
Cyber Resilience Act

Regulation (EU) 2024/2847

Mandatory cybersecurity for products with digital elements placed on the EU market.

Days until enforcement
557 days
Atomic obligations
34
Max exposure
€15M
or 2.5% global turnover

Who is concerned?

The CRA applies to anyone placing a product with digital elements on the EU market — manufacturers, importers, distributors. "Digital elements" is broad: it includes:

  • Hardware with embedded software (IoT devices, industrial controllers, medical devices)
  • Standalone software products (desktop, mobile, server-side SaaS shipped as a product)
  • Connected devices with remote data processing
  • Components and remote data processing solutions integrated into products

If your product talks to the internet, has firmware, or processes data remotely — CRA likely applies to you.

What it requires (high-level)

The CRA imposes obligations across the full product lifecycle:

  • Essential cybersecurity requirements (Annex I): secure by design, secure defaults, vulnerability handling, no exploitable known vulnerabilities at the time of placement on the market.
  • Vulnerability handling and SBOM (Article 13): maintain a Software Bill of Materials, monitor known vulnerabilities, deliver security updates for the support period.
  • Conformity assessment (Module A/B+C/H): self-assessment for the default category, Notified Body audit for "important" and "critical" products.
  • CE marking: required before placing on the market.
  • Importer and distributor obligations (Articles 19, 20): verify CE marking, retain documentation, support traceability.
  • Reporting: actively exploited vulnerabilities and severe incidents to ENISA within 24h.

Penalty exposure

Up to €15M or 2.5% of global annual turnover, whichever is higher.

Beyond fines: market withdrawal, recall obligations, reputational damage, importer/distributor liability cascading up the supply chain.

How NexCyber helps with CRA

NexCyber automates CRA readiness end-to-end:

  • SBOM as a compliance artifact — auto-mapped to Article 13. Accepted formats: SPDX 2.3, CycloneDX 1.5. Versioned, signed, downloadable.
  • Article-by-article readiness — every claim traces back to the article that produced it. EUR-Lex links live.
  • CE-marking workflow — conformity dossier ready for Notified Body review. No more "what do I show them?".
  • MRCC issuance — Machine-Readable Compliance Certificate signed cryptographically, verifiable by auditors and procurement teams in seconds.

Get started

Run a free CRA readiness assessment — 5 minutes, no credit card, EU-hosted.

See your CRA readiness in 5 minutes.

Free assessment. No credit card. EU-hosted. Auditable engine.
