Among the EU’s security-focused regulations, the CRA stands out as the broadest general security framework and requires action from every manufacturer, importer, and distributor of digital products in the EU.
Get free adviceReading time: 8 minutes
There is no legal definition of cyber resilience. The term can be defined as a company’s resistance to hacker attacks and preparation for the failure of system-relevant components. o establish a general resilience against cyber attacks within Europe in line with modern IT security and information security the EU has launched several security-focused regulations including the, including the Cyber Resilience Act (CRA), the Directive on the Security of Network and Information Systems (NIS2) and the Digital Operational Resilience Act (DORA).
Among these, the CRA stands out as the most broadly applicable, general security framework. The CRA aims to harden the security of digital products both produced and being sold across the EU. Under the CRA, all digital products must undergo a conformity assessment, and in some cases have the CE marking affixed, before reaching the market.
The Cyber Resilience Act is a new set of binding security requirements enacted by the EU Commission. The CRA aims to harden the security of digital products sold across the EU. Under the CRA, all products with digital elements must undergo a conformity assessment, and in some cases have the CE marking affixed before reaching the market.
The Cyber Resilience Act sets out three key requirements for all digital products on the EU market.
The CRA applies to all digital products sold to end consumers within the EU member states. This includes both final products, such as smartphones, and components, such as chips and operating systems. Furthermore, the CRA applies equally to all digital products placed on the EU market, there are no market-size-based exemptions. The CRA also mandates security assessment for IT infrastructure and software used in a company’s own IT operations as part of its “digital supply chain.”
For products being sold on the EU market, the CRA differentiates between digital products according to their criticality to consumer safety, enterprise cyber resilience, and national and regional security.
Four-tier illustration of CRA product classification (Standard, Important Class I, Class II, Critical).
The Cyber Resilience Act defines the following product classifications:
Examples include memory chips, mobile apps, smart speakers, and computer games among the broad list of all digital products.
This includes IT access management, browsers and operating systems, VPNs, as well as network management and smart home devices.
This includes hypervisors and container systems, firewalls and IDS/IPS, as well as tamper-resistant microcontrollers and processors.
This includes smart cards, secure card readers, tachographs, and HSMs, as well as smart meter gateways and cryptographic systems.
The European Commission estimates that most affected products will fall into the default category and only be subject to self-assessment by the product manufacturer. However, products listed in “Important” and “Critical” categories will be subject to stricter requirements with regard to conformity assessment. Manufacturers of products classified as critical could be required to obtain a special European cyber security certificate and compliance must be indicated by the CE marking on the product, with national post-market monitoring of products for proper implementation.
| Category | Conformity assessment | CE marking | Examples |
|---|---|---|---|
| Standard | Self-assessment by the manufacturer | Required | Memory chips, mobile apps, smart speakers, computer games |
| Class I | Stricter rules, third-party assessment possible | Required | IT access management, browsers, OS, VPNs, network management, smart home devices |
| Class II | Third-party assessment required | Required | Hypervisors, container runtime, firewalls, IDS/IPS, tamper-resistant microcontrollers |
| Critical | Mandatory certified body; EU cybersecurity certificate possible | Required | Smartcards, secure card readers, tachographs, HSMs, smart meter gateways |
The Cyber Resilience Act defines its scope through the concept of “economic operators.” These include manufacturers, authorized representatives, importers, distributors, as well as all natural or legal persons involved in the manufacture or distribution of digital products in the EU. This affects both producers of end devices such as smartphones and suppliers of individual components such as chips or operating systems. The regulation also applies regardless of where a company is headquartered. Manufacturers outside the EU must also comply if they offer their products on the European market.
The Cyber Resilience Act defines “economic operators” to include:
The Cyber Resilience Act places a range of responsibilities on economic operators involved in the manufacturing or distribution of digital products in the EU. Broadly, affected entities must take steps to strengthen product security during the entire lifecycle from design to retirement, implement processes for vulnerability handling and reporting, and enable end-user remediation.
Secure product design and lifecycle, security assessments and SBOM, vulnerability handling and reporting obligations.
Depending on severity, CRA violations may lead to significant penalties.
OPENVAS SECURITY INTELLIGENCE supports CRA compliance on premises or in the cloud. Contact us to learn more.
The CRA was adopted as EU law on October 23, 2024 and officially entered into force on December 10, 2024. Certain CRA compliance deadlines apply in stages and lead to full enforcement on December 11, 2027. The Commission will continuously monitor compliance with the EU’s new cybersecurity rules and may sanction violations where appropriate.
Timeline of the critical phases of CRA implementation:
From September 11, 2026, manufacturers must follow strict reporting deadlines for actively exploited vulnerabilities and severe incidents.
Initial notification to ENISA and the national CSIRT.
Affected products, vulnerability details and mitigation guidance.
Final remediation details after a security update or workaround.
Greenbone has helped prepare our customers to achieve the best possible security standard for 15+ years. We view the CRA as an opportunity to provide support and to build the strongest cyber resilience possible. The OPENVAS SECURITY INTELLIGENCE platform helps companies meet the CRA’s requirements on premise or in the cloud.
OPENVAS SECURITY INTELLIGENCE dashboard with vulnerability scan results, CVSS severity distribution, and asset inventory aligned with CRA reporting requirements.
Horizontal process flow: scan assets, assess SBOM, prioritize CVEs, generate report, notify ENISA.
What is cyber resilience?
There is no legal definition of cyber resilience. The term can be defined as an organization’s ability to withstand cyberattacks and prepare for the failure of critical system components.
What is the EU Cyber Resilience Act (CRA)?
The Cyber Resilience Act is a new set of binding security requirements issued by the European Commission. Its purpose is to strengthen the security of digital products sold throughout the EU. Under the CRA, all products with digital elements must undergo a conformity assessment and, in some cases, bear the CE marking before they can be placed on the market.
Which products are affected by the Cyber Resilience Act?
The Cyber Resilience Act applies to all digital products sold to end users within EU member states. This includes both end products such as smartphones and components such as chips and operating systems. There are no exemptions based on market size. The CRA also requires security assessments for IT infrastructure and software used within a company’s own IT operations as part of the “digital supply chain.”
Does the CRA also apply to manufacturers outside the EU?
Yes. The CRA is not limited to manufacturers headquartered in the EU. Manufacturers outside the EU are subject to the requirements of the CRA if they sell products in the EU. Importers and distributors are also responsible for verifying that the manufacturer has completed the required compliance steps before a product is made available on the EU market.
What is a conformity assessment under the CRA?
A conformity assessment is the procedure by which a manufacturer demonstrates that a product meets the essential security requirements of the CRA. Most products in the standard category are subject only to self-assessment by the manufacturer. Products in the Important Class I, Class II, and Critical categories are subject to stricter requirements. Manufacturers of critical products may be required to obtain a specific European cybersecurity certificate, with conformity indicated by the CE marking.
What vulnerability reporting obligations does the CRA define?
From September 11, 2026, affected manufacturers must report known vulnerabilities and known exploits to ENISA within 24 hours, report security incidents to product users together with the required remediation steps, and report identified vulnerabilities in third-party components to the respective third-party vendors.
What is a Software Bill of Materials (SBOM) and why does the CRA require it?
A Software Bill of Materials (SBOM) is a complete inventory of all software components in a digital product. The CRA requires manufacturers to conduct vulnerability scans, including SBOM assessments, to ensure that products are free of known vulnerabilities and to provide an SBOM covering a product’s software components to downstream customers.
Does the CRA apply to open-source software?
Commercially distributed open-source software can fall under CRA obligations. Non-commercial FOSS contributions are generally excluded.
Open-source software stewards may have lighter obligations, such as maintaining a cybersecurity policy, coordinating vulnerability disclosures and cooperating with market surveillance authorities.
When does the CRA become fully enforceable?
The CRA was adopted as EU law on October 23, 2024, and officially entered into force on December 10, 2024. Compliance deadlines apply in stages: Chapter IV provisions on conformity assessment bodies from June 11, 2025, vulnerability reporting obligations under Article 14 from September 11, 2026, and full enforcement of all remaining requirements from December 11, 2027.
How does the CRA relate to NIS2 and DORA?
The CRA, the Directive on Network and Information Security (NIS), and the Digital Operational Resilience Act (DORA) are all part of the EU’s security-focused regulatory framework. Among these, the CRA stands out as the broadest general security framework, covering all digital products made available on the EU market regardless of industry or company size.
How does Greenbone help with CRA compliance?
For more than 15 years, Greenbone has been helping customers prepare for the highest possible security standard. Greenbone’s OPENVAS SECURITY INTELLIGENCE platform supports organizations with the ongoing vulnerability assessments and external audits required by the CRA, on premises or in the cloud.
Full enforcement begins in December 2027, but the vulnerability reporting obligation takes effect as early as September 2026. Talk to us now and find out how OPENVAS SECURITY INTELLIGENCE supports your CRA compliance program on premises or in the cloud.
