Ciberseguridad legal

Cyber Resilience Act (CRA)

The Cyber Resilience Act requires manufacturers, importers and distributors of products with digital elements — hardware and software connected to a network or to another device — to build in cybersecurity from the design stage and to report actively exploited vulnerabilities. We help you work out whether your product falls within scope and prepare your compliance timeline before the obligations become enforceable.

RegulationRegulation (EU) 2024/2847
Vulnerability reportingenforceable from 11 September 2026
Full application and CE markingfrom 11 December 2027

Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), entered into force on 10 December 2024 and applies to any product with digital elements placed on the EU market: IoT devices, standalone software, hardware components and their remote data processing solutions.

It is not a sector-specific regulation. If you manufacture or distribute a product with a logical or physical connection, direct or indirect, to a device or a network, you are probably within scope.

The timeline is not uniform, and it pays to be clear about it so you are not caught out. From 11 September 2026, the obligations to report actively exploited vulnerabilities and severe incidents affecting the security of the product become enforceable (Article 14).

Those notifications follow tight deadlines: an early warning within 24 hours, a more detailed notification within 72 hours and a final report afterwards, through the single reporting platform operated by ENISA.

Full application of the Regulation — essential cybersecurity requirements, conformity assessment procedures and CE marking — arrives on 11 December 2027, thirty-six months after entry into force.

For a manufacturing or distributing SME, the substantive work lies in Article 13 (manufacturer obligations) and in Annex I: the essential cybersecurity requirements for the product and, separately, the vulnerability lifecycle management requirements throughout the support period.

This means technical documentation for the product, a genuine vulnerability handling process — not just a written policy — security updates available to the user, and clear criteria for deciding when a flaw must be reported to the authorities.

We help you assess whether your product falls within the scope of the CRA, identify the essential requirements that apply to it according to its risk category, and build the internal vulnerability handling process that the Regulation requires, with CE marking in view.

We work alongside whoever handles the design and development of the product: the CRA is not solved with a document, it is solved by embedding cybersecurity into the manufacturing process.

The Cyber Resilience Act (CRA) process.

The process · four stages
01

Scope assessment

We analyse whether your product has digital elements connected to a network or another device and whether it falls within the CRA.

02

Identification of essential requirements

We determine which requirements of Annex I apply to your product according to its risk category.

03

Vulnerability management process

We build with you the internal process to detect, document and report vulnerabilities throughout the product's support period.

04

Support towards CE marking

We work alongside whoever designs and develops the product to embed cybersecurity into the manufacturing process, with CE marking in view.

What is included

What Cyber Resilience Act (CRA) includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • CRA scope assessment

    Determination of whether your product with digital elements falls within the Regulation.

  • Essential requirements map

    List of the Annex I requirements that apply according to the product's risk category.

  • Vulnerability management process

    Internal procedure to detect, document and decide when to report a vulnerability.

  • Reporting criteria

    Definition of the criteria and deadlines (24-hour early warning, 72-hour notification) for alerting the authorities.

  • Product technical documentation

    Documentary support needed to demonstrate the essential cybersecurity requirements.

  • Coordination with the design team

    Joint work with the product's development team to embed cybersecurity into the manufacturing process.

Summum cluster

How it connects with its sisters.

Frequently asked questions about Cyber Resilience Act (CRA).

What counts as a 'product with digital elements' under the CRA?

Any hardware or software product, and its associated remote data processing solutions, whose intended or reasonably foreseeable use includes a logical or physical connection — direct or indirect — to another device or to a network. It covers both the physical product and the software that accompanies or controls it.

When do vulnerability reporting obligations become mandatory?

From 11 September 2026. From that date, the manufacturer must report any actively exploited vulnerability and any severe incident affecting the security of the product, with 24-hour and 72-hour deadlines (Article 14), through the single reporting platform operated by ENISA and the designated CSIRT.

When does the Regulation have to be met in full, including CE marking?

Full application, including the essential requirements of Annex I and CE marking, is enforceable from 11 December 2027. That is a thirty-six-month period from entry into force, intended to allow time to redesign manufacturing and development processes.

Is the CRA the same as NIS2 or DORA?

No. NIS2 governs the cybersecurity of the organisation operating essential or important services, and DORA the digital resilience of the financial sector. The CRA governs the product: it requires connected hardware and software placed on the market to be secure by design and to remain secure throughout their useful life. A single company may have to comply with several regulations at once if it manufactures connected products and also operates as an entity regulated by NIS2 or DORA.

What if my product already carries another CE marking, for example under machinery or radio equipment rules?

The CRA is coordinated with other EU harmonisation legislation to avoid duplicating conformity assessments, but the essential cybersecurity requirements of Annex I are specific to the Regulation and must be demonstrated in any case. It is worth reviewing case by case which conformity assessment procedure applies to your product according to its risk category.