Jump to

Cyber Resilience Act (CRA)

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU’s horizontal regulation on cybersecurity requirements for “products with digital elements” — covering hardware, software, IoT, and connected services placed on the EU market. The CRA aims to address the patchy security landscape of consumer and B2B digital products by setting essential cybersecurity requirements throughout the product lifecycle. Entered into force November 2024; main obligations apply from December 2027.

Scope: products with digital elements

  • Hardware: connected devices, sensors, routers, smart appliances.
  • Software: consumer applications, B2B software, embedded systems.
  • Critical category: identity management, browsers, password managers, antivirus, VPN, smart-meter components — face stricter conformity assessment.
  • Excluded: medical devices, motor vehicles, civil aviation (covered by sector-specific regulation).

Core requirements

  • Security by design and by default: minimised attack surface from initial release.
  • Vulnerability management: coordinated disclosure, security updates throughout support period.
  • Documentation: technical documentation evidencing compliance.
  • Conformity assessment: CE marking after self-assessment or third-party audit (for critical products).
  • Incident reporting: actively exploited vulnerabilities to ENISA within 24/72/14-day windows.
  • Support period: manufacturer must provide security updates for the expected product use period (minimum 5 years for many categories).

CRA compliance planning

The Cyber Resilience Act turns product security into market-access law for anything with “digital elements” sold in the EU: security-by-design obligations, vulnerability handling and reporting duties (actively exploited vulnerabilities reported to ENISA on tight clocks), CE marking against essential requirements, and support-period commitments. For Turkish hardware and software exporters the practical sequence is: classify products against the CRA’s importance categories, stand up a vulnerability-disclosure and PSIRT process now (the operational long pole), align technical files and conformity routes, and push the obligations into the supply chain — component and SDK vendors must contractually carry their share of the security file. CRA-readiness is becoming an RFP question well before its full application dates.