The text below summarises the main provisions of Regulation (EU) 2024/2847, in order to support the general understanding of the Regulation in an accessible way.
This summary has been prepared by the Commission services and is not meant to systematically cover the full scope of the Regulation. This summary is not representative of the European Commission’s official position. Natural or legal persons who may be subject to the Cyber Resilience Act (CRA) should refer to the text of the Regulation published in the Official Journal of the European Union.
What is the Cyber Resilience Act?
The Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), is a horizontal regulatory framework of the European Union (EU), which applies to hardware and software products (“products with digital elements”) that are made available on the Union market. Such products include both final products and components placed separately on the market.
It aims to set the conditions for the development of secure hardware and software in the Union, in order to strengthen the EU approach to cybersecurity and improve the functioning of the internal market. It also empowers users to take cybersecurity into account when buying and using such products by ensuring that adequate information is made available to them.
The CRA entered into force on 10 December 2024. It will be fully applicable as of 11 December 2027 with some provisions starting to apply earlier: Chapter IV on the notification of conformity assessment bodies will apply from 11 June 2026, whereas reporting obligations set out in Article 14 apply from 11 September 2026.
This webpage summarises the main provisions of the CRA, to support the general reading of the text. Further details on these concepts can also be found in the FAQs published alongside this summary.
Glossary
Product with digital elements: A software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.
Remote data processing: Data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions.
Economic operator: The manufacturer, the authorised representative, the importer, the distributor, or other natural or legal person who is subject to obligations in relation to the manufacture of products with digital elements or to the making available of products with digital elements on the market in accordance with this Regulation.
Manufacturer: A natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge.
Open-source software steward: A legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products.
Authorised representative: A natural or legal person established within the Union who has received a written mandate from a manufacturer to act on its behalf in relation to specified tasks.
Importer: A natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union.
Distributor: A natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties.
Placing on the market: The first making available of a product with digital elements on the Union market.
Making available on the market: The supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.
Conformity assessment: The process of verifying whether the essential cybersecurity requirements set out in Annex I have been fulfilled.
Notified body: A conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation.
Harmonised standard: A standard adopted by a European standardisation organisation on the basis of a request made by the Commission for the application of Union harmonisation legislation.
Chapter I
Chapter I sets out the scope of the Regulation, defines key terms and concepts and explains the interplay between the CRA and other Union legislation.
The CRA establishes rules that economic operators need to respect if they want to make products with digital elements available on the Union market. In particular, it establishes essential cybersecurity requirements that manufacturers need to comply with during the design, development and production of their products with digital elements, as well as during the time those products are expected to be in use. Products with digital elements fall within the scope of the CRA when they are made available on the market and their intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Products with digital elements that are not made available on the market, i.e. not supplied in the course of a commercial activity, are not subject to the CRA. Recital 18 further clarifies when free and open-source software is made available on the market.
Additionally, certain products with digital elements are excluded from the scope of the CRA, particularly when they are covered by other Union legislation.
Chapter II
Manufacturer obligations
The main obligations of the CRA are directed at manufacturers, i.e. the natural or legal persons that place a product with digital elements on the market under their name or trademark. Such obligations are set out in Article 13, which is complemented by various Annexes (and notably Annex I on the essential cybersecurity requirements).
When designing, developing and producing the product with digital elements, the manufacturer needs to ensure that it meets the essential cybersecurity requirements. To this end, the manufacturer is required to perform a cybersecurity risk assessment, which informs the implementation of the essential requirements and needs to be taken into account during the planning, design, development, production, delivery and maintenance phases of the product.
If the manufacturer integrates third-party components, it needs to exercise due diligence so that those components do not compromise the cybersecurity of its product with digital elements.
The cybersecurity risk assessment, as well as the means that the manufacturer chooses to implement the essential requirements (e.g. standards or other technical measures), need to be included in the technical documentation. The manufacturer is required to keep the documentation at the disposal of market surveillance authorities, as they can request it as part of their enforcement activities.
Before placing the product with digital elements on the market, the manufacturer needs to carry out the chosen conformity assessment procedure (see Chapter III for further details on conformity assessment) and, if successful, draw up the EU declaration of conformity and affix the CE marking to its product.
The following information should also be provided together with the product with digital elements:
- a type, batch or serial number or other element allowing its identification;
- its name, registered trade name or registered trademark;
- its postal address, email address or other digital contact details;
- where applicable, the website where the manufacturer can be contacted;
- information and instructions to the user as set out in Annex II, including the end-date of the support period.
The manufacturer needs to determine a support period for its product with digital elements, during which the manufacturer will ensure that vulnerabilities of that product are handled effectively, in line with the vulnerability handling requirements (see Annex I). The end date of the support period (including month and year) needs to be clearly and understandably specified at the time of purchase.
Reporting obligations
After the product is placed on the market, the manufacturer is required to notify any actively exploited vulnerability, and any severe incident having an impact on the security of the product, that it becomes aware of.
The manufacturer needs to submit the notifications to the Computer Security Incident Response Team (CSIRT) of the Member State in which it has its main establishment and to ENISA, within the following deadlines:
- 24 hours for an early warning notification;
- 72 hours for the "main" notification;
- a final report no later than 14 days after a corrective or mitigating measure is available for actively exploited vulnerabilities;
- a final report within one month from the 72h submission for severe incidents.
The manufacturer submits the notifications via the CRA Single Reporting Platform, established and maintained by the European Union Agency for Cybersecurity, ENISA. The CSIRT initially receiving the notification will further disseminate the notification to the CSIRTs of other Member States on the territory of which the product with digital elements has been made available.
Reporting obligations apply to all products with digital elements that have been made available on the Union market, including those already placed on the market before 11 December 2027.
It is also possible for any natural or legal person to notify vulnerabilities, cyber threats, incidents and near misses on a voluntary basis through the CRA Single Reporting Platform.
Authorised representative
The manufacturer may appoint, by written mandate, an authorised representative, to perform some of the tasks of the manufacturer. These may include, for example, tasks related to cooperation with the market surveillance authorities.
Importer
The importer is a natural or legal person established in the Union who places on the market a product with digital elements manufactured outside the Union. The importer needs to ensure that the product is in compliance with the CRA, by ensuring inter alia that the manufacturer has complied with the product-related essential cybersecurity requirements and has processes in place to comply with the vulnerability handling obligations; that the appropriate conformity assessment procedures have been carried out; that the technical documentation has been drawn up; and that the product bears the CE marking.
The importer also has specific obligations when it considers or has reason to believe that a product with digital elements is not in compliance with the CRA as well as upon becoming aware of a vulnerability (e.g. not placing that product on the market until it has been brought back into compliance; informing the manufacturer of such vulnerabilities). It is also required to cooperate with market surveillance authorities to eliminate the cybersecurity risks posed by a product with digital elements that it has placed on the market.
Distributor
The distributor is a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the market without affecting its properties. The distributor needs to verify that products with digital elements bear the CE marking and that manufacturers and importers have complied with certain obligations, including having added their contact details on the product, enclosed the information and instructions to users and indicated the support period.
The distributor also has specific obligations when it considers or has reason to believe that a product with digital elements is not in compliance with the CRA as well as upon becoming aware of a vulnerability (e.g. not making the product available until it has been brought back into compliance; informing the manufacturer of such vulnerabilities). It is also required to cooperate with market surveillance authorities to eliminate the cybersecurity risks posed by a product with digital elements which it has made available on the market.
Open-source software stewards
Taking into account the importance for cybersecurity of many products with digital elements qualifying as free and open-source software that are published, but not made available on the market within the meaning of the CRA, Article 24 introduces obligations for open-source software stewards. These are legal persons that systematically provide support on a sustained basis for the development of specific free and open-source software intended for commercial activities, and that ensure the viability of those software products.
Open-source software stewards are required to have a cybersecurity policy to foster the development of a secure product and effective handling of vulnerabilities; to cooperate with market surveillance authorities and take appropriate corrective actions; to report actively exploited vulnerabilities, to the extent that they are involved in the development of the products with digital elements, and severe incidents to the extent that they affect network and information systems provided by the open-source software stewards for the development of such products.
Open-source software stewards are not subject to penalties for infringements of the CRA.
Chapter III
Chapter III sets out additional provisions on how products with digital elements can benefit from a legal presumption of conformity if harmonised European standards are used; what the EU declaration of conformity (and its simplified version) looks like; how to affix the CE marking; the content of the technical documentation to be drawn up; and on the applicable conformity assessment procedures.
As aforementioned, the manufacturer needs to perform a conformity assessment procedure to check that its product complies with the essential requirements before it can sign the EU declaration of conformity, affix the CE marking and place the product on the market.
Generally, the manufacturer can choose between a self-assessment procedure (the so-called internal control procedure based on module A), a third-party conformity assessment procedure via a notified body or, where available and applicable, a European cybersecurity certification scheme. Such schemes may only be used for demonstrating conformity with the CRA where this possibility has been specified by the European Commission. However, where a product with digital elements has the core functionality of an important or critical product category, the manufacturer may not be allowed to make use of the self-assessment procedure. The product categories of important and critical products with digital elements are listed in Annexes III and IV, and their technical descriptions are included in a separate legal act adopted in accordance with the CRA.
When a product is an important product with digital elements of class I, the manufacturer can make use of the self-assessment procedure only if it has applied harmonised standards, common specifications (where available) or made use of a European cybersecurity certification scheme (where available and applicable); otherwise, it needs to undergo third-party assessment via a notified body.
Manufacturers of important products of class II and critical products are required to undergo third-party assessment or, where available and applicable, make use of a European cybersecurity certification scheme.
As an exception, manufacturers of important products with digital elements of class I and II that are free and open-source software can make use of self-assessment, provided that they make available to the public the technical documentation.
Chapter IV
Conformity assessment bodies are bodies that perform conformity assessment activities. In order to carry out conformity assessment procedures in line with the CRA, a Member State needs to notify the Commission and the other Member States of the bodies authorised to carry out conformity assessments. The notification is sent through the New Approach Notified and Designated Organisations information system.
A conformity assessment body that wishes to be notified needs to meet requirements related to a range of aspects, e.g. being established under national law and having legal personality; being independent of the products it assesses and impartial; having personnel with the requisite technical competence.
Member States are required to designate, by 11 June 2026, notifying authorities responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies. Member States may choose accreditation to assess the competence of such bodies. Notifying authorities shall notify only conformity assessment bodies which have satisfied the applicable requirements.
Once the notification has been submitted in accordance with Article 43, the conformity assessment body is considered to be a notified body. It shall ensure that conformity assessments are carried out in a proportionate manner, avoiding unnecessary burdens for economic operators. It shall perform its activities taking due account of the size of undertakings, in particular as regards microenterprises and small and medium-sized enterprises, including in relation to fees.
Chapter V
Each Member State is required to designate one or more market surveillance authorities responsible for ensuring the effective enforcement of the CRA.
The procedures related to market surveillance are set out both in Chapter V as well as in Regulation (EU) 2019/1020 on market surveillance and compliance of products, which applies to products with digital elements in scope of the CRA.
Market surveillance authorities can provide guidance and advice to economic operators, including manufacturers, on the implementation of the CRA, with the support of the Commission and, where appropriate, CSIRTs and ENISA.
They can make use of a series of procedures, both at national level and at European level, to evaluate products with digital elements presenting a significant cybersecurity risk and to ensure that corrective or restrictive actions are put in place by the relevant economic operators. Market surveillance authorities are required to keep the Commission and other Member States informed of measures that they ask economic operators to take. Market surveillance authorities of different Member States cooperate with each other and can carry out joint activities and simultaneous coordinated control actions (such as sweeps) of particular products with digital elements.
An Administrative Cooperation Group (ADCO) composed of representatives of the various market surveillance authorities is also established, for the uniform application of the CRA.
Chapter VI
Chapter VI empowers the Commission to adopt additional legal acts (delegated and implementing acts) to supplement the CRA or to lay down uniform conditions for its application (e.g. by further specifying certain concepts).
The Commission has already adopted two additional acts, namely:
- Commission Delegated Regulation (EU) 2025/1535 of 29 July 2025 supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council with regard to an exclusion from the application of that Regulation for certain products with digital elements falling within the scope of Regulation (EU) No 168/2013 of the European Parliament and of the Council
- Commission Implementing Regulation (EU) 2025/2392 of 28 November 2025 on the technical description of the categories of important and critical products with digital elements pursuant to Regulation (EU) 2024/2847 of the European Parliament and of the Council
Chapter VII
Chapter VII establishes rules on confidentiality that all parties involved in the application of the CRA need to respect, as well as on penalties applicable to infringements, to be laid down at national level.
Notably, manufacturers that qualify as microenterprises or small enterprises may not be fined for failing to meet the 24h deadline for reporting vulnerabilities and severe incidents, and open-source software stewards may not be fined for any infringement of the CRA.
Chapter VIII
The CRA entered into force on 10 December 2024. Its main provisions will start applying from 11 December 2027. Chapter IV on the notification of conformity assessment bodies will apply from 11 June 2026, whereas reporting obligations set out in Article 14 apply from 11 September 2026.
EU type-examination certificates and approval decisions issued regarding cybersecurity requirements remain valid until 11 June 2028, unless they expire before that date.
Products with digital elements that have been placed on the market before 11 December 2027 are subject to the CRA only if, from that date, they are subject to a substantial modification. Reporting obligations apply to all products with digital elements that have been made available on the Union market, including those already placed on the market before 11 December 2027.
Annex I
Annex I lists the essential cybersecurity requirements and is split into two parts.
Part I relates to the properties of products with digital elements: when placing a product with digital elements on the market, manufacturers shall ensure that it has been designed, developed and produced in accordance with such requirements.
Part II relates to the vulnerability handling requirements: manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with such requirements.
Annex II
Manufacturers need to ensure that products with digital elements are accompanied by the information and instructions to the user, to be provided in a language which can be easily understood by users and market surveillance authorities. They shall be clear, understandable, intelligible and legible. They shall allow for the secure installation, operation and use of products with digital elements.
Annexes III and IV
When a product with digital elements has the core functionality of a product category set out in Annexes III and IV, it is considered an important or critical product with digital elements and is subject to the corresponding conformity assessment procedures.
Annexes V and VI
Where compliance of the product with digital elements with the essential cybersecurity requirements has been demonstrated by the applicable conformity assessment procedure, manufacturers shall draw up the EU declaration of conformity. Annexes V and VI provide the model structure for such declaration, including a simplified version.
Annex VII
Before placing a product with digital elements on the market, manufacturers shall draw up the technical documentation and subsequently keep it at the disposal of market surveillance authorities. Annex VII contains the minimum elements that the technical documentation needs to contain.
Annex VIII
Before placing a product with digital elements on the market, manufacturers shall carry out the chosen conformity assessment procedures as referred to in Article 32 or have them carried out.
Annex VIII specifies the various procedures that may be available to the manufacturer depending on Article 32. These are:
- the internal control procedure (based on module A);
- the EU-type examination procedure (based on module B) followed by conformity to EU-type based on internal production control (based on module C);
- a conformity assessment based on full quality assurance (based on module H) set out in Annex VIII.
The FAQs also provide a simplified explanation of the various conformity assessment modules.