Understanding the EU Cyber Resilience Act (CRA): Scope, Classifications, and Compliance
The European Union Cyber Resilience Act (CRA) is a landmark regulation that introduces mandatory, harmonized cybersecurity requirements for all "products with digital elements" (PDEs) placed on the internal EU market. This applies to both physical hardware devices (like routers, industrial control systems, and consumer IoT) and standalone digital software products. The law aims to protect consumers and organizations by placing security-by-design and lifecycle support obligations squarely on manufacturers and developers.
Scope and Exclusions
While the reach of the Cyber Resilience Act is incredibly broad, several sectors are deliberately excluded because they are already covered by robust equivalent regulations. Exclusions include:
- Medical Devices: Regulated separately under the Medical Device Regulation (EU) 2017/745 and In Vitro Diagnostic Medical Device Regulation (EU) 2017/746.
- Motor Vehicles: Covered by specialized UNECE R155/156 framework rules.
- Civil Aviation: Governed by EASA safety regulations.
- Pure-Play SaaS: Standalone cloud services with no hardware data processing link are generally exempt, although they are heavily impacted by the parallel NIS2 Directive.
CRA Risk Tiers & Conformity Assessment
The regulation structures products into three core classification brackets depending on their function, vulnerability profile, and systemic impact on consumer or industrial safety:
Default / Unclassified
Covers approximately 90% of in-scope hardware and software. Requires self-assessment (Module A) to ensure compliance with essential requirements before applying the CE mark.
Class I (Important)
Includes web browsers, identity management systems, and VPNs. Requires adherence to harmonized standards. If standards are not used, mandatory third-party assessment is required.
Class II (Highly Important)
Includes critical operating systems, hypervisors, and industrial automation components (IACS). Undergoes mandatory, non-negotiable Third-Party Notified Body examinations.
Mandatory Steps for Manufacturers
If your product is deemed in-scope, your engineering and product teams must prepare several technical, organizational, and operational items:
- Implement Security-by-Design: Turn off unnecessary services, enforce strong, non-generic default passwords, encrypt static and transient data, and build dynamic secure update frameworks.
- Generate and Maintain an SBOM: Ensure automated creation of a Software Bill of Materials (SBOM) listing direct and transitive third-party dependencies, particularly open-source libraries, to track zero-day threats.
- Establish Vulnerability Monitoring: Set up a continuous reporting window. If your product experiences a severe security incident or actively exploited vulnerability, you must notify ENISA and the corresponding CSIRT within 24 hours of discovery.
- Declare a Lifetime Support Guarantee: Inform buyers of the specific support lifespan. This must match market expectations and cover security updates for at least five years or the duration of product use, whichever is shorter.
Disclaimer: This diagnostic tool is intended for information and educational purposes only. It does not constitute official legal advice. For detailed market authorization, please consult a certified EU notified compliance body or localized cybersecurity legal expert.