🔍 What Is the EU Cyber Resilience Act and Who Needs to Comply?

If you make, sell, or update connected devices or software in the EU, you probably fall under the Cyber Resilience Act (CRA).

The CRA is the EU’s new horizontal regulation setting mandatory cybersecurity requirements for all products with digital elements. That means hardware and software that can connect to a device or network, directly or indirectly.

Who must comply?

  • Manufacturers of connected devices and apps
  • SaaS providers and software vendors
  • Importers and distributors placing digital products on the EU market
  • Developers of embedded systems, edge devices, and cloud-connected platforms

Core obligations include:

  • Designing secure-by-default systems (Annex I)
  • Maintaining vulnerability handling processes
  • Providing a Software Bill of Materials (SBOM)
  • Declaring a support period
  • Completing a conformity assessment (self-declared or third-party, depending on the product's risk level)

Enforcement kicks in on 11 December 2027, but work on compliance-ready architectures starts now, and initial reporting obligations become mandatory in September 2026.
