EU AI Act & Cyber Resilience Act — 2026/2027 Deadlines

Is your product compliant with
EU's new digital regulations?

The EU AI Act and Cyber Resilience Act affect nearly every tech product sold in Europe. Get a free AI-powered assessment in under 10 minutes — no account required.

Start Free EU AI Act + CRA Check Request a demo for full platform access →

No sign-up required for free check  ·  Results in minutes  ·  Free

EU AI Act high-risk obligations — Aug 2026 | CRA full enforcement — Dec 2027 | Penalties up to €35M or 7% global turnover
Two Ways to Use NormScout

Start free. Go deeper when you need to.

FREE — NO SIGN-UP

EU AI Act + CRA Check

The fastest way to see whether the two most urgent new EU regulations apply to your product, and what they require. Answer a few questions and get a structured report.

  • EU AI Act risk classification
  • CRA obligations + deadlines
  • Actionable next steps
  • No account required
Start Free Assessment

Full Compliance Workspace

Go beyond the new regulations. Identify every applicable norm across 68+ EU standards and global markets, and manage all your products in persistent AI-powered workspaces.

  • 68+ EU directives & standards
  • UK, US, Asia, Amazon marketplaces
  • Persistent workspaces per product
  • AI chat for follow-up questions
Request a Demo
The New Regulations

Two laws. Overlapping scope.

Most tech products sit at the intersection of both. Our wizard checks for both simultaneously and maps their overlap for your specific case.

EU AI ACT Reg. 2024/1689

AI system regulation

Classifies AI systems into four risk tiers, from minimal to unacceptable. High-risk AI (hiring, credit, biometrics, safety) requires conformity assessments and technical documentation.

  • → Affects developers and deployers of AI sold in the EU
  • → High-risk obligations from August 2026
CRA Reg. 2024/2847

Cyber Resilience Act

Covers any product with digital elements sold in the EU, including software, hardware, IoT, and apps. Mandates security-by-design, vulnerability handling, and SBOM documentation.

  • → Affects manufacturers of any product with software sold in the EU
  • → Full compliance required by December 2027
Start Free Assessment
SCANNED_STANDARDS
CE MARKING EU AI ACT CRA 2024/2847 RoHS DIRECTIVE 2011/65/EU REACH REGULATION EC 1907/2006 RED 2014/53/EU EMC DIRECTIVE 2014/30/EU GPSR 2023/988 MACHINERY 2006/42/EC LVD 2014/35/EU ATEX 2014/34/EU ISO 27001 EN 62368 UKCA FCC (USA) CCC (CHINA) PSE (JAPAN)
Inside the free check

See what you get

Built for hardware makers adding software, firmware, and AI to their products. You get a product-specific compliance picture in under 10 minutes, not a one-size-fits-all checklist.

Digital twin

Your product profile, built automatically

Paste a URL, datasheet, or firmware spec. NormScout builds a complete digital twin of your product, covering hardware configuration, embedded software, AI components, and intended use, then asks targeted follow-ups to fill any gaps.

  • Works from a URL, datasheet, firmware spec, or plain description
  • Adapts questions to your hardware, firmware, and software layers
  • No compliance expertise needed to start
normscout.ch/eu-compliance/check
Compliance wizard
NormScout AI
Does your system make decisions that could affect a natural person's health, safety, or fundamental rights?
Yes No Indirectly
5 / 11 questions
Product profile
Name
ConnectX Gateway
Type
Connected Device
Deployment
Embedded + Cloud
Users
Industrial
Jurisdiction
EU
Compliance report - ConnectX Gateway
Controls OK
57%
EU AI Act58%
Cyber Resilience Act71%
6 issues to remediate 8 controls OK
High-Risk Classification 0/1 OK
Risk Management System 2/3 OK
Transparency Obligations 3/3 OK
Vulnerability Handling 3/3 OK
Compliance dashboard

Every article, mapped to your product

AI cross-references your digital twin against every applicable article in EU AI Act 2024/1689 and CRA 2024/2847, then gives you a traceable, chapter-by-chapter verdict.

  • Overall compliance score with EU AI Act + CRA breakdown
  • Chapter-by-chapter readiness with legal requirement quoted verbatim
  • Direct EUR-Lex links for every finding
Remediation plan

A gap list your team can close

Every compliance gap is triaged by severity, assigned a specific required action, and tracked from open to resolved, so your team always knows what to do next.

  • Critical → major → minor severity triage
  • A specific action for every control gap
  • Track status, assign owners, export to CSV
Remediation - 6 gaps found
CRITICAL EU AI Act · Art. 9
Risk Management System
Implement a continuous risk management process per Annex VII.
CRITICAL CRA · Art. 13
Secure by Design
Conduct a threat modelling exercise (STRIDE) before next release.
MAJOR CRA · Art. 14
Vulnerability Disclosure
Publish a responsible disclosure policy and create a public security reporting channel.
+ 3 more gaps · Free account to see all
Start Free Assessment

No sign-up · Results in minutes · Free

The Full Platform

Compliance from first line of code

The EU AI Act and CRA are the entry point. NormScout supports compliance at every stage, from development-phase norm discovery and design decisions through to CE marking, global market access, and post-launch monitoring.

Explore the full NormScout platform →

68+ EU Standards

From CE marking directives to sector-specific norms (ATEX, RED, Machinery) — identify every applicable standard during development, not after launch.

Global Market Coverage

UK (UKCA), US, Canada, Japan, China, Korea, and more. Select the markets you're targeting and get a unified compliance map.

Persistent Workspaces

Save your analysis, ask follow-up questions, and track compliance across multiple products — all in one dashboard.

AI Follow-up Chat

Ask the AI why a norm applies, what testing labs to use, or how to write a Declaration of Conformity — in plain language.

Request a Demo

EU AI Act & Cyber Resilience Act — FAQ

Straight answers to the questions companies ask most about the EU AI Act (2024/1689) and the Cyber Resilience Act (2024/2847).

What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the European Union's comprehensive law regulating artificial intelligence. It classifies AI systems by risk — unacceptable, high, limited and minimal — and imposes obligations accordingly: prohibited practices are banned, and high-risk AI systems must meet strict requirements before being placed on the EU market.

What is the EU Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) sets mandatory cybersecurity requirements for products with digital elements — hardware and software that can connect to a device or network. Manufacturers must ensure security by design, provide security updates, maintain a software bill of materials (SBOM) and report actively exploited vulnerabilities.

Does the EU AI Act apply to my product?

The EU AI Act applies if your product incorporates an AI system and is placed on or used in the EU/EEA market, regardless of where your company is based. If your product has no AI component, the AI Act does not apply. NormScout's free assessment determines applicability and your risk tier in minutes.

Does the Cyber Resilience Act apply to my product?

The CRA applies to products with digital elements that can connect directly or indirectly to a device or network and are made available on the EU market. Purely mechanical products with no connectivity, and certain sector-regulated products such as medical devices and motor vehicles, fall outside its scope.

When do the EU AI Act and CRA take effect?

The EU AI Act entered into force on 1 August 2024; bans on prohibited AI applied from 2 February 2025, general-purpose AI obligations from 2 August 2025, and most high-risk obligations from 2 August 2026. The Cyber Resilience Act's main obligations apply from 11 December 2027, with vulnerability-reporting duties from 11 September 2026.

What are the penalties for non-compliance with the EU AI Act or CRA?

Under the EU AI Act, prohibited practices can incur fines of up to €35 million or 7% of global annual turnover, whichever is higher. Under the Cyber Resilience Act, breaches of the essential requirements can reach €15 million or 2.5% of global annual turnover.

How can I check whether my product is compliant with the EU AI Act and CRA?

Run NormScout's free EU AI Act + CRA assessment. It asks a few targeted questions about your product, determines which regulations apply, and returns a per-article compliance breakdown traced to the official EUR-Lex text, with remediation steps for any gaps.

Start where you are.

New to NormScout? The free EU AI Act + CRA check takes under 10 minutes — no account needed. Want the full platform? Request a demo.

Start Free Assessment Request a Demo