The Cyber Resilience Act: Everything You Need to Know
The EU's landmark product cybersecurity law entered into force in December 2024. If you manufacture, import, or distribute any product with digital elements sold in the EU, the CRA applies to you. The 11 December 2027 date for full application is closer than it looks.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the European Union's mandatory cybersecurity framework for products with digital elements: any hardware or software product whose intended use includes a direct or indirect logical or physical data connection to a device or network. Adopted in 2024, it is the most significant piece of product security legislation introduced in the EU to date, and it applies to products placed on the EU market regardless of where they are manufactured.
The CRA requires products to be secure by design rather than patched into compliance after release. It introduces mandatory vulnerability handling, Software Bills of Materials (SBOMs), security update obligations for a defined support period, incident and vulnerability reporting, and a Declaration of Conformity with CE marking, all of which must be in place before a product can legally be placed on the EU market.
Compliance is mandatory. Penalties for breaching the essential cybersecurity requirements or the manufacturer's core obligations reach €15 million or 2.5% of worldwide annual turnover, whichever is higher; lower tiers apply to other obligations.
CRA Enforcement Timeline
10 December 2024: CRA enters into force
11 June 2026: Provisions on notified bodies apply; conformity assessment bodies can be designated and the assessment window opens
11 September 2026: Vulnerability and incident reporting obligations become mandatory
11 December 2027: Full application; all in-scope products placed on the market must comply or exit the EU market
The window to act is narrowing. Conformity assessment for Class II products requires a notified body, and the queue for notified body assessment will grow rapidly as the December 2027 deadline approaches. Companies that engage early secure faster turnaround times, better pricing, and a meaningful competitive advantage.
Who Does the CRA Apply To?
The CRA applies to any manufacturer, importer, or distributor placing a connected product on the EU market, regardless of where the company is based.
By product class
Default Class
The broadest category: products with digital elements not listed in Annex III or IV. Covers most commercial software, mobile apps, desktop software, browsers that are not standalone or embedded browser products, development tools, and embedded firmware. Cloud and SaaS back ends are in scope only as remote data processing that is essential to the product's function. Self-assessment (internal control) is available, but the essential requirements, SBOM, vulnerability handling and reporting, and Declaration of Conformity still apply in full.
Class I
Important products, Class I (Annex III). Higher-risk products including routers and modems for internet connection, operating systems, standalone and embedded browsers, identity and privileged access management systems, password managers, VPN products, network management and SIEM systems, smart home products with security functionalities, and wearables with a health monitoring purpose. Self-assessment is allowed only where harmonised standards, common specifications, or a European cybersecurity certification scheme are fully applied; otherwise a notified body must be involved.
Class II
Important products, Class II (Annex III). Hypervisors and container runtime systems, firewalls and intrusion detection or prevention systems, and tamper-resistant microprocessors and microcontrollers. Third-party conformity assessment by a notified body is mandatory regardless of which standards are applied.
Critical Products
Annex IV products: hardware devices with security boxes (hardware security modules fall here), smart meter gateways and other devices for advanced security purposes such as secure cryptoprocessing, and smartcards or similar devices including secure elements. The Commission may require certification under a European cybersecurity certification scheme for these products.
By company type
UK and non-EU manufacturers
Any company outside the EU placing a CRA product on the European market may appoint an EU Authorised Representative by written mandate to carry out regulatory tasks on its behalf; where none is appointed, the importer must verify compliance before the product is placed on the market. MVC provides the authorised representative service from Malta, an English-speaking EU member state, making it an accessible gateway into the European market for UK and non-EU businesses.
Enterprise software teams and government contractors
If you hold an existing ISO 27001 information security or ISO 9001 quality management certification, CRA compliance can build on that foundation. MVC integrates your existing management systems with the CRA requirements rather than starting from scratch.
Importers and distributors
Importers and distributors who place a product on the market under their own name or trademark, or who substantially modify it, are treated as manufacturers under the regulation. Importers must verify that the manufacturer has carried out conformity assessment and must not place a non-compliant product on the market. Both need a clear compliance position before 11 December 2027.
What the CRA Requires
Secure by design
Products must meet the essential cybersecurity requirements from the outset, based on a documented cybersecurity risk assessment, not retrofitted after release. This includes shipping with a secure default configuration, minimising attack surfaces, operating on least-privilege principles, protecting the confidentiality and integrity of stored and transmitted data, and protecting against unauthorised access.
Software Bill of Materials (SBOM)
Manufacturers must identify and document the components contained in the product, including open source dependencies, by drawing up an SBOM in a commonly used, machine-readable format (SPDX and CycloneDX are the usual choices) covering at least the top-level dependencies. The SBOM forms part of the technical documentation, must be kept current throughout the support period, and must be made available to market surveillance authorities on request; the regulation does not require it to be published.
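The two checks a team usually wants once an SBOM exists are whether every component is actually described well enough to be useful, and whether any listed component is known to be affected by an advisory. The following is an added example written for this page, not code from the CRA text or from MVC or Fleet. It embeds a constructed CycloneDX 1.5 document and constructed advisory records (the package names, versions and advisory identifiers are placeholders, not real vulnerabilities), and the set of fields it demands per component is the example's own choice of a practical minimum, not a list the regulation spells out.

```python
"""Completeness check and advisory matching over a CycloneDX SBOM.

Added example for illustration only. SAMPLE_SBOM_JSON and SAMPLE_ADVISORIES
are constructed data; nothing here refers to a real package or vulnerability.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 JSON document describing a fictional product.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {"type": "application", "name": "example-gateway", "version": "2.4.0"}
    },
    "components": [
        {"type": "library", "name": "libexample-tls", "version": "1.2.3",
         "purl": "pkg:generic/libexample-tls@1.2.3", "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "example-json", "version": "0.9.1",
         "purl": "pkg:generic/example-json@0.9.1"},          # no supplier recorded
        {"type": "library", "name": "example-log", "version": "",
         "purl": "pkg:generic/example-log"},                 # version never captured
    ],
})

# Constructed advisory feed: "affected_below" is the first fixed version.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "libexample-tls", "affected_below": "1.2.4"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-json", "affected_below": "0.9.0"},
    {"id": "EXAMPLE-ADV-0003", "name": "example-log", "affected_below": "3.0.0"},
]

# Fields this example insists on per component (an assumption of the example).
REQUIRED_FIELDS = ("name", "version", "purl", "supplier")


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version; assumes plain integers (raises on anything else)."""
    return tuple(int(part) for part in text.split("."))


def check_completeness(sbom_json: str) -> Dict[str, List[str]]:
    """Return {component name: [missing fields]} for every incomplete component.

    An empty result means every component carries the required fields. A synthetic
    '<metadata>' entry is added when the document is not CycloneDX or does not
    describe the top-level product itself.
    """
    sbom = json.loads(sbom_json)
    problems: Dict[str, List[str]] = {}
    if sbom.get("bomFormat") != "CycloneDX" or "component" not in sbom.get("metadata", {}):
        problems["<metadata>"] = ["bomFormat/metadata.component"]
    for comp in sbom.get("components", []):
        missing = [field for field in REQUIRED_FIELDS if not comp.get(field)]
        if missing:
            problems[comp.get("name", "<unnamed>")] = missing
    return problems


def match_advisories(sbom_json: str, advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return sorted (advisory id, component name, version) for affected components.

    A component whose version cannot be parsed is reported with version 'unknown'
    rather than skipped, so an incomplete SBOM cannot silently hide exposure.
    """
    sbom = json.loads(sbom_json)
    hits: List[Tuple[str, str, str]] = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if adv["name"] != comp.get("name"):
                continue
            version = comp.get("version") or ""
            try:
                affected = parse_version(version) < parse_version(adv["affected_below"])
            except ValueError:
                affected = True  # fail closed on an unparseable or missing version
            if affected:
                hits.append((adv["id"], comp["name"], version or "unknown"))
    return sorted(hits)


if __name__ == "__main__":
    for name, missing in check_completeness(SAMPLE_SBOM_JSON).items():
        print(f"incomplete: {name} missing {missing}")
    for adv_id, name, version in match_advisories(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"affected: {name} {version} ({adv_id})")
```

Run stand-alone, it flags the two components with missing fields and two advisory hits, one of them for the component whose version was never recorded. That fail-closed behaviour is the point: an SBOM gap should surface as work to do, not as a silent clean result.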
Vulnerability handling
A documented process for receiving, assessing, and remediating reported vulnerabilities: a coordinated vulnerability disclosure policy, a contact address for vulnerability reports, regular testing of the product's security, and the ability to issue security updates free of charge and without undue delay throughout the support period, which must be at least five years unless the product is expected to be in use for a shorter time.
Incident and vulnerability reporting
From 11 September 2026, manufacturers must report any actively exploited vulnerability in their products, and any severe incident affecting the security of a product, through the single reporting platform operated by ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities and one month for incidents.
Declaration of Conformity and CE marking
Before placing a product on the EU market, manufacturers must produce a Declaration of Conformity demonstrating that all CRA essential requirements have been met, and affix the CE mark accordingly.
Technical documentation
A complete technical file, covering product design, security architecture, the cybersecurity risk assessment and threat modelling, test results, SBOM, and vulnerability handling procedures, must be kept for at least 10 years after the product is placed on the market or for the support period, whichever is longer.
The September 2026 reporting deadline is approaching
From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents through the single reporting platform within 24 hours of becoming aware, with fuller notification within 72 hours. This is not a future problem. Your reporting process, dependency visibility, and evidence chain need to be in place before the deadline hits.
Fleet gets you ready
Fleet is the on-premises evidence automation layer built specifically for CRA reporting readiness. Deployed on your own infrastructure, Fleet monitors your full dependency tree, generates SBOMs, alerts your team when vulnerabilities hit, and supports the evidence and reporting workflow you will need when the September deadline arrives, without changing how your developers work.
How MVC Helps
MVC is the only platform that covers every stage of the CRA compliance lifecycle under one roof.
Talk to us