The EU Cyber Resilience Act: what you actually need to do

A practical guide for software manufacturers. No legal jargon, no filler — just the deadlines, requirements, and steps to get compliant.

Does this apply to you?

If you answer yes to any of these, the CRA affects your business:

  • You sell software, firmware, or connected hardware in the EU
  • Your product has a direct or indirect logical or physical data connection to a device or network (the CRA's definition of a "product with digital elements")
  • You distribute IoT devices, embedded systems, or smart products in EU markets
  • You build components (libraries, SDKs) used in commercial products sold in the EU
  • You import or distribute digital products made outside the EU

Non-commercial open source (software that is neither monetised nor supplied in the course of a commercial activity) and standalone SaaS are generally out of scope. But if your cloud backend is a "remote data processing solution" that the physical product needs to perform its functions, it's in scope.

Key deadlines

Dec 10, 2024
CRA enters into force

Regulation (EU) 2024/2847 was published in the Official Journal of the EU on November 20, 2024 and entered into force twenty days later. The obligations phase in from there.

Sep 11, 2026
Reporting obligations begin

From this date manufacturers must submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, via the single reporting platform (to ENISA and the CSIRT designated as coordinator). This applies to products already on the market as well as new ones.

Dec 11, 2027
Full compliance required

Every product with digital elements placed on the EU market from this date must meet all CRA requirements, including conformity assessment and CE marking. Products placed on the market before this date are subject only to the reporting obligations unless they are substantially modified afterwards. (The provisions on notified bodies apply earlier, from June 11, 2026, so that assessment bodies can be accredited in time.)

What the CRA requires

The regulation is broad, but the practical obligations boil down to five areas:

1. Security by design

Products must be designed, developed, and maintained with cybersecurity in mind from day one. You need to perform risk assessments, apply secure defaults, minimize attack surfaces, and ensure data confidentiality and integrity. This isn't aspirational — it's auditable.

2. Vulnerability handling

You must have a documented process for receiving, triaging, and fixing vulnerabilities. Security updates must be provided free of charge, without undue delay, and separately from feature updates where technically feasible, for the whole support period. The support period must reflect the product's expected lifetime and be at least 5 years unless the product is expected to be in use for less than that; each security update must then stay available for at least 10 years after release or for the rest of the support period, whichever is longer. You also need a coordinated vulnerability disclosure policy and a published contact point for reporting vulnerabilities.

3. SBOM and documentation

Article 13 obliges manufacturers to meet the vulnerability handling requirements of Annex I, Part II, the first of which is to identify and document the components in the product, including by drawing up a Software Bill of Materials in a commonly used, machine-readable format covering at least the top-level dependencies. The SBOM becomes part of the technical documentation; it does not have to be published, but it must be produced for market surveillance authorities on request. CycloneDX and SPDX are the practical formats. The technical documentation must also contain your cybersecurity risk assessment and the conformity assessment procedure you followed.
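As an added example (not part of the original page and not Security2Center's code): a stand-alone script that turns a pinned lockfile into the "top-level dependencies" SBOM the regulation describes, in CycloneDX 1.5 JSON, and then applies the sanity checks a reviewer would run before accepting one. The lockfile contents, product name and version are constructed for the example; only the Python standard library is used.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: a requirements.txt-style lockfile with exact pins.
SAMPLE_LOCKFILE = """\
# top-level, pinned dependencies of a hypothetical product
requests==2.31.0
cryptography==42.0.5
pyyaml==6.0.1
"""

# Only exact pins are accepted: an SBOM must name one version, not a range.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([A-Za-z0-9.+!-]+)\s*(?:#.*)?$")


def parse_lockfile(text):
    """Return [(name, version)] for every exact pin; blank/comment lines are skipped,
    anything that is not an exact pin is rejected."""
    deps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not an exact pin: {line!r}")
        deps.append((m.group(1).lower(), m.group(2)))
    return deps


def purl(name, version):
    # Package URL for a PyPI package, e.g. pkg:pypi/requests@2.31.0
    return f"pkg:pypi/{name}@{version}"


def build_cyclonedx(product_name, product_version, deps):
    """Minimal CycloneDX 1.5 document: the product as metadata.component, each
    top-level dependency as a library component, plus an explicit dependency graph."""
    product_ref = f"pkg:generic/{product_name}@{product_version}"
    components = [
        {"type": "library", "bom-ref": purl(n, v), "name": n, "version": v, "purl": purl(n, v)}
        for n, v in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": product_ref,
                          "name": product_name, "version": product_version},
        },
        "components": components,
        "dependencies": [
            {"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]},
            *({"ref": c["bom-ref"], "dependsOn": []} for c in components),
        ],
    }


def check_sbom(bom):
    """Checks a reviewer applies before accepting an SBOM: format declared, every
    component carries name/version/purl/bom-ref, bom-refs unique, dependency graph
    only references known refs, and the product itself has a dependencies entry."""
    problems = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        problems.append("missing bomFormat/specVersion")
    refs = set()
    for c in bom.get("components", []):
        for field in ("name", "version", "purl", "bom-ref"):
            if not c.get(field):
                problems.append(f"component {c.get('name', '?')} lacks {field}")
        if c.get("bom-ref") in refs:
            problems.append(f"duplicate bom-ref {c['bom-ref']}")
        refs.add(c.get("bom-ref"))
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    refs.add(root)
    deps = bom.get("dependencies", [])
    for d in deps:
        for target in [d.get("ref")] + d.get("dependsOn", []):
            if target not in refs:
                problems.append(f"dependency graph references unknown ref {target}")
    if not root or not any(d.get("ref") == root for d in deps):
        problems.append("product has no dependencies entry")
    return problems


def generate_sbom_json(lockfile_text=SAMPLE_LOCKFILE, product="acme-gateway", version="3.2.0"):
    """Parse, build, self-check, and serialise; refuses to emit an SBOM that fails the checks."""
    bom = build_cyclonedx(product, version, parse_lockfile(lockfile_text))
    problems = check_sbom(bom)
    if problems:
        raise ValueError("SBOM rejected: " + "; ".join(problems))
    return json.dumps(bom, indent=2)


if __name__ == "__main__":
    print(generate_sbom_json())
```

The same two-step shape (generate, then validate against the fields an auditor will look for) carries over to SPDX; the point of the self-check is that an SBOM with unversioned or duplicate components is worse than none, because it suggests the inventory is not actually maintained.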

4. Incident and vulnerability reporting

Starting September 11, 2026, actively exploited vulnerabilities and severe incidents affecting product security must be reported under Article 14 through the single reporting platform, which reaches both ENISA and the CSIRT designated as coordinator. The timeline is strict: an early warning within 24 hours of becoming aware, a detailed notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available (for vulnerabilities) or within one month after the 72-hour notification (for incidents). You must also inform affected users without undue delay.

5. Conformity assessment

Most products can self-assess. "Important" products listed in Annex III face stricter routes: Class I (for example operating systems, browsers, password managers, VPNs, and consumer routers) may still self-assess, but only by fully applying harmonised standards or an EU cybersecurity certification scheme, otherwise a notified body is needed; Class II (for example hypervisors, container runtimes, and industrial firewalls) always requires third-party assessment. "Critical" products in Annex IV (smart meter gateways, smartcards and secure elements, hardware devices with security boxes such as HSMs) may additionally be required to hold an EU cybersecurity certificate. All conforming products carry the CE marking and come with an EU declaration of conformity.

What happens if you don't comply

The CRA has real teeth:

  • Up to EUR 15 million or 2.5% of global annual turnover, whichever is higher, for failing to meet the essential cybersecurity requirements in Annex I or the manufacturer obligations in Articles 13 and 14 (which include vulnerability handling and reporting)
  • Up to EUR 10 million or 2% of turnover, whichever is higher, for breaching other obligations (importer and distributor duties, documentation, conformity procedure)
  • Up to EUR 5 million or 1% of turnover, whichever is higher, for supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities
  • Products can be withdrawn, recalled, or banned from the EU market by national market surveillance authorities

How Security2Center helps

Security2Center is a security trust center built specifically for CRA compliance. Here's what maps to what:

CRA requirement: SBOM documentation (Article 13, Annex I Part II)
What S2C does: Publish and manage SBOMs in CycloneDX and SPDX formats. Customers and auditors access them directly from your trust center.

CRA requirement: Vulnerability disclosure (Article 13, Annex I Part II)
What S2C does: CSAF advisories and VEX documents, machine-readable. Public vulnerability disclosure page with access controls.

CRA requirement: Incident and vulnerability reporting (Article 14)
What S2C does: Built-in reporting workflow with 24h/72h/14d timeline tracking. Generates reports in the required format.

CRA requirement: Conformity and transparency
What S2C does: Branded compliance portal on your subdomain. Customers verify certifications, security practices, and documentation in one place. CRA readiness scoring shows what's missing.

3 months free. No credit card. Full access.

Start your free trial

Frequently asked questions

What is the EU Cyber Resilience Act?

The CRA (Regulation 2024/2847) is an EU regulation requiring all products with digital elements sold in the EU to meet baseline cybersecurity requirements throughout their lifecycle. It covers software, firmware, IoT devices, and connected hardware.

When does the CRA take effect?

The CRA entered into force on December 10, 2024. Vulnerability and incident reporting obligations begin September 11, 2026. Full compliance with all requirements is mandatory for products placed on the market from December 11, 2027.

What are the penalties for non-compliance?

Fines can reach up to EUR 15 million or 2.5% of global annual turnover, whichever is higher, for breaches of the essential requirements or of the manufacturer obligations in Articles 13 and 14; lower tiers apply to other breaches. Products can also be withdrawn, recalled, or banned from the EU market.

Do I need an SBOM under the CRA?

Yes. Annex I, Part II (applied through Article 13) requires manufacturers to identify and document the vulnerabilities and components in their products, including a Software Bill of Materials in a commonly used, machine-readable format that covers at minimum the top-level dependencies. It forms part of the technical documentation and must be provided to market surveillance authorities on request.

Does the CRA apply to open source software?

Non-commercial open source projects are generally exempt, and open-source software stewards have only light-touch obligations. However, if you integrate open source components into a commercial product sold in the EU, you must exercise due diligence on those components (Article 13(5)) and you, not the upstream project, are responsible for the product's conformity, including handling vulnerabilities in those components.

Does the CRA apply to SaaS products?

Standalone SaaS is generally excluded. However, if your cloud service is integral to the functionality of a physical product (e.g., an IoT device's backend), it falls under the CRA's scope as a "remote data processing solution."