Cyber Resilience Act

The EU Cyber Resilience Act (CRA): A Practical Guide for Product Teams

Regulation (EU) 2024/2847 sets mandatory cybersecurity requirements for products with digital elements. This guide explains who is in scope, what the essential requirements cover, your SBOM and vulnerability-reporting duties, when the rules apply, and what the penalties are.

By the NormScout Compliance Team · Updated July 2026 · 9 min read

Reviewed against the official EUR-Lex texts.

← Back to Blog

The Cyber Resilience Act, Regulation (EU) 2024/2847, is the first EU law to put baseline cybersecurity obligations on the manufacturers of connected products, rather than leaving security to sector rules and customer contracts. If you make hardware or software that connects to anything and sell it in the EU, the default assumption should be that it reaches you. It also reaches the product for as long as it is supported, not just at the point of sale.

The scoping test: a product is in scope if it has digital elements with a direct or indirect data connection to a device or network (Article 3), is made available on the EU market, and isn't carved out by sector law. Most connected products clear that bar.

What counts as a product with digital elements

The definition is deliberately broad: any software or hardware product, together with its remote data-processing components, whose intended or reasonably foreseeable use involves a data connection to a device or network. That takes in IoT hardware, desktop and mobile applications, operating systems, network equipment and connected components alike. The connection can be indirect — a sensor that only ever talks to a hub is still in scope.

The main carve-outs are products already governed by equivalent sector regimes, such as medical devices, motor vehicles and civil aviation, and open-source software supplied outside the course of a commercial activity.

Product classes

Scope tells you the Act applies. The product class tells you how heavy the conformity route is — and whether you can self-assess or need a notified body.

ClassExamplesAssessment route
DefaultThe majority of connected productsManufacturer self-assessment
Important, Class IPassword managers, VPNs, network-management tools, browsersSelf-assessment against harmonised standards, or a third party
Important, Class IIOperating systems, firewalls, microcontrollersThird-party (notified body) assessment
CriticalHardware security modules, smart-meter gatewaysStricter conformity, with potential mandatory EU certification

The essential requirements

Annex I is the heart of the Act. A product must ship configured securely by default and free of known exploitable vulnerabilities, and the manufacturer must be able to push security updates — free, and for a support period that reflects how long the product is reasonably expected to be in use. Around the product itself sit the process obligations: keep a software bill of materials covering the top-level dependencies, run a coordinated vulnerability disclosure process with a published contact point, apply the expected data-minimisation and access controls, and pass a conformity assessment before affixing CE marking.

Reporting

Two duties bite earlier than the rest. From 11 September 2026, a manufacturer must notify ENISA and the relevant CSIRT of any actively exploited vulnerability and any severe incident: an early warning within 24 hours, then fuller reporting (European Commission — CRA). This is the obligation teams most often underestimate, because it assumes the monitoring and the incident process are already running by the time they need them.

Deadlines

DateWhat applies
December 2024Regulation enters into force
11 September 2026Vulnerability- and incident-reporting duties apply
11 December 2027Essential requirements and CE marking apply in full

Penalties

Breaching the essential requirements or the core manufacturer obligations carries the top tier: up to €15 million or 2.5% of worldwide annual turnover, whichever is higher (Article 64). Other obligations fall to €10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or authorities to €5 million or 1%.

Where NormScout fits

The two questions that decide most of the work — is this in scope, and which class — turn on connectivity and function rather than on a single line of a spec sheet. NormScout settles both, then assesses the product against the CRA requirements, from the SBOM and update mechanism to the disclosure policy and documentation, and shows where the gaps are. Run the free assessment to map your obligations.

Frequently asked questions

What is the EU Cyber Resilience Act (CRA)?

Regulation (EU) 2024/2847. It sets mandatory cybersecurity requirements for products with digital elements, essentially any connected hardware or software, and makes the manufacturer responsible for security across the product's supported life: secure defaults, security updates, a software bill of materials, a vulnerability-disclosure process, and reporting of exploited vulnerabilities.

Does the Cyber Resilience Act apply to my product?

If the product has digital elements and can connect, directly or indirectly, to a device or network, and you make it available in the EU, assume it is in scope. The connection can be indirect: a device that only reaches a hub still counts. Products under equivalent sector law such as medical devices and vehicles, and genuinely non-commercial open-source, are the main exceptions.

What are the main obligations under the CRA?

Ship secure by default with no known exploitable vulnerabilities; provide free security updates for the support period; keep a software bill of materials; run and publish a coordinated vulnerability disclosure policy; apply data-minimisation and access controls; complete a conformity assessment and affix CE marking; and report actively exploited vulnerabilities and severe incidents to ENISA.

When does the Cyber Resilience Act take effect?

It entered into force in December 2024. The vulnerability- and incident-reporting duties apply from 11 September 2026; the full set of obligations, including the essential requirements and CE marking, from 11 December 2027. The reporting duties are the ones to plan for first, because they assume monitoring is already in place.

What are the penalties for breaching the CRA?

Up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaching the essential requirements or the core manufacturer obligations. Other breaches are capped at €10 million or 2%, and incorrect information to authorities at €5 million or 1%.

How do I check whether my product is CRA-compliant?

NormScout's free assessment determines whether the CRA applies, identifies your likely product class, and checks the product against each requirement, from the SBOM and update mechanism to the disclosure policy and documentation, with the gaps and the relevant article references laid out.

Sources & references

  1. Regulation (EU) 2024/2847, Cyber Resilience Act (full text, EUR-Lex)
  2. European Commission, The Cyber Resilience Act
  3. European Commission, CRA conformity assessment and product categories

This guide draws on the official regulation texts and European Commission guidance linked above. It is general information, not legal advice.