    CRA · Regulation (EU) 2024/2847

    Cyber Resilience Act compliance software for products with digital elements

    Meet the Annex I essential requirements, classify your products, run the conformity assessment for CE marking, and report vulnerabilities and severe incidents under Article 14 — in one workspace.

    Who is in scope

    Key dates

    Reporting from 11 Sep 2026; main obligations from 11 Dec 2027

    Who must comply

    Manufacturers (and importers and distributors) of products with digital elements on the EU market

    Maximum fines

    Up to €15M or 2.5% of global annual turnover (Art. 64)

    The CRA covers products with digital elements placed on the EU market. Products already governed by sectoral law — medical devices, motor vehicles, civil aviation — are excluded, and open-source software stewards have a lighter regime. This is guidance, not legal advice.

    What the CRA requires

    The CRA sets horizontal cybersecurity rules for products with digital elements across their lifecycle:

    1. Essential requirements (Annex I)

    Design and build products to be secure by default, with no known exploitable vulnerabilities at release, and handle vulnerabilities throughout the support period (Annex I, Parts I and II).

    2. Manufacturer obligations (Art. 13)

    Run a cybersecurity risk assessment, set a support period of at least five years, ship security updates, provide a software bill of materials, and operate a coordinated vulnerability disclosure policy.

    3. Conformity assessment & CE marking (Annex VIII)

    Classify the product (default, important Class I or II, or critical), run the matching conformity-assessment procedure, draw up the EU declaration of conformity and affix the CE marking.

    4. Vulnerability & incident reporting (Art. 14)

    Notify actively exploited vulnerabilities and severe incidents to the coordinating CSIRT and ENISA — an early warning within 24 hours and a fuller notification within 72 hours.

    How LandingRed helps

    Turn the regulation into a tracked conformity programme — from Annex I requirements to the CE-marking file.

    Annex I requirements catalogue

    Track every Annex I essential requirement — security properties and vulnerability handling — against your evidence, with clear gap visibility.

    Product risk classification

    Classify each product against the CRA risk tiers (default, important, critical) to determine the conformity route it needs.

    Conformity path & CE marking

    Record the chosen conformity-assessment procedure, assemble the technical documentation, and track the EU declaration of conformity and CE marking.

    Article 14 reporting drafts

    Draft the actively-exploited-vulnerability and severe-incident notifications to the CSIRT and ENISA on the 24-hour and 72-hour clock.

    Frequently asked questions

    What is the Cyber Resilience Act?

    The CRA (Regulation (EU) 2024/2847) is the EU's horizontal cybersecurity law for products with digital elements — hardware and software with a data connection. It sets essential cybersecurity requirements, vulnerability-handling and reporting duties, and conformity assessment leading to CE marking.

    When does the CRA apply?

    The CRA entered into force in December 2024. Its reporting obligations (Article 14) start on 11 September 2026, and the main obligations — essential requirements, conformity assessment and CE marking — apply from 11 December 2027.

    What is a "product with digital elements"?

    Any hardware or software product whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Products already covered by sectoral law — such as medical devices, motor vehicles and civil aviation — are excluded.

    What has to be reported, and how fast?

    Manufacturers must notify actively exploited vulnerabilities and severe incidents to the designated coordinating CSIRT and ENISA: an early warning within 24 hours and a fuller notification within 72 hours, followed by a final report (Article 14).

    What are the penalties?

    Non-compliance with the Annex I essential requirements or the Article 13 and 14 obligations can attract fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher; other breaches up to €10 million or 2%, and misleading information up to €5 million or 1% (Article 64).

    See where you stand on the CRA

    Take the free self-assessment to map your CRA readiness in a few minutes — no account required.