Your CRA resource hub
Make sense of the EU Cyber Resilience Act, fast.
Plain-English answers, free tools, and updates you can trust, for any company that makes or sells products with digital elements. We read the regulation so you don't have to.
Find your way through the EU Cyber Resilience Act.
Confirmed deadlines
Notified-body rules apply.
The rules on conformity assessment bodies apply from this date, so notified bodies can be designated and begin assessing higher-risk (Important Class II and Critical) products ahead of full application.
Reporting obligations live.
Manufacturers must notify ENISA of actively exploited vulnerabilities and severe incidents via the Single Reporting Platform: an early warning within 24 hours, a notification within 72 hours and a final report within 14 days.
Full compliance required.
All essential cybersecurity requirements, SBOM, CE marking, EU Declaration of Conformity and technical documentation must be in place for every product with digital elements placed on the EU market.
These dates are set in Regulation (EU) 2024/2847, in force since 10 December 2024. They are not moving unless Brussels amends the text, and if that happens, we'll tell you.
What applies to me? →
Got a customer questionnaire asking if your product is CRA-compliant? Start here.
A procurement team, a security assessor, or your biggest EU customer just asked whether your product meets the Cyber Resilience Act, whether you have an SBOM, or what class your software falls under - and you have no idea where to begin. You don't have a dedicated compliance function, and the regulation runs to hundreds of pages.
Take a breath. Most of this is more manageable than it looks once someone explains it plainly. The CRA sets baseline cybersecurity requirements for products with digital elements sold in the EU. Whether you're a manufacturer, importer or distributor, the duties differ. We'll help you work out whether you're in scope, which class applies, and what you actually have to do. No jargon, no sales pitch.
Not sure if any of this is even your problem yet? Check in two minutes →
Start here
Start where you are
Four routes through the CRA, depending on what you need right now.
Free tools
Free tools, no email wall
Use them on the page. We'll only ask for your email if you want your result or a PDF sent to you.
Why use this hub
Independent
We're not selling you compliance software, and there's no demo to book. That means no pressure to "request a quote" at the bottom of every answer. We just explain the rules.
Always current
The CRA is still being implemented: notified-body rules, ENISA reporting guidance and product-class clarifications are all in motion. Every page carries the sources we used and the date we last checked them, and we update when things change.
Plain English, free tools
A scope and class checker, an obligations checker, an SBOM tool, a glossary and a product-class browser - written for people without a legal team. Terms are explained the first time we use them, then linked to the glossary.
The CRA Brief
We watch Brussels so you don't.
The CRA implementation keeps moving. One plain-English email tells you what changed, what it means for your product and what to do about it, so you can stop refreshing EUR-Lex and get back to building.
- A monthly issue rounding up what moved in Brussels and what's coming next.
- Breaking-change alerts the moment something material lands: a deadline update, new ENISA guidance, a product-class clarification or a delegated act.
- Plain-English summaries with a link to the official source, every time.
Free, and you can unsubscribe in one click. No spam, no selling your address.
By the numbers
The CRA by the numbers
The figures worth keeping in your head. Each one is set in Regulation (EU) 2024/2847 or in official ENISA guidance.
Maximum fine for breaching essential cybersecurity requirements - €15 million or 2.5% of global annual turnover, whichever is higher.
Reporting obligations go live: manufacturers must notify ENISA of actively exploited vulnerabilities via the Single Reporting Platform.
Early-warning window. Manufacturers have 24 hours to send an initial notification to ENISA after discovering an actively exploited vulnerability.
Share of in-scope products that fall into the Default class and can self-assess conformity without a notified body.
Full compliance deadline: all essential requirements, SBOM, CE marking and technical documentation must be in place.
Software Bill of Materials - mandatory for every product with digital elements, listing all software components and dependencies.
Sources: Regulation (EU) 2024/2847 (EUR-Lex) and the European Commission CRA policy page. Fines are the higher of the fixed amount or the percentage of global annual turnover.
From the Brief
From the CRA Brief
The latest updates and explainers. New entries land here as the implementation moves.

The CRA and Open Source: What Maintainers, Foundations, and Integrators Actually Need to Know
The EU Cyber Resilience Act treats open source carefully. Individual contributors are generally out of scope. Foundations may be "stewards" with lighter duties. Integrators carry the compliance weight.

The CRA Is Not Just the Manufacturer's Problem: What Importers and Distributors Must Do
Importers and distributors have their own legal duties under the EU Cyber Resilience Act - not just manufacturers. Here's exactly what each role must verify before a product reaches the EU market.

Security by Design Under the CRA: What Annex I, Part I Actually Requires
Security by design isn't a slogan under the EU Cyber Resilience Act - it's a set of concrete legal requirements in Annex I, Part I. Here's what they mean in practice.
FAQ
Cyber Resilience Act: quick answers
The questions people ask first. Each links into a deeper, sourced explainer.
What is the EU Cyber Resilience Act (CRA)?
The CRA (Regulation (EU) 2024/2847) is an EU law that sets baseline cybersecurity rules for almost any product that contains software or can connect to a network. It tells manufacturers how secure a product must be, what they must document, and how they must handle vulnerabilities over its life. It entered into force on 10 December 2024 and applies in full from 11 December 2027.
Who does the CRA apply to?
Anyone who makes, imports or sells a "product with digital elements" in the EU: manufacturers carry most duties, while importers and distributors must verify CE marking and documentation. Open-source software stewards have lighter, tailored duties. Pure cloud/SaaS is generally out of scope (it falls under NIS2 instead).
When are the CRA deadlines?
Three dates matter: 11 June 2026 (rules on notified bodies apply), 11 September 2026 (vulnerability and incident reporting obligations start, via ENISA's Single Reporting Platform), and 11 December 2027 (full application - all essential requirements, SBOM and CE marking).
What is a "product with digital elements"?
It is any software, or hardware containing software, that can connect to a device or network - apps, operating systems, smart devices, routers, sensors, even components sold separately, plus the manufacturer's own remote data-processing services. Most such products fall in the "default" category and can be self-assessed.
What are the penalties for non-compliance?
Up to €15 million or 2.5% of worldwide annual turnover (whichever is higher) for breaching the essential requirements; lower caps apply to other obligations. Micro and small enterprises are not fined for missing the 24-hour reporting deadline, and open-source stewards are not fined.
Does the CRA require a Software Bill of Materials (SBOM)?
Yes. Manufacturers must create and maintain a machine-readable SBOM (e.g. CycloneDX or SPDX) covering at least the top-level dependencies, and keep it in the technical documentation. It does not have to be public, but authorities can request it.
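To make the SBOM answer concrete, here is an added example (not the hub's own tool and not a CRA-mandated format) that builds a minimal machine-readable SBOM in CycloneDX 1.5 JSON for a product and its top-level dependencies, then runs a few basic consistency checks on it. The product name, version and dependency list are constructed for illustration.

```python
"""Build and sanity-check a minimal machine-readable SBOM in CycloneDX JSON form."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: the top-level dependencies of a hypothetical product.
# (name, version, package-URL type) - not real project data.
TOP_LEVEL_DEPS = [
    ("openssl", "3.0.13", "generic"),
    ("zlib", "1.3.1", "generic"),
    ("requests", "2.32.3", "pypi"),
]


def make_purl(ptype, name, version):
    """Package URL (purl) identifier of the form pkg:<type>/<name>@<version>."""
    return f"pkg:{ptype}/{name}@{version}"


def build_sbom(product_name, product_version, deps, serial=None):
    """Return a CycloneDX 1.5 document (as a dict) describing the product and its
    top-level dependencies. Each component carries a purl so tooling can match it
    against vulnerability databases."""
    product_ref = f"{product_name}@{product_version}"
    components = []
    for name, version, ptype in deps:
        purl = make_purl(ptype, name, version)
        components.append({
            "type": "library",
            "bom-ref": purl,
            "name": name,
            "version": version,
            "purl": purl,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {
                "type": "application",
                "bom-ref": product_ref,
                "name": product_name,
                "version": product_version,
            },
        },
        "components": components,
        # Dependency graph: the product depends directly on every listed component.
        "dependencies": [
            {"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]}
        ],
    }


def check_sbom(doc):
    """Return a list of problems found; an empty list means the document passes
    these basic checks: format and version markers present, the product it
    describes is named, every component has a name, version and purl, and every
    dependency edge points at a listed component."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if "specVersion" not in doc:
        problems.append("specVersion missing")
    if not doc.get("metadata", {}).get("component", {}).get("name"):
        problems.append("metadata.component.name missing (which product is this?)")
    for i, comp in enumerate(doc.get("components", [])):
        for field in ("name", "version", "purl"):
            if not comp.get(field):
                problems.append(f"components[{i}] missing {field}")
    refs = {c.get("bom-ref") for c in doc.get("components", [])}
    for dep in doc.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            if target not in refs:
                problems.append(f"dependency target {target} is not a listed component")
    return problems


if __name__ == "__main__":
    sbom = build_sbom("example-gateway", "2.4.0", TOP_LEVEL_DEPS)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom))
```

The checks here are deliberately minimal; for real technical documentation you would validate the output against the published CycloneDX JSON schema and regenerate the document on every release so it tracks the shipped dependency set.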
Stay ahead of the next CRA change.
Free, plain-English updates. We watch Brussels so you don't.