What is the Cyber Resilience Act? An Overview

The EU Cyber Resilience Act (CRA) is here. Learn which products are in scope, the critical 2026-2027 compliance timeline, and reporting obligations.

Written by Dimitri Page
December 13, 2025

The Cyber Resilience Act is a new European Union regulation designed to raise the baseline of cybersecurity for all products with digital elements. If you build, import or distribute a digital product in the EU, the CRA will likely apply to you. This first article offers a high-level introduction. In later articles, we will explore the specific obligations in more depth.

Disclaimer: This content is provided for informational purposes only. The official text remains the authoritative reference.

Cyber Resilience Act Summary and Goal

At its core, the CRA ensures that any product with digital elements placed on the EU market is secure by design, secure by default and supported with security updates throughout its intended lifetime. The goal is simple. Users in the European Union should be able to rely on digital products that minimise risk, withstand common attacks and receive timely fixes when vulnerabilities emerge.

To reach this goal, manufacturers must meet essential cybersecurity requirements and maintain an ongoing vulnerability handling process. This is where the CRA introduces a shift. Security becomes a continuous responsibility that spans planning, design, development, production and long-term support.

Which Products Fall Under the CRA

The CRA applies broadly to products with digital elements that are made available on the EU market. This category covers software, hardware and remote data processing components when they are essential to the product’s functioning. A key criterion from the CRA FAQ is that the intended purpose or reasonably foreseeable use of the product must involve a direct or indirect physical or logical data connection to a device or network. In other words, even offline software running on a connected device may fall under scope.

Some categories are exempt because they are already regulated by other EU frameworks; most general-purpose digital products remain in scope. The first steps in determining applicability are to establish whether your product qualifies as a product with digital elements, whether it is placed on the EU market, and whether it connects directly or indirectly to a device or network.

Economic Operators: Manufacturer, Importer, Distributor

The CRA defines three roles and assigns obligations accordingly. Manufacturers carry primary responsibility, but importers and distributors also have duties to ensure that only compliant products reach the EU market.

These distinctions matter because your responsibilities under the CRA depend on the role you fulfil. Later articles will look at this in detail. For now, what matters is recognising that each operator in the supply chain contributes to the product’s cybersecurity assurance.

Key CRA Timeline

The CRA entered into force on December 10, 2024. Compliance requirements roll out in two major phases that every organisation should plan for.

September 11, 2026: Reporting duties begin

This date activates one specific part of the CRA. Manufacturers must begin reporting actively exploited vulnerabilities and severe security incidents. The FAQ clarifies that this obligation applies even to products placed on the market before the broader compliance date. In practice, this creates the first major operational requirement and introduces regulatory expectations around real-time awareness of exploited risks.

December 11, 2027: Full CRA compliance becomes mandatory

From this date, the entire CRA becomes the new baseline for placing digital products on the EU market. This includes essential cybersecurity requirements, conformity assessment and CE marking, a defined support period with free security updates, vulnerability handling processes and the obligations that apply to importers and distributors.

Products already on the market do not need to be retroactively upgraded to meet the full CRA unless they undergo a substantial modification. However, reporting duties still apply to them.

Why This Matters Now

The CRA moves cybersecurity from an implied expectation to a demonstrable obligation. Organisations will need to prove that their products are secure, maintained and free from known exploitable vulnerabilities at launch. This includes having a clear risk assessment, a transparent vulnerability handling process, a support period that matches the product lifecycle and documentation that shows how essential requirements were met.

With these requirements approaching, having a centralised and accurate picture of your product security posture becomes essential for both compliance and customer trust. This is where modern ASPM platforms, such as ScanDog’s context-aware vulnerability prioritisation and reporting, can help teams prepare early and reduce the operational pressure that will build as the deadlines approach.

