RoutineMetric

EU Cyber Resilience Act (CRA) Class Evaluator

Evaluate your product's compliance pathway, risk tier, and regulatory scope under the EU Cyber Resilience Act (CRA). Ensure your hardware, software, or embedded components meet mandatory CE-marking cybersecurity standards before entering the EU market.

Quick Presets

Product Parameters

CRA covers "products with digital elements". Pure cloud SaaS is generally excluded unless it acts as a critical remote data processing pipeline for physical hardware.

Products already strictly regulated under equivalent EU cybersecurity regimes (like MDR or UNECE R155/156) are exempt from CRA.

Years (Max mandatory expectation is typically 5 years under CRA)

Evaluation Result

Scope Status: In-Scope

Your product meets the definition of a 'product with digital elements' placed on the EU market under the CRA.

CRA Risk Category:

Default (Unclassified)(Low to Standard Risk)

Annex III matches your product functionality with defined critical/important assets, influencing the required depth of your safety documentation.

Conformity Assessment Pathway:

Module A (Self-Assessment / Internal Control). The manufacturer assumes full responsibility and compiles technical documentation without mandatory third-party audits.

Core Compliance Mandates

  • SBOM (Software Bill of Materials): You must establish and regularly update a machine-readable SBOM containing inventory of open-source and proprietary components (e.g., CycloneDX / SPDX standard).
  • Vulnerability Reporting: Mandatory reporting of any actively exploited vulnerabilities to ENISA (European Union Agency for Cybersecurity) and national authorities within 24 hours of discovery.
  • Default Security: Standard integration of security-by-design principles (disable unused ports, secure interfaces, encryption at rest/transit, automated security updates, secure factory-reset capability).
  • Regulatory Lifespan: Guaranteed active security maintenance/updates for the declared product lifespan or at least 5 years, whichever is shorter.

Key CRA Timeline Milestones

CRA Formal Adoption (2024): Official entry into force after publication in the EU Official Journal.
21-Month Mark (~Mid 2026): Mandatory reporting of actively exploited vulnerabilities and cyber incidents comes into full force.
36-Month Mark (~Late 2027): Full CRA implementation. All new hardware and software must carry the CE mark & follow the prescribed conformity pathways.
Bottom Banner Ad (728x90)

Understanding the EU Cyber Resilience Act (CRA): Scope, Classifications, and Compliance

The European Union Cyber Resilience Act (CRA) is a landmark regulation that introduces mandatory, harmonized cybersecurity requirements for all "products with digital elements" (PDEs) placed on the internal EU market. This applies to both physical hardware devices (like routers, industrial control systems, and consumer IoT) and standalone digital software products. The law aims to protect consumers and organizations by placing security-by-design and lifecycle support obligations squarely on manufacturers and developers.

Scope and Exclusions

While the reach of the Cyber Resilience Act is incredibly broad, several sectors are deliberately excluded because they are already covered by robust equivalent regulations. Exclusions include:

  • Medical Devices: Regulated separately under the Medical Device Regulation (EU) 2017/745 and In Vitro Diagnostic Medical Device Regulation (EU) 2017/746.
  • Motor Vehicles: Covered by specialized UNECE R155/156 framework rules.
  • Civil Aviation: Governed by EASA safety regulations.
  • Pure-Play SaaS: Standalone cloud services with no hardware data processing link are generally exempt, although they are heavily impacted by the parallel NIS2 Directive.

CRA Risk Tiers & Conformity Assessment

The regulation structures products into three core classification brackets depending on their function, vulnerability profile, and systemic impact on consumer or industrial safety:

Default / Unclassified

Covers approximately 90% of in-scope hardware and software. Requires self-assessment (Module A) to ensure compliance with essential requirements before applying the CE mark.

Class I (Important)

Includes web browsers, identity management systems, and VPNs. Requires adherence to harmonized standards. If standards are not used, mandatory third-party assessment is required.

Class II (Highly Important)

Includes critical operating systems, hypervisors, and industrial automation components (IACS). Undergoes mandatory, non-negotiable Third-Party Notified Body examinations.

Mandatory Steps for Manufacturers

If your product is deemed in-scope, your engineering and product teams must prepare several technical, organizational, and operational items:

  1. Implement Security-by-Design: Turn off unnecessary services, enforce strong, non-generic default passwords, encrypt static and transient data, and build dynamic secure update frameworks.
  2. Generate and Maintain an SBOM: Ensure automated creation of a Software Bill of Materials (SBOM) listing direct and transitive third-party dependencies, particularly open-source libraries, to track zero-day threats.
  3. Establish Vulnerability Monitoring: Set up a continuous reporting window. If your product experiences a severe security incident or actively exploited vulnerability, you must notify ENISA and the corresponding CSIRT within 24 hours of discovery.
  4. Declare a Lifetime Support Guarantee: Inform buyers of the specific support lifespan. This must match market expectations and cover security updates for at least five years or the duration of product use, whichever is shorter.

Disclaimer: This diagnostic tool is intended for information and educational purposes only. It does not constitute official legal advice. For detailed market authorization, please consult a certified EU notified compliance body or localized cybersecurity legal expert.