Cyber Resilience Act in 5 minutes

How it works, what it requires, and 3 steps to take now

The EU Cyber Resilience Act enters into force on Dec 11, 2024 and will apply from Dec 11, 2027.

The Cyber Resilience Act (CRA) is EU regulation (2024/2847) making cybersecurity requirements mandatory for all “products with digital elements”. Products with digital elements process digital data and are connectable to other digital products. This is a huge scope covering virtually all of IT, IoT, industrial control systems / OT, embedded devices, and machinery — and both hardware and software.

The CRA was published in the EU Official Journal on November 20, 2024. As it is an EU regulation and not an EU directive, the CRA will now enter into force in all member states on December 11, 2024 without any detours — no translation into national law is necessary.

From December 11, 2027, anyone who wants to sell a “product with digital elements” in the EU must ensure the requirements of the CRA are met. Conformity is demonstated by affixing a CE mark to the product. That’s the exact same mark that is already used for other products with safety aspects: sunglasses, children’s toys, pressure vessels, radio equipment…and now products with digital elements.

How the CE marking works

The fundamental idea behind the CE marking is that there are the same requirements for products in the entire EU. That’s why the legislation defining the mechanisms around the CE marking is also known as “EU product harmonization legislation”. It has last been updated in 2008, and this update is known as “New Legislative Framework” (NLF).

The NLF defines the basic vocabulary to understand the Cyber Resilience Act:

• at the core of all product harmonization legislation (like the CRA!) are EU-wide (ergo “harmonized”) requirements for certain products (yellow in the above image).
• The European standardization bodies (CEN, CENELEC, ETSI) are asked by the EU commission to write “harmonized European Norms” (hENs) to concretize these requirements for selected products,
• Economic operators (anybody who sells a product in the EU) make sure a conformity assessment is carried out, create a declaration of conformity with the EU-wide requirements, draw up a technical documentation substantiating their declaration, and affix a CE mark to demonstrate conformity,
• “Notified bodies” (accredited by “accreditation bodies”) can carry out conformity assessments that involve a third party (well-known examples are companies of the TÜV group),
• Market surveillance authorities (“notifying bodies”) monitor (with random checks or following incidents or reports of nonconformity) if products comply with the EU-wide requirements.

The “Blue Guide” (last updated 2022) provides guidance for the implementation of the NLF and answers many practical questions around these structures.

What the CRA requires

The CRA means that from 11 December 2027, the CE marking is needed for a larger product group (products with digital elements) and for those products, the harmonized, EU-wide requirements now include several cybersecurity requirements.

The essential requirements of the CRA are listed in its Annex I. They can be summarized as follows (yellow in the below image):

1. Incident prevention & design principles: Design principles and (regular) measures to develop secure products by design (the teeth-brushing of product development, so to speak).
2. Incident readiness & resilience: Anything that helps to mitigate the effects if a vulnerability is found and exploited (could be regarded as a tire stack).
3. Incident & Vulnerability handling: The process that ensures that a security incident is professionally addressed and quickly resolved (like a fire hose would do).
   The reporting obligations in case of exploited vulnerabilities (article 14) apply earlier than the rest of the requirements: Already from Sep 11, 2026.

And because the CRA uses the mechanisms of the CE marking, all the NLF vocabulary from above applies, which means that there are three documents product manufacturers (or integrators, or importers) need to create:

1. the EU declaration of conformity stating conformity with the essential requirements. It is provided with the product.
2. the technical documentation containing everything to substantiate conformity. For the CRA, this means: a description of the product and its design, development, and production processes, a description of the vulnerability handling process, a cybersecurity risk assessment, and a description of cybersecurity solutions adopted to meet the essential requirements. Also: Test reports to prove the conformity assessments has been carried out.
   The technical documentation is not public. It must be provided to the entity carrying out the conformity assessment (for example a notified body / TÜV). The market surveillance authority can also request to see the technical documentation.
3. the information and instructions to the user. Think of it as a cybersecurity manual provided with the product that contains everything a user needs to know about cybersecurity. It contains user-relevant excerpts from the technical documentation.
   The information and instructions to the user are especially important for anyone selling a B2B product, and especially if the customers are themselves subject to cybersecurity regulation (NIS-2, for example). Here is a good-practice example.

Roadmap to CRA compliance

By the end of 2027, all products with digital elements sold in the EU must comply with the CRA. It doesn’t matter when the product was developed or first put on the market — if it is still being sold in 2027 an onwards, it needs to comply.

Also, all components of the product need to comply to CRA, regardless if built in-house or purchased. For third-party components, due diligence is required (which at least consists of making sure purchased components carry a CE mark themselves).

So if you’re selling a digital product in the EU, you will need to do something until end of 2027.

Here’s a possible roadmap to CRA compliance:

Step 1: Categorize products

First, categorize your products. See if they are mentioned in the “important” or “critical” products in Annex III or IV of the CRA.

If yes, you may need a third-party conformity assessment and there will probably soon be harmonized standards for these products.

It also makes sense to cluster similar products to find synergies to speed up step 2.

Step 2: Set up three security processes

This is where the beef is: There are three processes you need to set up (or at least review and document) to comply with the CRA.

• A cybersecurity risk assessment for your product from the product users’ point of view. Depending on the products, you may want to consider different installation environments. When describing risk mitigation measures, make sure to reference the CRA’s essential requirements.
• Integrate security into the design, development and production processes for your product. Make sure you include all mitigation measures from the risk assessment, and comply with essential requirements. Depending on your product and your existing processes, it can be helpful to follow existing standards like NIST 800–218 or ISA/IEC 62443–4–1.
• A vulnerability handling process including a responsible disclosure policy and a mechanism to distribute security advisories and updates in case a vulnerability is found. You’ll also need a software bill of materials (SBOM) so you and your customers can quickly find out if your product is affected by a vulnerability in your supply chain.

As soon as you have not only implemented but also documented these three processes well, your technical documentation for the CRA has a good maturity.

Step 3: Conformity assessment

Unless your product is “critical” or “important”, it’s probably enough to carry out a conformity assessment following module A (internal control). This does NOT mean you can skip the conformity assessment, but you can carry it out yourself. Make sure to document your tests, because this also needs to go into the technical documentation.

Then all you have left to do is paperwork: Excerpts from the technical documentation to draw up the information and instructions to the user, create the EU declaration of conformity (there are templates for that), and — finally — affix the CE mark to your product.

Reading list

Do you need more details? Here’s a reading list:

• CRA text (Regulation 2024/2847, Official Journal of the EU)
• Longer introduction to the CRA, CE marking, and the regulatory ecosystem around it (my blog, 2022)
• “Blue Guide” explaining the mechanisms around the CE marking and conformity assessments (EU, 2022)
• Explanation how harmonised European norms (hENs) are defined (my blog, 2023)
• Mapping of existing standard requirements to CRA requirements (ENISA, 2024)
• TR-03183 “Cyber Resilience Requirements” of the German Federal Ministry of Information Security (BSI) — details the CRA requirements, especially for SBOMs (BSI, 2024)
• Overview of the essential requirements outlined in the CRA (my blog, 2024)
• Overview of the global product security regulation landscape and how the CRA fits into it (my blog, 2024)
• Good-practice example for the “information and instructions to the user (my blog, 2024)