Cyber Resilience Act: Key Concepts for Implementation
If your organization places products with digital elements on the European Union market, you need to understand the Cyber Resilience Act (CRA)—and what it requires of you. This guide is written for security, engineering, and product leaders responsible for building and maintaining those products. This is a practical crash course on the CRA and its core requirements. It focuses on security and technical professionals but is useful for anyone who needs to understand the essentials.
You’ll learn:
Essential CRA concepts and timelines
Four practical implications of the CRA for technical teams
How the CRA applies in scenarios like:
Using open-source software dependencies in your product
Maintaining and updating a legacy product sold in the EU
Key Cyber Resilience Act Concepts
The most important things you need to know about the CRA.
| Concept | Description |
|---|---|
| What is the Cyber Resilience Act (CRA)? | The CRA is a regulation passed by the EU that specifies cybersecurity requirements that all organizations (regardless of sector) must meet. |
| What technological and geographic scopes are affected? | The CRA applies to anyone creating or distributing “products with digital elements”, e.g., hardware and software products (and certain associated remote data processing solutions) placed on the EU market. Note that the scope has carve-outs/exclusions in the Regulation for certain regulated product areas. |
| Who implemented the CRA? | The European Commission proposed the CRA, and it was adopted by the European Parliament and Council. It is a “regulation,” which means it has binding authority over all member nations and doesn’t require local laws to translate or apply it to their jurisdiction. |
| Who enforces the CRA? | Enforcement will be carried out by the Market Surveillance Authorities (MSAs) in each member nation, with technical and operational support from the EU Agency for Cybersecurity (ENISA). |
| Why has it been implemented? | With the explosion of products with digital elements comes greater digital dependence and greater security risks. CRA is designed to protect consumers and to reduce the cost of security flaws in these products. |
| What is the timeline for implementation? | Now: CRA is adopted and in force; most obligations apply from 11 Dec 2027, with reporting obligations applying from 11 Sep 2026 June 11, 2026: CRA conformity-assessment infrastructure provisions begin to apply (Chapter IV), enabling formal conformity assessment and related processes September 11, 2026: Organizations must report “exploited vulnerabilities and severe incidents” (paragraph 126) to the appropriate Computer Security Incident Response Team (CSIRT) and ENISA within 24 hours. December 11, 2027: Law is in full effect. |
| How does this affect products already on the EU market? | As described in Article 69, products on the EU market before December 11, 2027, are only subject to the vulnerability reporting requirements described in Article 14. However, any “substantial modification” to these products requires them to be brought into compliance with the CRA. |
The Official Source of Truth on the Cyber Resilience Act
The summary table above provides essential details about the Cyber Resilience Act. The regulation’s official requirements are detailed in Regulation-2024/2847-EN-EUR-Lex, which should be regarded as the source of truth for all CRA requirements, enforcement, and consequences.
This article highlights the essential requirements and implications for technical professionals, but the regulation is subject to change, and you are responsible for adhering to it as appropriate for your context. The sections that follow frequently link to and quote from the CRA’s official document, so you can learn more directly from the official source of truth on the subject.
Practical Implications of the Cyber Resilience Act
So, what does the CRA actually require of technical professionals?
There are four primary implications for those creating a product with digital elements:
Risk assessments
“Secure by default” requirements
Vulnerability handling and response
CE marking requirements
Anyone involved in importing and/or distributing a relevant product also has obligations to verify / ensure compliance conditions are met before placing/making it available on the EU market (you can find more details on this responsibility here).
Risk Assessments
The CRA requires manufacturers to conduct a risk assessment before making a product publicly available in any capacity, including pre-release versions (e.g., alpha/beta releases). This risk assessment must be provided as part of the technical documentation the CRA requires (see Article 31).
Risk assessments must consider how the cybersecurity risks in Part I of Annex 1 apply to “the intended purpose and reasonably foreseeable use...” of the product. If some risks in Annex 1 don’t apply, you must document why they aren’t applicable. This assessment must also consider the risks associated with third-party integrations, including those involving free and open-source software.
So what might a risk assessment look like for a team planning a product that communicates with a third-party API? For the sake of brevity, we’ll walk through a couple of the criteria in Part I of Annex 1 to illustrate what this should look like:
Products with digital elements shall be made available on the market without known exploitable vulnerabilities
The team will start a risk assessment by analyzing whether any of its software (used in the product that communicates with the third-party API) has known exploitable vulnerabilities. For example, if a product uses the requests library, the team would have to consider vulnerabilities related to said library.
Additionally, the risk assessment must consider the third-party API to ensure that there are no documented vulnerabilities in the third-party system that could present a vulnerability to the product (see Article 13, Section 5 for more details on the responsibilities of manufacturers as it relates to third-party systems).
(e) Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means
A risk assessment must ensure that data processed by the device/system is appropriately protected throughout its lifetime in the system. A risk assessment would need to answer questions related to this criterion, like these:
Is there any data that isn’t being protected?
Are the planned or implemented protection mechanisms up to date?
Is data protected through the entire system (in transit and at rest)?
“Secure by Default” Requirements
Under the CRA, products with digital components must be “secure by default” (see 2b of Annex 1). This means it is not enough to have a security feature that addresses one of the requirements listed in Annex 1 that is merely “available”—it must be enabled in the product’s initial state. The CRA also requires that products be able to be reset to their original state, allowing users to confidently return to a secure state if needed.
For example, if a product accesses a third-party API, it must do so in a manner that is secure and poses no risk to the product owner, the third party, or any other party. The data and authentication (if present) must be securely stored and processed. The product can support user configurability under the CRA, and such configurability may even allow modifications that could make the product slightly less secure, but users must be able to reset the system to its original, secure state.
Vulnerability Handling/Response
Another practical implication of the Cyber Resilience Act is that you must have a process for handling vulnerabilities that you find or are reported to you. The process of reporting “actively exploited vulnerabilities” is laid out in Article 14, Section 2, with this timeline:
Hour zero: You become aware of an “actively exploited vulnerability.”
Within 24 hours: You must send an early warning notification to the appropriate CSIRT and ENISA.
Within 72 hours: You must send a vulnerability notification with general details about the vulnerability and exploit to the same.
Within 14 days: The final report (detailing what happened and what you did to fix/mitigate the issue.) must be submitted no later than 14 days after a corrective measure is available.
You also have to report any “severe incidents” as described in sections 3-5 of Article 14. Severe incidents have the same timeline as vulnerabilities, except the final report isn’t due until a month after the early warning notification.
For practical purposes, the key takeaway here is to develop a plan for handling this kind of incident now. Having even a basic reporting process documented can save a lot of time and headaches later. A vulnerability reporting process can be as simple as a document describing the following:
The required reporting timeline (as detailed above)
What has to be reported at each stage of the timeline
Who needs to be contacted and how to get a hold of them
Documenting this process now will ensure that you don’t have to do it later while also handling an actively exploited vulnerability.
Importers and distributors of a product are responsible for reporting any vulnerabilities they discover or become aware of to the manufacturer and ensuring that they are addressed as required by the CRA.
CE Marking Requirements
The last significant implication of the CRA that you should be aware of is the “CE” symbol, which you’ve probably seen before.
The CE marking indicates the manufacturer’s declared conformity (following the applicable conformity assessment route) with EU requirements, including CRA where applicable. It indicates that the marked product meets the necessary requirements to be sold in the EU. Keep in mind that a product may need to meet multiple requirements, one of which may be the CRA, depending on the type of product. Until now, some products with digital elements haven’t needed the “CE” logo, but they will once the CRA goes into full effect.
You can read more about these requirements in Recital 89 and Article 30.
How the Cyber Resilience Act Impacts Common Scenarios
Let’s walk through some common scenarios and examine how they should be handled under the CRA.
Using an Open-Source Dependency
Let’s say your product uses an open-source software library. Before the CRA, you could use this library without considering its dependencies or vulnerabilities. After the CRA goes into effect, you will be responsible for keeping a software bill of materials (SBOM), which is “a formal record containing details and supply chain relationships of components included in the software elements of a product with digital elements” (Article 3, point 39). The CRA expects an SBOM in a commonly used, machine-readable format covering at least top-level dependencies. It may be requested by authorities, and it isn’t necessarily required to be public.
CRA regulators and reviewers generally expect an SBOM to be in a standard format, such as CycloneDX. Many tools can automatically generate an SBOM. To illustrate this, assume you want to create an SBOM for a Python application with the following requirements.txt:
requests==2.32.5
In this case, you would use cyclonedx-python to generate your SBOM. To set up an environment where you can test this locally, run the following commands in your terminal (keep in mind you may have to change the Python version, depending on which you have installed):
python3.13 -m venv venv # Create a virtual env
. venv/bin/activate # Activate it
echo "requests==2.32.5" > requirements.txt # Create the requirements.txt with a demo requirement
pip install -r requirements.txt # Install the requirements (and dependencies)
pip freeze > requirements.txt # Capture all of the dependencies in the requirements.txt
pip install cyclonedx-bom==7.2.1 # Install https://github.com/CycloneDX/cyclonedx-python
Now you can create an SBOM by running this in your terminal:
cyclonedx-py requirements
This command will output your SBOM. You can write it to a file with:
cyclonedx-py requirements > sbom.json
This command pulls the requirements from requirements.txt and captures them in the SBOM. You may want to capture requirements differently, and there are more options available through cyclonedx-python that you can view by running:
cyclonedx-py
The SBOM starts with content that looks like this (example output—versions will vary):
{
"components": [
{
"bom-ref": "requirements-L1",
"description": "requirements line 1: certifi==2025.10.5",
"externalReferences": [
{
"comment": "implicit dist url",
"type": "distribution",
"url": "https://pypi.org/simple/certifi/"
}
],
"name": "certifi",
"purl": "pkg:pypi/[email protected]",
"type": "library",
"version": "2025.10.5"
},
...
}
The value of this is that it is machine-readable, in a standardized format, and easy to auto-generate.
There’s a lot more to learn about SBOMs (you can read more here), but the critical thing to know is that you are responsible for maintaining one under the CRA if you use other software libraries.
Maintaining/Updating a Legacy Product
As mentioned earlier, Article 69 notes that any products on the EU market before December 11, 2027 are only subject to the vulnerability reporting requirements described in Article 14. However, they must comply with the CRA if they have a “substantial modification.” As noted in Article 3, point 30, a “substantial modification” is one that affects either the compliance of the product with the requirements laid out in Part I of Annex 1 or the intended purpose of the product.
Practically speaking, this means you need to be proactive about planning updates to legacy products because they may also require you to work on making the product compliant with the CRA. Additionally, even if you want to release a new minimum viable product (MVP) or alpha/beta feature to test market fit, you must still comply with the CRA.
Final Thoughts on the Cyber Resilience Act
The Cyber Resilience Act is a reality that has significant implications for businesses operating in the EU. While it can feel like a regulatory burden, the CRA also reinforces many strong security practices and creates an opportunity to strengthen your security posture through clear planning, risk assessment, and operational discipline.
Drata helps you operationalize regulations like the CRA by turning requirements into tracked controls, owners, and evidence. You can model the CRA as a custom framework in Drata, map Annex I requirements to your internal controls, and continuously monitor whether those controls are working—alongside other frameworks such as SOC 2 or ISO 27001. This gives security and GRC teams a single system to manage risk assessments, control testing, and reporting as CRA obligations come into force.