What The EU Cyber Resilience Act Means For Digital Product Makers

What manufacturers need to know to comply with upcoming security regulations.

The EU Cyber Resilience Act (CRA) is set to become a defining regulation for all manufacturers and developers of digital products that touch the EU market. It introduces strict requirements for cybersecurity practices, risk management, and compliance procedures, affecting a wide range of stakeholders from software developers to hardware vendors. This article unpacks what the CRA is, who it affects, and how to get ready.

What is the CRA and what does it cover?

At its core, the CRA applies to any “Product with Digital Elements” (PDE). That includes hardware, software, firmware, and even cloud components that are essential to a product’s functionality. Common examples:

  • Standalone apps and software
  • Devices with embedded firmware
  • Cloud-based systems that support a physical product
  • SDKs and software libraries distributed for integration

Even products that are not directly connected to the internet can fall under the CRA if they are likely to be used in connected environments. A USB stick, for instance, or a smart TV that only connects to a network once it has been set up, would both be in scope. Note that the CRA does not cover non-commercial open-source software, media files, or other non-executable data.

Risk classification: Default, important, or critical?

The CRA separates products into four classes based on cybersecurity risk:

  • Default (low risk)
  • Important Class I
  • Important Class II
  • Critical (high risk)

These classifications guide the required level of oversight, from self-assessment to third-party evaluations. Lists of product types are included in CRA Annexes III and IV, but manufacturers must ultimately assess their own classification based on intended use and cybersecurity impact.

When do you need to comply?

The CRA will roll out in phases:

  • Enters into force: 12 November 2024
  • Incident and vulnerability reporting starts: 12 November 2025
  • Full compliance required: 11 December 2027

If a product is still being sold after the 2027 deadline, it must comply—even if it was launched years earlier. Updates to legacy products might also trigger a reassessment.

Who must comply?

CRA obligations fall on a broad range of players:

  • Manufacturers (hardware and software)
  • Authorized Representatives within the EU
  • Importers and Distributors
  • Developers of applications, SDKs, and operating systems
  • Startups building smart devices or digital tools

The regulation holds these stakeholders accountable for secure development and product lifecycle management.

What are the core requirements?

To comply with the CRA, manufacturers must:

  • Conduct a Threat Analysis and Risk Assessment (TARA)
  • Follow secure-by-design and secure-by-default principles
  • Establish a vulnerability handling process with:
    • 24-hour notification to ENISA for actively exploited vulnerabilities
    • Detailed follow-ups within 72 hours and final reports within 14–30 days
  • Provide technical documentation proving compliance
  • Deliver security updates for at least five years or the expected product lifetime

Technical documentation should include:

  • Risk assessment and design rationale
  • Software Bill of Materials (SBOM)
  • Update delivery plans
  • Vulnerability handling records
  • Declaration of Conformity (DoC)

How compliance is evaluated

Assessment requirements depend on your product’s classification:

  • Default: Internal self-assessment
  • Important Class I: Self-assessment or optional third-party validation
  • Important Class II / Critical: Third-party assessment by a Notified Body is mandatory

Existing certifications such as EUCC or SESIP may support a CRA evaluation, but they do not replace the CRA-specific assessment.

What happens if you don’t comply?

Non-compliance isn’t just a paperwork issue. It can lead to:

  • Fines up to €15 million or 2.5% of global revenue
  • Product recalls or bans from the EU market
  • Damaged reputation and loss of customer trust

CE marking is directly tied to CRA compliance. If your product doesn’t meet CRA requirements, you cannot legally apply the CE mark or sell in the EU.

Non-EU manufacturers are also required to comply. They must appoint a local representative and fulfill all CRA obligations before entering the EU market.

How to prepare now

Getting ready for the CRA isn’t a quick fix. Here are four steps to start:

  1. Classify your product under the correct risk category and define the relevant threat profile.
  2. Run a gap analysis to assess current development practices against CRA requirements.
  3. Build a compliance roadmap aligned with product development cycles.
  4. Leverage toolkits and templates for SBOMs, secure development, and vulnerability handling. ENISA and national authorities will provide official guidance, templates, and checklists.

Conclusion

The CRA is reshaping how digital products are built, shipped, and maintained in the EU. With enforcement coming in 2027, now is the time to harden your cybersecurity practices and build CRA compliance into your development pipeline.

If you’re unsure about your product’s classification or risk exposure, consult with Keysight specialists. We offer expert guidance through every stage of the CRA compliance process. Our team helps streamline approvals and manage your product’s complete security lifecycle. Our state-of-the-art tools further support security testing to address and minimize vulnerabilities effectively.

The Keysight team hosted an expert-led webinar to walk you through classification, documentation, testing, and certification strategies. Register for the webinar here. Learn more about our CRA evaluation services on this page.
