Cyber Resilience Act (Regulation (EU) 2024/2847)

Status: phasing in

Horizontal cybersecurity requirements for 'products with digital elements' — connectable hardware and software. In force since 10 December 2024; vulnerability/incident reporting duties start 11 September 2026 and the main obligations (including CE marking against the CRA) apply from 11 December 2027.


Applies to

Hardware and software products with digital elements that can be connected directly or indirectly to a device or network — from baby monitors and smart watches to apps and firmware — including their remote data processing solutions. Sector-specific regimes (e.g. medical devices, vehicles) are carved out.

Key obligations

  1. Design, develop and produce the product in line with the essential cybersecurity requirements of Annex I, based on a documented cybersecurity risk assessment ('security by design').
  2. Handle vulnerabilities for the product's support period, which must reflect the time the product is expected to be in use — generally no less than five years — including providing security updates.
  3. From 11 September 2026: report actively exploited vulnerabilities and severe incidents — early warning within 24 hours of awareness, full notification within 72 hours, and a final report within 14 days (vulnerabilities) or one month (incidents) — via the CRA Single Reporting Platform to your CSIRT coordinator and ENISA.
  4. Carry out a conformity assessment, draw up technical documentation and an EU Declaration of Conformity, and affix the CE marking before placing the product on the market (from 11 December 2027).
  5. Products of particular cybersecurity relevance — 'important' products (Annex III, classes I and II) and 'critical' products (Annex IV) — face stricter conformity assessment, potentially requiring a notified body; the categories are detailed in Implementing Regulation (EU) 2025/2392.

Conformity routes

  • Self-assessment — internal control (Module A): the default route for products that are not listed as important or critical.
  • Third-party assessment via notified body: required for important products (Annex III) unless they fully apply relevant harmonised standards (class-dependent — verify against Annex III class I vs class II rules); options include EU-type examination or full quality assurance.
  • European cybersecurity certification: critical products (Annex IV) may be required to obtain a European cybersecurity certificate under a designated certification scheme.

Documentation

  • Cybersecurity risk assessment: documented and kept up to date; feeds design decisions and the technical documentation.
  • Technical documentation and EU Declaration of Conformity: covering the Annex I essential requirements and the vulnerability handling processes.
  • User information and instructions: including the support period end date and how users receive security updates.

Marking requirements

  • Products in scope will bear the CE marking to indicate compliance with the CRA's requirements (applies with the main obligations from 11 December 2027).

Key dates

  • 2024-12-10: CRA entered into force.
  • 2026-06-11: Chapter IV (notification of conformity assessment bodies / notified bodies) applies.
  • 2026-09-11: Article 14 reporting obligations apply — manufacturers must report actively exploited vulnerabilities and severe incidents (24-hour early warning / 72-hour notification / 14-day or 1-month final report).
  • 2027-12-11: Main obligations apply — essential requirements, conformity assessment and CE marking for all products with digital elements placed on the market.

Penalties

Administrative fines of up to EUR 15 million or 2.5% of the manufacturer's total worldwide annual turnover, whichever is higher, for non-compliance with the essential requirements; lower tiers apply to other breaches. Member States handle enforcement.

Frequently asked

When do I actually have to comply with the Cyber Resilience Act?

Two dates matter: from 11 September 2026 you must report actively exploited vulnerabilities and severe incidents (24-hour early warning), and from 11 December 2027 every product with digital elements placed on the EU market must meet the full requirements and carry CE marking against the CRA.

Does the CRA apply to a simple IoT gadget or only to software companies?

Both. Any connectable hardware or software product with digital elements is in scope — smart plugs, baby monitors, wearables, apps and their remote data processing. Sector regimes like medical devices are excluded because they have their own cybersecurity rules.

How long must I provide security updates?

For the product's support period, which must reflect how long the product is expected to be used — generally no less than five years, unless the product's own lifetime is shorter. The support period end date must be communicated to buyers.

Will I need a notified body?

Most products can self-assess (internal control). 'Important' products listed in Annex III (e.g. certain security and network products) face stricter routes that can require a notified body, and 'critical' Annex IV products may need European cybersecurity certification.

How does the CRA relate to the RED cybersecurity requirements?

They overlap: the RED delegated regulation has required cybersecurity for internet-connected radio equipment since 1 August 2025, while the CRA's broader regime applies fully from 11 December 2027. Until then, radio products must meet the RED requirements; plan for the CRA to become the comprehensive baseline.
