POLO
  • Products
    • M2351
    • M2354
  • Contact us
  • Buy
  • Introduction
    • Introduction
    • Solutions
    • Nuvoton Experts
    • Partners
  • Technologies
  • Applications
  • Compliance/Standards
    • EU CRA Overview
    • Nuvoton EU CRA Compliance Statement
    • PSA Certification
  • Development
  • Learning Center
    • Tech Blog
    • Video Center
  • Award
  • Tech Forum
    • 2023 Tech Forum
    • 2022 Tech Forum

CRA

Cyber Resilience Act

What is EU CRA? Impacted Products Timeline Impact of Non-Compliance Security Issue Reporting

What is the EU Cyber Resilience Act (CRA) ?

The EU Cyber Resilience Act (CRA) is a regulation that sets mandatory cybersecurity requirements of products with digital elements. Its goal is to ensure that products are secure from design to deployment, and continuously protected throughout their lifecycle.

Impacted Products

Products covered by the EU Cyber Resilience Act (CRA) include software and hardware products with digital elements. These products can store, process, and transmit digital data, and they usually can connect to other devices or networks, either directly or indirectly, through logical or physical connections. A logical connection is commonly seen when an operating system provides Application Programming Interfaces (APIs) for other software to use, while a physical connection is often seen when a product connects to other devices through wired or wireless networks. After the CRA fully applies on 11 December 2027, all related digital products sold or offered on the European market must comply with the CRA requirements. Otherwise, they may face administrative penalties, including fines and product withdrawal from the market.

However, the CRA also excludes certain types of products, such as those in the automotive, medical, maritime, and aviation sectors. These products are already governed by their respective industry-specific regulations and managed under existing regulatory frameworks, so they are not included in the scope of the CRA. In other words, the CRA mainly applies to digital products that are not covered by other cybersecurity or product regulations. When a manufacturer evaluates whether a product is affected by the CRA, they should consider not only the product’s function and usage but also whether the product is already covered by other specific regulations.

The CRA divides products into three main categories: Default, Important, and Critical. The Important category is further divided into two subcategories: Class I and Class II. Different categories of products use different methods and standards to show compliance, based on their level of risk. Therefore, the product category directly affects the type of conformity assessment required and the supporting documentation that must be prepared. Annex III and Annex IV of the CRA list some Important and Critical products, respectively. While most products not listed in these annexes belong to the Default category. The following figure shows some example products for reference.

Default
Important
Critical
  • Smart home devices
  • Printers
  • Bluetooth speakers
  • Media player software application
Products not listed in Annex III or Annex IV

Class I

  • Standalone and embedded browsers
  • Microcontrollers and microprocessor with security-relevant functions
  • Password managers
  • Operating systems
  • Network management systems

Class II

  • Operating systems supporting virtualized execution
  • Firewalls
  • Tamper-resistant microprocessors & microcontrollers
  • Hardware devices with security boxes
  • Smart meter gateways
  • Smart cards or similar devices including secure elements
  • Other devices for advanced security purposes, including secure crypto processing

Figure: Product Category Examples

The CRA not only focuses on whether a product has security features, but also on whether the manufacturer can manage vulnerabilities, provide updates, and maintain technical documentation over time. Therefore, the scope of the CRA covers not only the final product, but may also extend to the software, operating systems, modules, and hardware components used within it. Therefore, both product manufacturers and related supply chain vendors need to pay attention to CRA requirements.

Timeline

2024.12
Formally
Published
2026. Q3
Standardization deliverables (horizontal & product-specific standards)
Vulnerability
Reporting Obligation
2026.9.11
2026.Q4
Delegated act will be issued to clarify that products certified under EUCC (Common Criteria) can be considered compliant with certain CRA requirements.
2027.12
Full application of
the Cyber
Resilience Act

Transitional Provisions

  • Products placed on the market before 2027.12.11 are not subject to CRA requirements unless substantially modified.
  • Reporting obligations still apply to all products, including legacy devices.


Why It Matters - Impact of Non-Compliance

The CRA makes cybersecurity a legal requirement, not just a product feature.
Non-compliant products may be restricted or removed from the EU market.

Financial Penalties
  • Critical cybersecurity requirements violation
    • Up to €15 million or 2.5% of worldwide annual turnover (whichever is higher)
  • Other regulatory violations
    • Up to €10 million or 2% of worldwide annual turnover
  • Providing incorrect or misleading information
    • Up to €5 million or 1% of worldwide annual turnover

Security Support and Reporting

We are committed to ensuring the cybersecurity of our products with digital elements throughout their lifecycle. If you discover a potential vulnerability or a severe security incident affecting our products, please report it to us immediately.

Security Issue Reporting
Copyright ©2008-2026 Nuvoton Technology Corporation