Cyber Resilience Act explained: requirements, timeline and scope

Updated on: 1 April 2026 · 6 min read

The Cyber Resilience Act introduces EU-wide cybersecurity requirements for products with digital elements. This article explains what changes, when key obligations apply, and which organisations across the EU need to act.

Contents

  1. Summary
  2. Who is affected?
  3. Assess and implement
  4. Timeline
  5. CRA requirements
  6. Difference to NIS2

Summary: what the Cyber Resilience Act regulates

The Cyber Resilience Act (CRA) is an EU regulation. It sets common cybersecurity requirements for products with digital elements, including software and connected devices, that are made available on the EU market.

These requirements apply across the product lifecycle. That includes design, development, placing products on the market, vulnerability handling and security updates. To place in-scope products on the EU market, economic operators need to demonstrate conformity with the regulation’s requirements, typically through conformity assessment procedures and CE marking.

Responsibilities are shared across the supply chain. Manufacturers need to design and maintain products in line with the CRA’s requirements. Importers and distributors need to check that the necessary conformity steps have been completed before products are made available on the market.

The CRA also requires structured vulnerability management. For example, manufacturers need processes to identify, document and address vulnerabilities, and the CRA introduces EU-level reporting deadlines for actively exploited vulnerabilities and severe incidents. Reporting obligations start on 11 September 2026, while the main obligations apply from 11 December 2027.

For a reliable starting point, the European Commission’s overview of the Cyber Resilience Act, the legal text on EUR-Lex and ENISA’s cybersecurity policy resources are all useful reference points. As of March 2026, they remain the most relevant EU-level sources for understanding the CRA.

FAQ for Cyber Resilience Act (CRA)

From 11 September 2026, key obligations begin to apply, including:

  • Mandatory vulnerability reporting within defined timelines.
  • Processes for handling and disclosing security issues.

From 11 December 2027, the CRA fully applies. Products with digital elements placed on the EU market must:

  • Meet essential cybersecurity requirements (security by design and by default).
  • Include vulnerability management and coordinated disclosure processes.
  • Provide security updates where required.
  • Be supported by technical documentation and conformity assessment.

Effective cyber resilience combines technical controls with operational discipline:

  • Harden systems to reduce exposure.
  • Apply updates and patches consistently.
  • Prioritise and remediate high-risk vulnerabilities.
  • Enable clear, fast incident reporting.

To make this work in practice:

  • Define ownership across teams.
  • Test response processes regularly.
  • Support employees with ongoing awareness and reporting guidance.

Products with digital elements are hardware or software that rely on software to function.

This includes:

  • Operating systems and applications.
  • Connected devices (e.g. routers, IoT, smart devices).
  • Industrial control systems.
  • Enterprise IT systems with software or firmware.

Most connected products placed on the EU market fall within scope.

Organisations strengthen resilience by embedding security into daily operations:

  • Establish structured processes for updates, vulnerabilities, and incidents.
  • Test these processes regularly.
  • Make reporting simple and accessible.

In parallel, strengthen the human layer:

  • Provide ongoing, practical awareness training.
  • Use realistic simulations.
  • Support employees in making secure decisions in real time.


Who is affected by the Cyber Resilience Act?

The Cyber Resilience Act applies across the EU to the main economic operators that place products with digital elements on the market: manufacturers, importers and distributors. It covers hardware and software products whose intended purpose, or reasonably foreseeable use, includes a direct or indirect data connection to a device or network.

Manufacturers are responsible for designing, developing and placing products on the EU market under their name or trademark. Importers bring products into the EU from third countries and must check that the required compliance steps have been completed. Distributors make products available on the EU market and must verify key formal requirements, such as CE marking and required user information.

Typical examples of products with digital elements include:

  • Operating systems
  • Applications and software
  • Firmware
  • Routers, switches and firewalls
  • Smart home and smart office devices
  • Industrial control systems
  • Wearables
  • Enterprise IT, such as servers and storage systems with integrated software or firmware

For a quick reference, use our overview of products with digital elements under the Cyber Resilience Act.

How to assess your cyber resilience readiness and plan implementation

A quick self-assessment shows how well your organisation is prepared for cyber resilience, even if you do not develop software or manufacture digital products. It helps you review whether core measures are already in place across your organisation and supply chain, including policies, training, patch management, reporting channels and basic controls. The result is an initial view of gaps and priorities.

A more detailed cyber resilience assessment builds on that baseline. It turns early findings into a practical roadmap with clear responsibilities, milestones, awareness activities and regular reporting. Dashboards can then help teams track progress and maintain visibility over time.


Cyber Resilience Act timeline: key dates for entry into force and implementation

The timeline below highlights the key milestones in the Cyber Resilience Act timeline, from its adoption to full application across the EU. After publication in the Official Journal of the European Union, the Act entered into force and began a phased transition period. This gives organisations time to set up the processes, documentation and responsibilities needed for compliance before all obligations fully apply.

  • 23 October 2024: CRA is passed
  • 20 November 2024: Publication in the Official Journal of the European Union
  • 11 December 2024: Entry into force of the Cyber Resilience Act
  • 11 June 2026: Conformity assessment bodies can verify requirements
  • 11 September 2026: Reporting requirements for vulnerabilities and security incidents begin
  • 11 December 2027: New products must meet all requirements

Cyber Resilience Act requirements at a glance

The Cyber Resilience Act sets out both technical and organisational requirements. These apply across the full product lifecycle, from design and development to maintenance, updates and vulnerability handling. Together, they create a common EU framework for cyber resilience in how products are built, maintained and supported.

Security by design and by default

Security requirements are built into product architecture, development and configuration from the start. Default settings must provide a secure baseline without requiring extra action from users.

Vulnerability management and updates

Organisations need processes to identify, assess and address vulnerabilities in a timely way. Security updates must be delivered securely, and coordinated vulnerability disclosure supports faster remediation.

Documentation and compliance

Technical documentation, risk assessments and the relevant conformity assessment procedure support access to the EU market. These records must be kept up to date and remain traceable over time.

Reporting channels and incident processes

Teams need clear responsibilities, internal reporting steps and escalation paths. This helps organisations record, assess and route security issues in a structured way.

Supply chain and components

Products should include clear documentation of components and dependencies, including open source software and, where relevant, a software bill of materials (SBOM). Changes must remain traceable across the product lifecycle.

Information for users

Users must receive clear information on security features, support and update periods, and relevant changes. This improves transparency and supports secure use in practice.

NIS2 vs the Cyber Resilience Act: what’s the difference?

NIS2 and the Cyber Resilience Act are both part of the EU’s current cybersecurity framework, but they apply to different parts of the risk landscape. NIS2 focuses on how organisations manage cybersecurity, while the Cyber Resilience Act focuses on the security of products with digital elements across their lifecycle. Comparing the two helps clarify where they overlap, where they differ and what each requires in practice.

NIS2 and the Cyber Resilience Act (CRA) compared by aspect:

Legal nature
  • NIS2: EU Directive. Transposed into national law.
  • CRA: EU Regulation. Applies directly across the EU.

Focus
  • NIS2: Cybersecurity risk management in organisations, including incident reporting obligations.
  • CRA: Security of products with digital elements across their lifecycle, including security by design and vulnerability management.

Addressees
  • NIS2: Essential and important entities in defined sectors.
  • CRA: Manufacturers, importers and distributors of products with digital elements.

Duties
  • NIS2: Risk management measures, incident handling and reporting obligations.
  • CRA: Security requirements for design, development, maintenance and updates, including conformity assessment and documentation.

Evidence
  • NIS2: Policies, procedures, risk assessments and reporting processes.
  • CRA: Technical documentation, conformity assessment and CE marking.

Objective
  • NIS2: Strengthen the cyber resilience of essential and important entities.
  • CRA: Ensure secure digital products in the EU internal market.

Practical role
  • NIS2: Strengthens organisational security and governance.
  • CRA: Complements NIS2 by addressing product-level security requirements. Together, they cover both organisational and product-related risk.

Organisations already working on NIS2 can build on many of the same foundations when preparing for the Cyber Resilience Act. Both aim to strengthen cyber resilience across Europe, but they address different layers of risk. NIS2 focuses on organisational security, while the CRA focuses on product security. Together, they form a complementary framework for security and compliance.

For many organisations, this creates a clear structure for prioritising next steps.

Please note: This article is for general information only and does not constitute legal advice. It does not replace an individual legal assessment. For binding guidance on your obligations under the Cyber Resilience Act, consult qualified legal advisers or the relevant authorities.
