The EU Cyber Resilience Act (CRA) is a regulation that sets mandatory cybersecurity requirements of products with digital elements. Its goal is to ensure that products are secure from design to deployment, and continuously protected throughout their lifecycle.
Products covered by the EU Cyber Resilience Act (CRA) include software and hardware products with digital elements. These products can store, process, and transmit digital data, and they usually can connect to other devices or networks, either directly or indirectly, through logical or physical connections. A logical connection is commonly seen when an operating system provides Application Programming Interfaces (APIs) for other software to use, while a physical connection is often seen when a product connects to other devices through wired or wireless networks. After the CRA fully applies on 11 December 2027, all related digital products sold or offered on the European market must comply with the CRA requirements. Otherwise, they may face administrative penalties, including fines and product withdrawal from the market.
However, the CRA also excludes certain types of products, such as those in the automotive, medical, maritime, and aviation sectors. These products are already governed by their respective industry-specific regulations and managed under existing regulatory frameworks, so they are not included in the scope of the CRA. In other words, the CRA mainly applies to digital products that are not covered by other cybersecurity or product regulations. When a manufacturer evaluates whether a product is affected by the CRA, they should consider not only the product’s function and usage but also whether the product is already covered by other specific regulations.
The CRA divides products into three main categories: Default, Important, and Critical. The Important category is further divided into two subcategories: Class I and Class II. Different categories of products use different methods and standards to show compliance, based on their level of risk. Therefore, the product category directly affects the type of conformity assessment required and the supporting documentation that must be prepared. Annex III and Annex IV of the CRA list some Important and Critical products, respectively. While most products not listed in these annexes belong to the Default category. The following figure shows some example products for reference.
Figure: Product Category Examples
The CRA not only focuses on whether a product has security features, but also on whether the manufacturer can manage vulnerabilities, provide updates, and maintain technical documentation over time. Therefore, the scope of the CRA covers not only the final product, but may also extend to the software, operating systems, modules, and hardware components used within it. Therefore, both product manufacturers and related supply chain vendors need to pay attention to CRA requirements.
The CRA makes cybersecurity a legal requirement, not just a product feature.
Non-compliant products may be restricted or removed from the EU market.
