Cyber Resilience Act compliance simplified

Manufacturers of products with digital elements must comply with the requirements of the EU Cyber Resilience Act by December 2027.
CRA Basics is the reference to understand this new regulation, ensure compliance, and build trust with customers.
What is the EU CRA?
The Cyber Resilience Act is a new EU regulation aimed at improving the cybersecurity of digital products.
The scope covers a wide range of products, including smart home devices, industrial control systems, network components, and associated services such as cloud services and applications.
Note that reporting requirements apply from the 11th of September 2026, and all other requirements from the 11th of December 2027.
Why does it matter?
Manufacturers, importers and distributors of products with a digital element must comply with the CRA to sell their products in the EU.
For that purpose, they must follow specific requirements to maintain an appropriate level of cyber security across the product lifecycle, aligned with the risks involved.
By implementing CRA Basics, manufacturers can demonstrate their commitment to product security and increase consumer trust.
CRA Basics: core principles of the regulation
1. Create secure products
- Evaluate threats and risks applicable to products
- Identify cyber security requirements to protect products
- Use secure design principles and resilient architectures
- Implement secure hardware and software components
2. Make the installation of products secure
- Reduce the attack surface by removing unused code and interfaces
- Implement a secure default configuration
- Make users aware of any prerequisites for a secure installation
- Avoid insecure or hardcoded default passwords
3. Keep products secure once on the market
- Define a support period (5 years by default)
- Continuously identify and manage vulnerabilities in the product and its components
- Be prepared to handle cyber security incidents
- Develop and publish security updates
4. Produce relevant documentation at all stages
- Document risks, mitigations and residual risks
- Track dependencies with SBOM and HBOM
- Write user manual and cyber security documentation
- Prepare a security assessment report
- Inform users and regulators
5. Don't release products with known security issues
- Identify known exploitable vulnerabilities
- Remediate cyber risks to an acceptable level
- Deploy remediation into the manufacturing process
- Ensure that products placed on the market receive remediation
Practical Resources
Top 3 Priorities for Immediate Action
- Publish a VDP: Create a clear Vulnerability Disclosure Policy and make it publicly accessible, usually with a link in the footer of your website. This shows commitment and allows researchers to report issues responsibly.
- Create an HBOM / SBOM to secure your supply chain: Identify all third-party components and software you use, and formalise your Hardware / Software Bill of Materials. These documents are mandatory for compliance and vulnerability management.
- Manage risks related to exploitable vulnerabilities and incidents: Define and implement processes with clear roles, responsibilities and SLAs to identify, assess and remediate risks to the product. These processes are mandatory and support a faster resolution of cyber security issues.
Possible Compliance Roadmap
Your journey to CRA compliance in 4 steps:
- Gap Analysis (3-6 months): Compare your current practices against CRA requirements.
- Remediation Planning (3 months): Develop a detailed plan to address identified gaps, including budget and timeline.
- Implementation (6-12 months): Execute the plan, integrating security processes into your development lifecycle.
- Operational security (Continuous): Establish a system for continuous monitoring, documentation, and reporting to maintain compliance.
Vulnerability Management and SBOMs Explained
A Vulnerability Management process is a systematic approach to identifying, prioritizing, and remediating security weaknesses. The CRA requires you to have a proactive system in place to handle vulnerabilities after your product is on the market.
A Software Bill of Materials (SBOM) is a complete, formally structured list of ingredients that make up your software. It is a key tool for transparency and for understanding your product's potential security risks. The CRA makes providing an SBOM a mandatory requirement.
The CRA has 8 high-level requirements concerning Vulnerability Management and SBOMs:
- Identify new vulnerabilities and address them throughout the product lifecycle.
- No known exploitable vulnerabilities in new products. This means that the vulnerabilities are remediated to an acceptable risk level (e.g., with a patch).
- A single point of contact is publicly available to receive vulnerability reports from external stakeholders.
- Report vulnerabilities to upstream suppliers including Open Source stewards so that they can fix them.
- Develop, release and share remediation with your customers and with regulators (ENISA and the national CSIRT).
- Keep security updates available for 10 years after they are published. This means that customers can still update their products later.
- Notify the national CSIRT and ENISA of actively exploited vulnerabilities. Prefer machine-readable formats such as CSAF.
- Notify users when their product is at risk.
Requirements for CRA Compliance Assessment
The CRA requires manufacturers to assess the cyber security of their products. The assurance level depends on the product category.
Basic self-assessment
- The manufacturer verifies its own conformity against any appropriate standard
- Example: the manufacturer verifies that the product implements EN 303 645 requirements
Self-assessment with the CRA harmonised European Standard (hEN)
- Identical to basic self-assessment but with a standard developed specifically for the CRA
- Example: the manufacturer ensures that the product is aligned with the CRA hEN
Conformity assessment validated by a Notified Body
- The manufacturer submits its self-assessment and other documents to a Notified Body
- The Notified Body verifies them and gives its conclusions
- Example: submit EN 303 645 ICS, IXIT and mandatory documentation to a Notified Body
3rd-party assessment
- Use an accredited "conformity assessment body" to test the product for security
- Example: a manufacturer procures a security audit of its product (device, backend, etc.)
EU certification scheme
- Implement an existing EU certification scheme (Cyber Security Act): EUCC, EUCS, EU5G, etc.
- Example: a smart metering gateway manufacturer implements EUCC
CRA Maturity Evaluation
Evaluate your current maturity level and identify areas for improvement.
About CRA Basics

CRA Basics is a joint initiative by cetome and RS Strategy, two leading consultancies on EU cyber security regulations.
Our goal is to provide simple, clear, and comprehensive explanations to help manufacturers understand their requirements and prepare for compliance without getting lost in legal jargon. We believe that raising awareness on this new regulation is an important way to make our digital ecosystem and our society safer for everyone.
Contact us
Do you have questions about the CRA or need help with compliance? Fill out the form below and we'll get back to you.
Copyright Notice
CRA Basics and its content belong to cetome and RS Strategy.
Any usage or reference to it by any agency of the European Union or its subcontractors, past, present, or future, is prohibited in perpetuity.
For any other organisation, this website and its content is licensed under the CC BY-NC-SA license.