Cyber Resilience Act compliance simplified

Manufacturers of products with digital elements must comply with the requirements of the EU Cyber Resilience Act by December 2027.

CRA Basics is the reference to understand this new regulation, ensure compliance, and build trust with customers.

Evaluate Your CRA Maturity

Download Your Free CRA Checklist

CRA Countdown

Loading CRA countdown...

What is the EU CRA?

The Cyber Resilience Act is a new EU regulation aimed at improving the cybersecurity of digital products.

The scope covers a wide range of products including smart home devices, industrial control systems, network components and all associated services such as Cloud and applications.

Note that reporting requirements apply from the 11^th of September 2026, and all other requirements from the 11^th of December 2027.

Why does it matter?

Manufacturers, importers and distributors of products with a digital element must comply with the CRA to sell their products in the EU.

For that purpose, they must follow specific requirements to maintain an appropriate level of cyber security across the product lifecycle, aligned with the risks involved.

By implementing CRA Basics, manufacturers can demonstrate their commitment to product security and increase consumer trust.

CRA Basics: core principles of the regulation

1. Create secure products

Evaluate threats and risks applicable to products
Identify cyber security requirements to protect products
Use secure design principles and resilient architectures
Implement secure hardware and software components

2. Make the installation of products secure

Reduce the attack surface by removing unused code and interfaces
Implement a secure default configuration
Make users aware of any pre-requisites for a secure installation
Avoid insecure or hardcoded default passwords

3. Keep products secure once on the market

Define a support period (5 years by default)
Continuously identify and manage vulnerabilities in the product and its components
Be prepared to handle cyber security incidents
Develop and publish security updates

4. Produce relevant documentation at all stages

Document risks, mitigations and residual risks
Track dependencies with SBOM and HBOM
Write user manual and cyber security documentation
Prepare a security assessment report
Inform users and regulators

5. Don't release products with known security issues

Identify known exploitable vulnerabilities
Remediate cyber risks to an acceptable level
Deploy remediation into the manufacturing process
Ensure that products placed on the market receive remediation

Practical Resources

Top 3 Priorities for Immediate Action

Implement vulnerability management Keep up-to-date with the latest vulnerabilities to ensure your product remains secure throughout its lifecycle.
Create an HBOM / SBOM to secure your supply chain Identify all third-party components and software you use, and formalise your Hardware / Software Bill of Materials. These documents are mandatory for compliance and vulnerability management.
Manage risks related to exploitable vulnerabilities and incidents Define and implement processes with clear roles, responsibilities and SLAs to identify, assess and remediate risks to the product. These processes are mandatory and support a faster resolution of cyber security issues.

Possible Compliance Roadmap

Your journey to CRA compliance in 4 steps:

Gap Analysis (3-6 months) Compare your current practices and evaluate your maturity against CRA requirements.
Remediation Planning (3 months) Develop a detailed plan to address identified gaps, including budget and timeline.
Implementation (6-12 months) Execute the plan, integrating security processes into your development lifecycle.
Operational security (Continuous) Establish a system for continuous monitoring, documentation, and reporting to maintain compliance.

Vulnerability Management and SBOMs Explained

A Vulnerability Management process is a systematic approach to identifying, prioritizing, and remediating security weaknesses. The CRA requires you to have a proactive system in place to handle vulnerabilities after your product is on the market.

A Software Bill of Materials (SBOM) is a complete, formally structured list of ingredients that make up your software. It is a key tool for transparency and for understanding your product's potential security risks. The CRA makes providing an SBOM a mandatory requirement.

The CRA has 8 high-level requirements concerning Vulnerability Management and SBOMs:

Identify new vulnerabilities and address them throughout the product lifecycle.
No known exploitable vulnerabilities in new products. This means that the vulnerabilities are remediated to an acceptable risk level (e.g., with a patch).
A single point of contact is publicly available to receive vulnerability reports from external stakeholders.
Report vulnerabilities to upstream suppliers including Open Source stewards so that they can fix them.
Develop, release and share remediation with your customers and with regulators (ENISA and the national CSIRT).
Keep security updates available for 10 years after they are published. This means that customers can still update their products later.
Notify the national CSIRT and ENISA of actively exploited vulnerabilities. Prefer machine-readable formats such as CSAF.
Notify users when their product is at risk.

Requirements for CRA Compliance Assessment

The CRA requires manufacturers to assess the cyber security of their products. The assurance level depends on the product category.

✪ Recommended assurance level

✓ Possible to use

✕ Not allowed by CRA: insufficient assurance level

Basic self-assessment

The manufacturer verifies its own conformity against any appropriate standard
Example: the manufacturer verifies that the product implements EN 303 645 requirements

✪

Self-assessment with the CRA harmonised European Standard (hEN)

Identical to basic self-assessment but with a standard developed specifically for the CRA
Example: the manufacturer ensures that the product aligned with the CRA hEN

✓

✪

Conformity assessment validated by a Notified Body

The manufacturer submits its self-assessment and other documents to a Notified Body
The Notified Body verifies them and gives its conclusions
Example: submit EN 303 645 ICS, IXIT and mandatory documentation to a Notified Body

✓

✪

3rd-party assessment

Use an accredited "conformity assessment body" to test the product for security
Example: a manufacturer procures a security audit of its product (device, backend, etc.)

✓

✪

✓

EU certification scheme

Implement an existing EU certification scheme (Cyber Security Act): EUCC, EUCS, EU5G, etc.
Example: a smart metering gateway manufacturer implements EUCC

✓

✪

Mandatory if Delegated Act published

Presentations

Introduction to CRA Compliance

AIoTHub

Date: 18/11/2025

Page: /

Our comments on prEN 40000-1-3 (draft standard for vulnerability handling requirements)

CRABasics comments on prEN 40000-1-3

Showing of entries

GE: General TE: Technical ED: Editorial

Page / Section	Type	Comment	Proposed Change

No results found matching your criteria.

Download Your Free CRA Checklist

CRA Maturity Evaluation

Evaluate your current maturity level and identify areas for improvement. This is a first step towards compliance.

Product Cybersecurity Questionnaire

1. Are product cyber security risks evaluated?

No Yes

2. Is there a list of cyber security requirements implemented in the product?

No Yes

3. For how long will the product receive security updates? support period

4. Is there a public-facing Vulnerability Disclosure Policy?

No Yes

5. Do you produce an SBOM?

No Yes

6. Who manages vulnerabilities in the product?

To receive bespoke advice, please enter your email

Results

Your CRA maturity evaluation will appear here.

About CRA Basics

CRA Basics is an joint-initiative by cetome and RS Strategy, two leading consultancies on EU cyber security regulations.

Our goal is to provide simple, clear, and comprehensive explanations to help manufacturers understand their requirements and prepare for compliance without getting lost in legal jargon. We believe that raising awareness on this new regulation is an important way to make our digital ecosystem and our society safer for everyone.

Contact us

Do you have questions about the CRA or need help with compliance? Fill out the form below and we'll get back to you.

Copyright Notice

CRA Basics and its content belong to cetome and RS Strategy.

This website and its content is licensed under the CC BY-NC-SA license.