
CRA

The Cyber Resilience Act (CRA) is a European Union regulation establishing cybersecurity requirements for products with digital elements.

Last updated: February 6, 2026

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is a comprehensive European Union regulation that introduces mandatory cybersecurity requirements for products with digital elements. Adopted in 2024, the CRA aims to improve the security of hardware and software products throughout their lifecycle.

Key Objectives

  • Ensure products with digital elements are secure by design and default

  • Create a framework for continuous security updates and vulnerability management

  • Establish transparency requirements, including Software Bills of Materials (SBOMs)

  • Hold manufacturers accountable for the security of their products

Who Does it Apply To?

The CRA applies to manufacturers, importers, and distributors of products with digital elements that are placed on the EU market. This includes software, hardware, and IoT devices. Organizations selling or distributing such products in the EU must comply with CRA requirements.

Timeline

The CRA includes a transition period for compliance. Organizations should begin preparing now to meet the requirements before the deadlines. Key dates include conformity assessment obligations and reporting requirements that phase in over time.