Understand the Cyber Resilience Act

A plain-language introduction to Regulation (EU) 2024/2847 — what it is, who it affects, and the key obligations it creates.

What is the CRA?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that introduces mandatory cybersecurity requirements for products with digital elements (PDEs) placed on the EU market. It entered into force on 11 December 2024.

The CRA applies throughout the product lifecycle — from design and development through to end of support. It establishes essential security requirements (Annex I), documentation obligations, a vulnerability reporting regime, and conformity assessment procedures. The goal is to ensure that hardware and software products are secure by design and remain secure throughout their supported life.

Who does it apply to?

The CRA applies to any economic operator that:

  • Manufactures products with digital elements and places them on the EU market — including hardware with embedded software and standalone software products
  • Imports products from non-EU manufacturers and places them on the EU market under their own name or trademark
  • Distributes products on the EU market without altering them
  • Acts as an open-source steward that systematically provides free/open-source software intended for commercial use

Non-EU manufacturers who sell products into the EU are fully in scope. They must appoint an authorised representative established in the EU (Article 17).

What is a product with digital elements?

A product with digital elements (PDE) is any software or hardware product, together with its remote data processing solutions, that has a direct or indirect data connection to a device or network. This intentionally broad definition covers:

  • Consumer IoT devices (smart home, wearables, routers)
  • Industrial hardware with network connectivity
  • Standalone software applications (desktop, mobile, server)
  • Operating systems and hypervisors
  • Software components and libraries placed on the market
  • Cloud-connected devices where the manufacturer controls the backend

Certain sectors are partially or fully excluded, including medical devices under MDR/IVDR, motor vehicles under type-approval regulation, civil aviation, and marine equipment.

Product classification

Not all PDEs are treated equally. The CRA divides in-scope products into four classes based on their cybersecurity risk profile, as set out in Annexes III and IV:

  • Default — all in-scope products not listed in Annex III or IV. The vast majority of PDEs fall here.
  • Important — Class I (Annex III, Class I) — products posing a significant cybersecurity risk, such as identity management software, browsers, password managers, and general-purpose operating systems.
  • Important — Class II (Annex III, Class II) — higher-risk products including hypervisors, TPMs, industrial automation software, and smart meter gateways.
  • Critical (Annex IV) — the highest-risk products, including hardware security modules (HSMs), smart cards, and hardware devices with security boxes.

Classification determines which conformity assessment route a manufacturer must follow before affixing the CE mark:

Class                    Self-assessment (Module A)          Notified body (Module B+C / H)
Default                  Always available                    Optional
Important — Class I      If harmonised standards applied     Required if no harmonised standards
Important — Class II     Not available                       Required
Critical                 Not available                       Required (or EU cybersecurity certification)


Penalties for non-compliance

The CRA establishes a tiered system of administrative fines under Article 64. Market surveillance authorities in each EU member state can impose these fines on manufacturers, importers, distributors, and open-source software stewards.

Tier 1 — up to €15 000 000 or 2.5 % of worldwide annual turnover (whichever is higher):

Failure to meet the essential cybersecurity requirements in Annex I, or violations relating to CE marking, conformity assessment, technical documentation, or the authorised representative obligation (Articles 13, 16, 19–22, 24).

Tier 2 — up to €10 000 000 or 2 % of worldwide annual turnover (whichever is higher):

Violations of the vulnerability reporting and incident notification obligations under Article 14, failure to notify conformity assessment bodies, or failure to cooperate with market surveillance authorities (Articles 15, 17, 18, 23).

Tier 3 — up to €5 000 000 or 1 % of worldwide annual turnover (whichever is higher):

Supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities.

For large organisations with significant global revenue, the turnover-based cap will typically exceed the fixed maximum. Member states may also impose additional penalties under national law. Note that the Article 14 deadline of 11 September 2026 is the first point at which Tier 2 fines become enforceable.

Key deadlines

1. 11 December 2024 — CRA enters into force

The regulation is legally in effect. Products placed on the market from this date must comply with the CRA once the application dates are reached.

2. 11 September 2026 — Vulnerability reporting obligations apply

Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date.

3. 11 June 2027 — Conformity assessment body notification

Member States must notify conformity assessment bodies to the Commission.

4. 11 December 2027 — Full regulation applies

All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform.


Understand the CRA — EU Cyber Resilience Act overview — CRA Compliance Hub