The Cyber Resilience Act, Regulation (EU) 2024/2847, is the first EU law to put baseline cybersecurity obligations on the manufacturers of connected products, rather than leaving security to sector rules and customer contracts. If you make hardware or software that connects to anything and sell it in the EU, the default assumption should be that it reaches you. It also reaches the product for as long as it is supported, not just at the point of sale.
What counts as a product with digital elements
The definition is deliberately broad: any software or hardware product, together with its remote data-processing components, whose intended or reasonably foreseeable use involves a data connection to a device or network. That takes in IoT hardware, desktop and mobile applications, operating systems, network equipment and connected components alike. The connection can be indirect — a sensor that only ever talks to a hub is still in scope.
The main carve-outs are products already governed by equivalent sector regimes, such as medical devices, motor vehicles and civil aviation, and open-source software supplied outside the course of a commercial activity.
Product classes
Scope tells you the Act applies. The product class tells you how heavy the conformity route is — and whether you can self-assess or need a notified body.
| Class | Examples | Assessment route |
|---|---|---|
| Default | The majority of connected products | Manufacturer self-assessment |
| Important, Class I | Password managers, VPNs, network-management tools, browsers | Self-assessment against harmonised standards, or a third party |
| Important, Class II | Operating systems, firewalls, microcontrollers | Third-party (notified body) assessment |
| Critical | Hardware security modules, smart-meter gateways | Stricter conformity, with potential mandatory EU certification |
The essential requirements
Annex I is the heart of the Act. A product must ship configured securely by default and free of known exploitable vulnerabilities, and the manufacturer must be able to push security updates — free, and for a support period that reflects how long the product is reasonably expected to be in use. Around the product itself sit the process obligations: keep a software bill of materials covering the top-level dependencies, run a coordinated vulnerability disclosure process with a published contact point, apply the expected data-minimisation and access controls, and pass a conformity assessment before affixing CE marking.
Reporting
Two duties bite earlier than the rest. From 11 September 2026, a manufacturer must notify ENISA and the relevant CSIRT of any actively exploited vulnerability and any severe incident: an early warning within 24 hours, then fuller reporting (European Commission — CRA). This is the obligation teams most often underestimate, because it assumes the monitoring and the incident process are already running by the time they need them.
Deadlines
| Date | What applies |
|---|---|
| December 2024 | Regulation enters into force |
| 11 September 2026 | Vulnerability- and incident-reporting duties apply |
| 11 December 2027 | Essential requirements and CE marking apply in full |
Penalties
Breaching the essential requirements or the core manufacturer obligations carries the top tier: up to €15 million or 2.5% of worldwide annual turnover, whichever is higher (Article 64). Other obligations fall to €10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or authorities to €5 million or 1%.
Where NormScout fits
The two questions that decide most of the work — is this in scope, and which class — turn on connectivity and function rather than on a single line of a spec sheet. NormScout settles both, then assesses the product against the CRA requirements, from the SBOM and update mechanism to the disclosure policy and documentation, and shows where the gaps are. Run the free assessment to map your obligations.