What the CRA Means for Your Products
The Cyber Resilience Act introduces a fundamental change in how cybersecurity is regulated in the European Union. For the first time, cybersecurity becomes a mandatory requirement for all products with digital elements placed on the EU market.
Vulnerability reporting obligations start on September 11, 2026. Full application of all CRA requirements, including CE marking conformity, begins on December 11, 2027.
What the Cyber Resilience Act Requires
The CRA establishes horizontal cybersecurity obligations that apply throughout the product lifecycle, from design and development to deployment, updates, and end‑of‑life.
Key legal references include:
Article 6 – Obligations of manufacturers
Annex I, Part I – Essential cybersecurity requirements, including security‑by‑design
Annex I, Part II – Vulnerability handling, updates, and incident management
Annex II – Technical documentation requirements
Article 10 – Vulnerability reporting obligations
Taken together, these provisions require manufacturers not only to implement cybersecurity measures, but also to demonstrate and document compliance in a structured and repeatable way.
Who the Cyber Resilience Act Applies To
The CRA applies to multiple sectors. Any product with digital elements – including connected hardware, embedded software, and software‑only products – placed on the EU market may fall within scope.
Applicability is determined by the characteristics and functionality of the product, rather than the industry in which it is used.
Relationship to Other Regulations & Standards
The CRA is designed to align and consolidate cybersecurity requirements across the EU. Many products subject to the CRA are also affected by other regulatory frameworks or standards, depending on their connectivity and intended use.
In practice, CRA compliance often intersects with:
The Radio Equipment Directive (RED) for internet‑connected radio equipment
ETSI EN 303 645 for consumer IoT devices
IEC 62443 for industrial automation and control system components
QIMA helps manufacturers align cybersecurity efforts so that one coherent approach can support compliance across multiple frameworks.
How QIMA Supports CRA Compliance
QIMA supports manufacturers at every stage of CRA preparation, from early scoping through to conformity support.
Our services include readiness and gap analysis against CRA requirements, cybersecurity testing and evaluation, support with technical documentation, and guidance on conformity assessment under Module A (Internal Production Control). We also help organizations establish and validate vulnerability handling and update processes that meet CRA expectations over the product lifecycle.
FAQs
When does the Cyber Resilience Act apply? The CRA entered into force in December 2024 and becomes fully applicable after a transition period, starting in December 2027.
Can manufacturers self‑declare compliance under the CRA? In many cases, yes. Manufacturers may use Module A (Internal Production Control), provided all applicable requirements are met and properly documented.
How does the CRA relate to RED cybersecurity requirements? From December 2027, the CRA will replace the RED Delegated Act (EU) 2022/30, creating a single, horizontal cybersecurity framework for products with digital elements.
