CRACI

What is the Cyber Resilience Act?

Understanding the EU's comprehensive cybersecurity regulation for digital products

The Cyber Resilience Act (CRA) is a comprehensive European Union regulation designed to establish mandatory cybersecurity requirements for products with digital elements (hardware and software). Passed in 2024, it aims to improve the security of digital products throughout their entire lifecycle, from design to end-of-life.

The CRA addresses growing cybersecurity threats by ensuring that manufacturers, importers, and distributors take responsibility for the security of their products before they enter the EU market. This landmark legislation will fundamentally change how digital products are developed, marketed, and maintained across Europe.

Key obligations include:

  • Vulnerability disclosure
  • Mandatory security updates for the product's supported lifetime
  • Conformity assessment process

CRACI automatically helps you meet these obligations by continuously scanning your CI/CD pipeline for vulnerabilities, automatically sending vulnerability disclosures to the relevant authorities, generating audit-ready compliance reports, and keeping your security documentation up to date throughout your product's lifecycle.

Key Aspects of the CRA

Mandatory Security Requirements

Products must meet minimum cybersecurity standards throughout their lifecycle.

Risk-Based Classification

Products are classified into different risk categories with corresponding obligations.

Vulnerability Handling

Manufacturers must actively monitor, report, and address security vulnerabilities.

CE Marking

Compliant products must carry CE marking to enter the EU market.

Documentation & Transparency

Comprehensive technical documentation and security information must be maintained.

Market Surveillance

Authorities can enforce compliance and impose penalties for violations.

The CRA timeline is ticking

Key milestones you need to prepare for under the Cyber Resilience Act.

  • We are here
  • National auditors chosen: June 2026
  • Vulnerability reporting enforcement: September 2026
  • Full application of the CRA: December 2027

  • 600,000+ companies across the globe must comply with the CRA to operate in the European market
  • €15M maximum fine, or 2.5% of global annual turnover
  • 24 hours to report actively exploited vulnerabilities to ENISA

Who Does the CRA Affect?

Manufacturers

Companies designing, developing, or manufacturing products with digital elements for the EU market must ensure their products meet CRA requirements.

Importers & Distributors

Those bringing products into the EU market or making them available must verify that products comply with the CRA before distribution.

Open Source Software

While open source developed in a non-commercial manner is exempt, commercial entities using or distributing OSS may still have obligations.

Software Providers

SaaS providers, software developers, and digital service providers must assess whether their offerings are covered under the regulation.

Essential Requirements

The CRA establishes essential cybersecurity requirements that products must meet, including:

  • Security by design and by default principles
  • Protection against unauthorized access and data breaches
  • Secure software updates and patches
  • Vulnerability disclosure and handling procedures
  • Minimum technical documentation requirements
  • Risk assessment and mitigation measures
  • Incident response capabilities
  • Support period obligations for security updates

Ready to Ensure CRA Compliance?

Discover how CRACI helps you navigate the Cyber Resilience Act requirements
