Question 1

What is the EU Cyber Resilience Act (CRA)?

Accepted Answer

The CRA (Regulation EU 2024/2847) is EU legislation requiring manufacturers of products with digital elements to meet essential cybersecurity requirements, including vulnerability handling, secure updates, and SBOM generation.

Question 2

When does the CRA take effect?

Accepted Answer

Vulnerability reporting obligations begin September 11, 2026. Full compliance with all essential requirements is required by December 11, 2027.

Question 3

What products does the CRA cover?

Accepted Answer

The CRA covers all products with digital elements placed on the EU market — any software or hardware product with a direct or indirect data connection to a device or network.

Question 4

What are the penalties for CRA non-compliance?

Accepted Answer

Fines can reach up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, for non-compliance with essential cybersecurity requirements.

Is your product ready for the
EU Cyber Resilience Act?

Free tools

CRA Readiness Assessment

Annex I Checklist

Compliance Templates

Latest articles

CRA Annex I Checklist for Firmware Engineers

CRA Article 14: Embedded Vulnerability Reporting

CRA Compliance for Zephyr RTOS Projects

CRA Compliance for FreeRTOS Firmware Projects

Is your product ready for the EU Cyber Resilience Act?