CRA - Cyber Resilience Act
An EU regulation imposing cybersecurity requirements on products with digital elements placed on the European market.
What is the Cyber Resilience Act?
CRA (Cyber Resilience Act, Regulation (EU) 2024/2847) is a European Union regulation introducing mandatory cybersecurity requirements for products with digital elements - both hardware and software, including remote data-processing solutions that the product depends on - placed on the EU market. CRA complements existing regulations (NIS2, DORA) with a product dimension: where those acts impose obligations on the organisations that use technology, CRA places its obligations primarily on the manufacturers of that technology, with lighter duties for importers and distributors.
The regulation imposes obligations on manufacturers throughout the entire product lifecycle: from the design phase (security by design and by default, risk assessment against the essential requirements in Annex I), through market placement (conformity assessment, technical documentation, CE marking), to post-market support (free security updates for the product's expected period of use, and in any case for at least 5 years unless the product is expected to be in use for less). Manufacturers must also run a vulnerability handling process - including a machine-readable software bill of materials (SBOM) covering at least the top-level dependencies, a coordinated vulnerability disclosure policy and a public contact point for vulnerability reports - and must report actively exploited vulnerabilities and severe incidents through the single reporting platform to the CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days of a fix or mitigation being available.
CRA classifies products by risk level, which determines the conformity assessment route. The default category covers the majority of products and allows self-assessment by the manufacturer. Important products Class I (Annex III, e.g., operating systems, routers and modems for internet connection, switches, VPN products, password managers, browsers, SIEM systems, microcontrollers and microprocessors with security-related functionalities) may be self-assessed only if harmonised standards, common specifications or a European cybersecurity certification scheme are applied; otherwise third-party assessment is needed. Important products Class II (e.g., hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers) always require third-party conformity assessment by a notified body. A further category of critical products (Annex IV, e.g., hardware devices with security boxes, smart meter gateways, smartcards and secure elements) may in addition be required by delegated act to hold a European cybersecurity certificate.
Why does it matter?
CRA shifts responsibility for the security of digital products from the user to the manufacturer. For companies developing software or devices with digital components, this means new obligations: a documented risk assessment and technical file, an SBOM, a vulnerability handling and disclosure process, security updates for the declared support period, incident and exploited-vulnerability reporting within fixed deadlines and, depending on the product class, third-party conformity assessment. Non-compliance can be penalised with fines of up to EUR 15 million or 2.5% of worldwide annual turnover for breaches of the essential requirements.
For organisations purchasing technology, CRA means a higher baseline security level for products available on the European market, and concrete things to check at procurement: the CE marking and EU declaration of conformity, the declared support period, the availability of an SBOM, and the manufacturer's contact point for vulnerability reports. In the OT context this is particularly significant: manufacturers of controllers, sensors and industrial software will need to meet the same essential requirements, and industrial firewalls and intrusion detection systems fall into important Class II.