The European Union is preparing another cybersecurity revolution. The Cyber Resilience Act (CRA) is a regulation that will introduce mandatory security requirements for virtually all products with digital elements sold on the European market. From smart refrigerators to home routers to enterprise software - everything will need to meet minimum cybersecurity standards.
For manufacturers, importers, and distributors of digital products, CRA means a fundamental business model change. This article explains what to expect and how to prepare.
What is the Cyber Resilience Act and what problems does it solve?
The Cyber Resilience Act is a regulation of the European Parliament and of the Council aimed at improving the cybersecurity of products with digital elements. Unlike a directive (such as NIS2), a regulation applies directly in all member states without transposition into national law, so the same obligations and deadlines hold across the whole EU market.
The problem CRA aims to solve
The digital products market suffers from a fundamental problem: security is not a priority. Manufacturers compete on price and functionality, treating security as a cost to minimize. The results are visible:
Unsecured IoT devices:
- Routers with default admin/admin passwords
- IP cameras accessible without authentication
- Smart home devices without update capability
Software with vulnerabilities:
- Products released without security testing
- Known vulnerabilities unfixed for months or years
- No information about support and updates
Information asymmetry:
- Consumers don’t know if a product is secure
- No standard security labels
- Difficulty comparing products
Cost externalization:
- Manufacturer sells cheap, unsecured product
- Incident costs are borne by users and society
- No manufacturer responsibility after sale
How does CRA change these rules?
CRA introduces a model where:
- Security is a condition for market access
- The manufacturer is responsible for security throughout the product lifecycle
- Users have clear information about the security level and the support period
- Market surveillance authorities can withdraw non-compliant products from the market
What products does CRA cover?
CRA has a very broad scope - it covers “products with digital elements,” meaning any software or hardware product (together with the remote data processing it depends on) whose intended or reasonably foreseeable use involves a direct or indirect data connection to a device or network. In practice, that is almost anything that contains software or can be connected to a network.
Products covered by CRA
Hardware with software:
- Computers, laptops, tablets, smartphones
- Routers, switches, access points
- Cameras, recorders, alarm systems
- IoT devices (smart appliances, wearables, smart home)
- Industrial equipment (PLCs, SCADA systems)
Software:
- Operating systems
- Office and business software
- Mobile applications
- Computer games
- Device firmware
Components:
- Processors, microcontrollers
- Communication modules (WiFi, Bluetooth, LTE)
- Software libraries and frameworks
Products excluded from CRA
Some categories are excluded because they are already subject to sector-specific EU rules:
- Medical devices (MDR and IVDR regulations)
- Motor vehicles (EU vehicle type-approval rules)
- Aircraft (EU civil aviation rules)
- Marine equipment (Marine Equipment Directive)
- Products developed exclusively for national security or defence purposes
- Pure cloud services and SaaS (these fall under NIS2; CRA covers only the remote data processing that a product needs in order to perform its functions)
- Open-source software developed or supplied outside a commercial activity
Risk categories
CRA divides products into categories by risk. The example lists below follow the regulation's annex of listed product categories; that annex was revised during the legislative process, so classify a product against the adopted text rather than a summary.
Default products (no category):
- Most consumer products and business software
- Self-assessment of conformity by the manufacturer (internal control)
- Examples: smart bulbs, simple applications
Class I products (important):
- Antivirus software
- Home routers
- Home automation systems
- Self-assessment is allowed only when harmonized standards (or an EU cybersecurity certification scheme) are applied in full; otherwise third-party assessment is required
Class II products (critical):
- Operating systems
- Industrial firewalls
- Microprocessors with security features
- Smart meters
- Mandatory assessment by a notified body
What requirements does CRA introduce?
CRA introduces two main categories of requirements: product requirements and manufacturer process requirements.
Product requirements
Security by design:
- Product must be designed with security in mind from the start
- Minimal attack surface
- Limited incident impact
Secure default configuration:
- Secure default settings
- No universal default passwords: unique per-device credentials, or a forced change on first use
- Unnecessary features disabled by default
Confidentiality protection:
- Encryption of sensitive data at rest and in transit
- Protection against unauthorized access
- Secure data deletion
Integrity protection:
- Software integrity verification
- Secure boot
- Modification protection
Availability protection:
- Resilience against denial-of-service attacks, and minimal impact on the availability of other devices and networks
- Ability to restore to secure state
- Logging and monitoring of security-relevant internal activity
Security updates:
- Software update capability
- Security updates delivered without delay, free of charge, and separately from functional updates where technically feasible
- Informing users about available updates
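The integrity and update requirements above are stated as goals; one concrete pattern that satisfies them is a signed update manifest with anti-rollback. The following is an added example written for this article, not code from the regulation or from any vendor: the manufacturer hashes the firmware image, signs a small manifest (product, build number, image digest) with an Ed25519 release key, and the device verifies the signature with the public key baked into its firmware before checking product binding, version monotonicity, and the image digest. The product name `acme-gw-100`, the fixed `releaseSeed`, and the byte-string "image" are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the manufacturer signs. The image is bound to it through its
// SHA-256 digest; Version is a monotonically increasing build number the device
// uses to refuse downgrades to older, vulnerable firmware.
type Manifest struct {
	Product     string `json:"product"`
	Version     int    `json:"version"`
	ImageSHA256 string `json:"image_sha256"`
}

// SignedUpdate is the bundle delivered to the device over the air.
type SignedUpdate struct {
	ManifestJSON []byte // serialised Manifest, exactly the bytes that were signed
	Signature    []byte // Ed25519 signature over ManifestJSON
	Image        []byte
}

// releaseSeed is a fixed, constructed 32-byte seed so the example is
// deterministic. A real release key lives in an HSM or a signing service.
var releaseSeed = []byte("example-cra-release-key-seed-32b")

// releaseKeypair derives the signing key (manufacturer side) and the public key
// that would be baked into the device firmware.
func releaseKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(releaseSeed)
	return priv.Public().(ed25519.PublicKey), priv
}

// BuildUpdate is the manufacturer-side step: hash the image, serialise the
// manifest and sign it with the release key.
func BuildUpdate(priv ed25519.PrivateKey, product string, version int, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	raw, err := json.Marshal(Manifest{Product: product, Version: version, ImageSHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: raw, Signature: ed25519.Sign(priv, raw), Image: image}, nil
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongProduct = errors.New("manifest is for a different product")
	ErrRollback     = errors.New("update is not newer than the installed version")
	ErrImageDigest  = errors.New("image digest does not match manifest")
)

// VerifyUpdate is the device-side check. Order matters: the signature is checked
// first so nothing from an unauthenticated manifest steers later decisions, then
// product binding and anti-rollback, and only then the (large) image digest.
func VerifyUpdate(pub ed25519.PublicKey, u SignedUpdate, product string, installedVersion int) (Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return Manifest{}, err
	}
	if m.Product != product {
		return Manifest{}, ErrWrongProduct
	}
	if m.Version <= installedVersion {
		return Manifest{}, ErrRollback
	}
	sum := sha256.Sum256(u.Image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA256 {
		return Manifest{}, ErrImageDigest
	}
	return m, nil
}

func main() {
	pub, priv := releaseKeypair()
	image := []byte("constructed firmware image, build 5") // stand-in for a real binary
	update, err := BuildUpdate(priv, "acme-gw-100", 5, image)
	if err != nil {
		panic(err)
	}
	m, err := VerifyUpdate(pub, update, "acme-gw-100", 4)
	fmt.Println("genuine update -> version", m.Version, "err:", err)

	tampered := update // an on-path attacker flips one bit of the image
	tampered.Image = append([]byte(nil), image...)
	tampered.Image[0] ^= 0x01
	_, err = VerifyUpdate(pub, tampered, "acme-gw-100", 4)
	fmt.Println("tampered image -> err:", err)

	_, err = VerifyUpdate(pub, update, "acme-gw-100", 5) // replaying the current build
	fmt.Println("replay/downgrade -> err:", err)
}
```

Rejecting a replayed or older build (the ErrRollback path) is what stops an attacker from re-installing a signed but vulnerable release, and verifying the signature before parsing the manifest keeps untrusted JSON away from the parser. On a real device the public key belongs in immutable storage or a secure element, so that secure boot and update verification share one root of trust.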
Process requirements
Vulnerability handling:
- Identifying and documenting vulnerabilities and components in the product, including regular security testing
- Addressing vulnerabilities without delay and distributing security updates securely and free of charge
- A coordinated vulnerability disclosure (CVD) policy and a public contact point for reporting vulnerabilities
- Publishing information about fixed vulnerabilities and remediation once an update is available
- Reporting actively exploited vulnerabilities and severe incidents to the authorities under tight deadlines (the regulation sets a 24-hour early-warning window)
- Maintaining an SBOM (Software Bill of Materials) in a commonly used machine-readable format, covering at least the product's top-level dependencies
Technical documentation:
- Design and security architecture description
- Risk assessment
- Security test results
- Information about used libraries
User instructions:
- Safe use information
- Environment requirements
- Update procedures
- Contact for reporting vulnerabilities
Support period:
- Defined support period reflecting the expected product use time (at least 5 years, unless the product is expected to be used for less)
- Providing security updates throughout the period
- End of support notification
What must a manufacturer do to place a product on the EU market?
The route to market depends on the risk category.
For default products (majority)
1. Conduct conformity assessment:
- Check the CRA essential requirements against your product
- Apply internal production control
- Document conformity
2. Prepare technical documentation:
- Product description and security features
- Cybersecurity risk assessment
- Security test results
- SBOM (software component list)
3. Prepare the EU declaration of conformity:
- Formal statement of compliance with the requirements
- Signed on behalf of the manufacturer (or its authorized representative)
4. Apply CE marking:
- Visible CE marking on the product, its packaging, or the accompanying documentation
- Declaration of conformity supplied with the product, or a web address where it can be obtained
5. Provide user information:
- Safe use instructions
- Support period information
- Contact for reporting vulnerabilities
For Class I products
Additionally to the above:
- Conformity assessment with harmonized standards, OR
- Assessment by notified body (third party)
For Class II products
- Mandatory assessment by notified body
- More rigorous documentation requirements
How will CRA affect the product lifecycle?
CRA changes the approach to the entire digital product lifecycle.
Design phase
Before CRA:
- Security as an add-on
- “We’ll fix it later”
- Priority: time to market
After CRA:
- Security by design
- Threat modeling at project start
- Security as a design requirement
Development phase
Before CRA:
- Security testing optional
- No dependency tracking
- “It works = it’s ready”
After CRA:
- Secure Development Lifecycle (SDLC)
- SBOM and dependency management
- Penetration tests before release
Market introduction phase
Before CRA:
- Minimal documentation
- No formal security assessment
- Quick introduction
After CRA:
- Technical documentation required
- Conformity assessment (internal or external)
- CE marking after meeting requirements
Operation phase
Before CRA:
- Support until stock runs out
- Updates “when there’s time”
- No responsibility after sale
After CRA:
- Minimum 5 years of support
- Obligation to provide security updates
- Continuous vulnerability monitoring
Withdrawal phase
Before CRA:
- Silence from manufacturer
- Users with unsecured equipment
- No migration plan
After CRA:
- Advance end of support announcement
- Final security update
- Information about alternatives
What penalties does CRA provide?
CRA introduces severe sanctions for non-compliance, modeled on GDPR.
Administrative penalties
For non-compliance with the essential cybersecurity requirements or the core manufacturer obligations:
- Up to EUR 15 million or 2.5% of global annual turnover (whichever is higher)
For non-compliance with other obligations (documentation, marking, importer and distributor duties):
- Up to EUR 10 million or 2% of global annual turnover
For supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities:
- Up to EUR 5 million or 1% of global annual turnover
Market surveillance actions
Market surveillance authorities may:
- Order product withdrawal from market
- Order recall (withdrawal from users)
- Prohibit market placement
- Order product destruction
- Publish consumer warnings
Civil liability
In addition to administrative penalties, manufacturers may bear civil liability for damages resulting from defective products (under the Product Liability Directive).
How to prepare for CRA now?
Although the exact CRA application date is not yet established, organizations should begin preparations.
Step 1: Product inventory
Compile a list of all products that may be subject to CRA:
- Products sold in the EU
- Products in development
- Planned products
For each product, determine:
- Risk category (default, Class I, Class II)
- Current security level
- Gaps relative to CRA requirements
Step 2: Process assessment
Analyze your product development processes:
Secure Development Lifecycle:
- Do you have a formal SDLC?
- Is security part of requirements?
- Do you conduct threat modeling?
Vulnerability management:
- Do you have a vulnerability identification process?
- Do you have SLAs for patch delivery?
- Do you have a CVD program (Coordinated Vulnerability Disclosure)?
Dependency management:
- Do you track external libraries and components?
- Do you generate SBOM?
- Do you monitor vulnerabilities in dependencies?
Testing:
- Do you conduct security tests?
- Do you use penetration tests?
- Do you test updates before release?
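To make the SBOM and dependency-monitoring questions above (and the SBOM process requirement earlier) concrete, here is an added example written for this article, not code from the regulation or from any SBOM tool: it emits a minimal CycloneDX 1.5 document for a product's dependency list and then matches every component, by package URL and version range, against an OSV-style advisory feed. The product `acme-gateway`, the library names, and the `EXAMPLE-2024-000x` advisories are constructed sample data; a real pipeline would generate the component list from the build system and pull advisories from a live feed such as OSV or the NVD.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one entry of the CycloneDX "components" array.
type Component struct {
	Type    string `json:"type"` // "application", "library", "firmware", ...
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"` // package URL, e.g. pkg:pypi/cfgloader@2.25.1
}

// SBOM is a minimal CycloneDX 1.5 document, reduced to the fields used here.
type SBOM struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Version     int    `json:"version"`
	Metadata    struct {
		Component Component `json:"component"` // the product this SBOM describes
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// Advisory is an OSV-style record: versions from Introduced (inclusive) up to
// Fixed (exclusive) are affected; an empty Fixed means no fixed release exists yet.
type Advisory struct {
	ID, PURLPrefix, Introduced, Fixed string // PURLPrefix is the purl without "@version"
}

type Finding struct{ AdvisoryID, PURL, Fixed string } // one component/advisory pair

// BuildSBOM assembles the document for a product from its dependency list.
func BuildSBOM(product Component, deps []Component) SBOM {
	b := SBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Version: 1, Components: deps}
	b.Metadata.Component = product
	return b
}

// compareVersions orders dotted versions numerically per segment (1.2.10 > 1.2.9); missing
// or non-numeric segments count as 0 (1.2 == 1.2.0). Pre-release tags need ecosystem rules.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// MatchVulns returns every SBOM component whose version falls inside an affected range.
func MatchVulns(b SBOM, feed []Advisory) []Finding {
	var out []Finding
	for _, c := range b.Components {
		for _, adv := range feed {
			if !strings.HasPrefix(c.PURL, adv.PURLPrefix+"@") {
				continue // different package
			}
			if compareVersions(c.Version, adv.Introduced) >= 0 &&
				(adv.Fixed == "" || compareVersions(c.Version, adv.Fixed) < 0) {
				out = append(out, Finding{adv.ID, c.PURL, adv.Fixed})
			}
		}
	}
	return out
}

// Constructed sample input: a fictional product, fictional dependencies and a fictional
// advisory feed (all names, versions and advisory IDs are invented for this example).
var (
	sampleProduct = Component{"firmware", "acme-gateway", "2.4.0", "pkg:generic/acme-gateway@2.4.0"}
	sampleDeps    = []Component{
		{"library", "cfgloader", "2.25.1", "pkg:pypi/cfgloader@2.25.1"},
		{"library", "httpcore-embedded", "1.26.18", "pkg:generic/httpcore-embedded@1.26.18"},
		{"library", "tlslite-embedded", "2.28.3", "pkg:generic/tlslite-embedded@2.28.3"},
	}
	sampleFeed = []Advisory{
		{"EXAMPLE-2024-0001", "pkg:pypi/cfgloader", "2.3.0", "2.31.0"},             // fixed upstream, old version shipped
		{"EXAMPLE-2024-0002", "pkg:generic/httpcore-embedded", "1.26.0", "1.26.17"}, // already patched
		{"EXAMPLE-2024-0003", "pkg:generic/tlslite-embedded", "2.28.0", ""},        // no fix yet
	}
)

func main() {
	sbom := BuildSBOM(sampleProduct, sampleDeps)
	doc, _ := json.MarshalIndent(sbom, "", "  ")
	fmt.Println(string(doc)) // the machine-readable SBOM to ship with the product
	for _, f := range MatchVulns(sbom, sampleFeed) {
		fmt.Printf("%s affects %s (fixed in %q)\n", f.AdvisoryID, f.PURL, f.Fixed)
	}
}
```

The version comparison is deliberately simple (numeric dotted versions only); the point is the workflow: one machine-readable SBOM per release, re-matched against fresh advisories on a schedule, with an advisory that has no fixed version (the tlslite-embedded case) tracked as an open risk rather than silently dropped.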
Step 3: Gap analysis
Compare current state with CRA requirements and identify gaps:
| Area | CRA requirement | Current state | Gap | Priority |
|---|---|---|---|---|
| Security by design | Yes | Partial | Process formalization | High |
| Default passwords | None or forced change | Default passwords | Design change | Critical |
| SBOM | Required | Missing | Tool implementation | High |
| Support period | Min. 5 years | 2 years | Policy change | High |
| OTA updates | Yes for many products | Missing | Feature addition | High |
| Documentation | Complete | Incomplete | Completion | Medium |
Step 4: Adjustment plan
Based on gap analysis, develop an action plan:
Short-term actions (3-6 months):
- Eliminate default passwords
- Implement SBOM generation
- Train development teams
Medium-term actions (6-12 months):
- Implement formal SDLC
- Implement OTA update mechanisms
- Establish CVD program
Long-term actions (12+ months):
- Process certification
- Adjust entire product portfolio
- Build long-term support infrastructure
Step 5: Budgeting
CRA means additional costs. Plan budget for:
- Tools (security scanners, SBOM generators, testing platforms)
- People (security specialists, testers, support staff)
- Processes (audits, certifications, training)
- Infrastructure (update systems, monitoring, helpdesk)
How will CRA affect importers and distributors?
CRA imposes obligations not only on manufacturers but also on importers and distributors.
Importer obligations
An importer placing a product on the EU market must:
- Verify that manufacturer has conducted conformity assessment
- Check technical documentation completeness
- Ensure product has CE marking
- Provide their contact details on product
- Inform manufacturer of non-compliance
- Cooperate with supervisory authorities
If the importer modifies the product or places it under their own brand, they assume manufacturer obligations.
Distributor obligations
A distributor must:
- Verify CE marking before placing in circulation
- Check that manufacturer/importer has provided contact details
- Not place products in circulation they suspect are non-compliant
- Inform manufacturer/importer of problems
- Cooperate with supervisory authorities
Supply chain implications
CRA will force greater transparency and responsibility throughout the supply chain. Distributors will need to verify product compliance, and importers - conduct due diligence on suppliers from outside the EU.
How does CRA connect with other regulations?
CRA doesn’t operate in a vacuum - it coexists with other cybersecurity regulations.
CRA and NIS2
NIS2 concerns entities (operators of essential and important services), CRA concerns products. An entity covered by NIS2 should expect to:
- Prefer CRA-compliant products, since NIS2 requires supply-chain security measures
- Treat CRA conformity as evidence in supply chain risk management
- Report incidents, including those caused by product vulnerabilities
CRA and DORA
DORA requires financial entities to manage ICT risk, including third-party ICT risk; CRA ensures that the ICT products they buy meet minimum security standards. CRA-compliant products therefore simplify the due diligence DORA demands.
CRA and AI Act
Products that are high-risk AI systems are subject to both regulations. CRA covers the cybersecurity requirements; the AI Act covers AI-specific safety, transparency, and oversight requirements. A high-risk AI system that meets the CRA essential requirements is deemed to satisfy the AI Act's cybersecurity requirement.
CRA and CE marking
CRA joins the existing CE marking system. A CRA-compliant product will bear CE marking confirming cybersecurity requirements are met, analogous to electrical or electromagnetic safety.
Summary - CRA will change the digital products market
The Cyber Resilience Act is a groundbreaking regulation that will fundamentally change how digital products are designed, manufactured, and supported in Europe.
For manufacturers
- Security will become a market access condition
- Investment in processes and tools necessary
- Responsibility for entire product lifecycle
- Potentially severe penalties for non-compliance
For users
- Higher product security levels
- Clear information about support and updates
- Easier vulnerability reporting
- Greater protection against defective products
For the market
- Level playing field (everyone must invest in security)
- Elimination of cheapest, unsecured products
- Higher entry barriers for new players
- IoT market consolidation
Key actions to take
| Action | Timeline | Responsibility |
|---|---|---|
| Product inventory | Immediately | Product Management |
| SDLC process assessment | 1 month | Engineering |
| Gap analysis | 2 months | Security + Compliance |
| Adjustment plan | 3 months | Board |
| SBOM implementation | 6 months | Engineering |
| Default password elimination | 6 months | Engineering |
| CVD program | 6 months | Security |
| Full compliance | Before CRA application date | Entire organization |
CRA is not just a regulatory requirement - it’s an opportunity to build competitive advantage. Manufacturers who invest early in security will have a stronger position when CRA enters into force.
Need support preparing products for CRA? Contact us - we’ll help conduct gap analysis, implement SDLC processes, and prepare compliance documentation.