industrial equipment
- Pet products
- Power tool
- PPE and safety gear
- Smart home product
- Sports and fitness equipment
- Textiles and apparel
- Toy
- Wearable device
- Wireless / IoT device
Frequently asked
When do I actually have to comply with the Cyber Resilience Act?
Two dates matter: from 11 September 2026 you must report actively exploited vulnerabilities and severe incidents (24-hour early warning), and from 11 December 2027 every product with digital elements placed on the EU market must meet the full requirements and carry CE marking against the CRA.
Does the CRA apply to a simple IoT gadget or only to software companies?
Both. Any connectable hardware or software product with digital elements is in scope — smart plugs, baby monitors, wearables, apps and their remote data processing. Sector regimes like medical devices are excluded because they have their own cybersecurity rules.
How long must I provide security updates?
For the product's support period, which must reflect how long the product is expected to be used — generally no less than five years, unless the product's own lifetime is shorter. The support period end date must be communicated to buyers.
Will I need a notified body?
Most products can self-assess (internal control). 'Important' products listed in Annex III (e.g. certain security and network products) face stricter routes that can require a notified body, and 'critical' Annex IV products may need European cybersecurity certification.
How does the CRA relate to the RED cybersecurity requirements?
They overlap: the RED delegated regulation has required cybersecurity for internet-connected radio equipment since 1 August 2025, while the CRA's broader regime applies fully from 11 December 2027. Until then, radio products must meet the RED requirements; plan for the CRA to become the comprehensive baseline.