Obligations library

Every obligation under Regulation (EU) 2024/2847 — traceable to the article, with plain-language explanations and evidence guidance.

OBL-ART6-01 Binding

Ensure the product meets essential cybersecurity requirements (Annex I Part I)

Products with digital elements may be placed on the EU market only where they meet the essential cybersecurity requirements set out in Part I of Annex I, provided they are properly installed, maintained, and used for their intended purpose, and where applicable, the necessary security updates have been installed.

Art. 6(a)
Manufacturer

OBL-ART6-02 Binding

Ensure vulnerability handling processes meet essential requirements (Annex I Part II)

Products with digital elements may be placed on the EU market only where the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Part II of Annex I, covering how the manufacturer identifies, handles, and discloses vulnerabilities throughout the support period.

Art. 6(b)
Manufacturer

OBL-ART7-01 Binding

Determine whether your product is an "important product" and apply the correct conformity assessment

Products whose core functionality falls within a category listed in Annex III are "important products with digital elements" and must undergo a more stringent conformity assessment procedure than default products. Class I important products may use Module A self-assessment only if harmonised standards or common specifications are applied; otherwise a notified body is required. Class II always requires a notified body.

Art. 7(1), Art. 7(2), Art. 32
Manufacturer

OBL-ART8-01 Binding

Determine whether your product is a "critical product" and obtain European cybersecurity certification

Products whose core functionality falls within Annex IV (hardware security boxes, smart meter gateways, and smartcards/secure elements) are "critical products with digital elements". Once the Commission adopts the relevant delegated act, they must obtain a European cybersecurity certificate at assurance level 'substantial' or higher under a relevant EUCC scheme. Until that delegated act applies, Module B+C or Module H conformity assessment is required.

Art. 8(1), Art. 32(4)
Manufacturer

OBL-ART13-01 Binding

Ensure product security throughout its lifecycle (secure by design)

Manufacturers must design, develop, and produce products with digital elements so that they provide an appropriate level of cybersecurity based on the risks. Security must be addressed throughout the product's lifecycle — from design through decommissioning.

Art. 13(1), Art. 13(2)
Manufacturer

OBL-ART13-02 Binding

Conduct a cybersecurity risk assessment before placing on the market

Before placing a product with digital elements on the market, manufacturers must carry out an assessment of the cybersecurity risks associated with the product. The risk assessment must inform the product's design, development, and production, and must be documented as part of the technical file.

Art. 13(2)
Manufacturer

OBL-ART13-03 Binding

Draw up and maintain technical documentation (Annex VII)

Manufacturers must draw up technical documentation containing all information necessary to demonstrate that the product conforms to the CRA essential requirements. The documentation must be kept up to date and retained for ten years from placing on the market (or the product's expected lifetime if longer).

Art. 13(3), Art. 13(13)
Manufacturer

OBL-ART13-04 Binding

Undergo the applicable conformity assessment procedure

Manufacturers must demonstrate conformity using the procedure appropriate to their product class. Default products may self-certify (Module A). Important Class I products may self-certify if harmonised standards are applied; otherwise a notified body must be involved. Important Class II and Critical products always require a notified body.

Art. 13(4), Art. 32
Manufacturer

OBL-ART13-05 Binding

Exercise due diligence over software components (SBOM and supply chain)

Where a software component incorporated in a product with digital elements is not developed by the manufacturer, the manufacturer must exercise appropriate due diligence to ensure that the component does not compromise the product's security. A software bill of materials (SBOM) must be prepared and maintained as part of the technical documentation.

Art. 13(5)
Manufacturer

OBL-ART13-06 Binding

Ensure no known exploitable vulnerabilities when placing on the market

When placing a product with digital elements on the market, manufacturers must ensure the product does not contain any known exploitable vulnerabilities. This obligation applies at the time of distribution and to each subsequent update that is released.

Art. 13(6)
Manufacturer

OBL-ART13-07 Binding

Establish and publish a coordinated vulnerability disclosure (CVD) policy

Manufacturers must put in place a policy for coordinated vulnerability disclosure (CVD) and make it publicly accessible. The policy must provide a contact point for reporting vulnerabilities and describe how the manufacturer will handle reports, including acknowledgement timelines and the process for coordinating disclosure with researchers.

Art. 13(7)
Manufacturer

OBL-ART13-08 Binding

Declare and disclose the product support period

Manufacturers must declare the support period for their product and make that information available to users before purchase. The support period must be at least five years, unless the expected use period of the product is shorter. The support-period end date must appear in product documentation and at the point of sale.

Art. 13(8)
Manufacturer

OBL-ART13-09 Binding

Provide security updates throughout the support period

Manufacturers must provide security updates free of charge for at least five years (or the expected use period if shorter). Updates must be delivered promptly, separately from functionality updates, and the support-period end date must be disclosed.

Art. 13(9), Art. 13(8)
Manufacturer

OBL-ART13-10 Binding

Handle and remediate vulnerabilities throughout the support period

Manufacturers must have processes to identify, analyse, and address vulnerabilities in their products throughout the entire support period. Annex I Part II specifies detailed requirements including CVE assignment, CVSS scoring, coordinated disclosure, and timely remediation.

Art. 13(10)
Manufacturer

OBL-ART13-11 Binding

Draw up an EU Declaration of Conformity (EU DoC)

Manufacturers must draw up an EU Declaration of Conformity in accordance with Article 28 and Annex V, stating that the product meets all applicable CRA requirements. The EU DoC must be kept up to date and made available to market surveillance authorities and, where applicable, to users.

Art. 13(11), Art. 28
Manufacturer

OBL-ART13-12 Binding

Affix the CE marking to the product

Manufacturers must affix the CE marking to their products before placing them on the EU market, as evidence that the product conforms to all applicable CRA requirements. The CE marking must be visible, legible, and indelible, and must not be affixed before the EU Declaration of Conformity is drawn up.

Art. 13(12), Art. 30
Manufacturer

OBL-ART13-13 Binding

Ensure product can be uniquely identified (serialisation)

Manufacturers must ensure that each product with digital elements bears a type, batch number, serial number, or other element that allows its identification. For software-only products, the version number serves this purpose.

Art. 13(14)
Manufacturer

OBL-ART13-14 Binding

Mark the product with manufacturer contact information

Manufacturers must indicate their name, registered trade name or trademark, and postal address on the product or its packaging. An electronic contact address (website or email) must also be indicated where available. This enables market surveillance authorities, importers, distributors, and users to contact the manufacturer.

Art. 13(15)
Manufacturer

OBL-ART13-15 Binding

Provide instructions and information to users (Annex II)

Manufacturers must accompany the product with the information and instructions listed in Annex II, in a language easily understood by users. This includes the product identity, security capabilities, contact for reporting vulnerabilities, the support period end date, and guidance on secure use.

Art. 13(16)
Manufacturer

OBL-ART13-16 Binding

Take corrective measures and cooperate with market surveillance

Where a manufacturer has reason to consider that a product placed on the market does not conform with CRA requirements, they must immediately take corrective measures — including withdrawal or recall if necessary. Manufacturers must also cooperate with market surveillance authorities and provide all requested information and documentation.

Art. 13(17), Art. 13(18)
Manufacturer

OBL-ART14-01 Binding

Report actively exploited vulnerabilities and incidents to ENISA

Manufacturers must report any actively exploited vulnerability in their product to ENISA via the single reporting platform within 24 hours (early warning) and 72 hours (notification). A final report is due within 14 days. This obligation applies from 11 September 2026.

Art. 14(1), Art. 14(2), Art. 14(3)
Manufacturer

OBL-ART14-02 Binding

Submit a detailed vulnerability notification to ENISA within 72 hours

Within 72 hours of becoming aware of an actively exploited vulnerability in a product, manufacturers must submit a detailed vulnerability notification to ENISA via the single reporting platform. This follows the 24-hour early warning (OBL-ART14-01) and must include technical details about the vulnerability and the product affected.

Art. 14(2), Art. 14(5)
Manufacturer

OBL-ART14-03 Binding

Submit a final vulnerability report to ENISA within 14 days

Within 14 days of becoming aware of an actively exploited vulnerability, manufacturers must submit a final report to ENISA containing a complete description of the vulnerability, the corrective measures taken, and whether the vulnerability has been publicly disclosed or a CVE has been assigned.

Art. 14(3), Art. 14(5)
Manufacturer

OBL-ART14-04 Binding

Notify users of actively exploited vulnerabilities without undue delay

When a vulnerability is actively exploited, manufacturers must notify affected users without undue delay. The notification must include information sufficient for users to take protective action, including mitigating measures available before a patch is released.

Art. 14(4)
Manufacturer

OBL-ART18-01 Binding

Ensure any authorised representative mandate covers the minimum statutory tasks

A manufacturer may appoint an authorised representative (AR) by written mandate. The mandate must allow the AR to perform at least three minimum statutory tasks: keeping the EU DoC and technical documentation available to market surveillance for at least 10 years or the support period; providing conformity information on request; and cooperating with market surveillance on corrective measures. Core design and production obligations cannot be delegated to the AR.

Art. 18(1), Art. 18(2), Art. 18(3)
Manufacturer

OBL-ART19-01 Binding

Verify product conformity before placing on the EU market

Before placing a product with digital elements on the EU market, importers must verify that the manufacturer has carried out the appropriate conformity assessment, drawn up technical documentation, affixed the CE marking, and made the EU declaration of conformity or declaration of performance available.

Art. 19(1)
Importer

OBL-ART19-02 Binding

Do not place non-conforming products on the market

Where an importer considers or has reason to believe that a product with digital elements is not in conformity with the essential cybersecurity requirements, the importer must not place the product on the market until conformity is achieved.

Art. 19(2)
Importer

OBL-ART19-03 Binding

Label products with importer contact details

Importers must indicate their name, registered trade name or trademark, postal address, and where available their website or email address, on the product itself, on its packaging, or in a document accompanying the product.

Art. 19(3)
Importer

OBL-ART19-04 Binding

Ensure safe storage and transport conditions

While a product with digital elements is under the importer's responsibility, the importer must ensure that storage and transport conditions do not jeopardise its conformity with the essential cybersecurity requirements.

Art. 19(4)
Importer

OBL-ART19-05 Binding

Take corrective action and report significant cybersecurity risks

If an importer learns that a product they have placed on the market is not in conformity, they must immediately take corrective action — including withdrawal or recall if necessary. Where the product poses a significant cybersecurity risk, the importer must immediately notify the relevant national competent authority.

Art. 19(5)
Importer

OBL-ART19-06 Binding

Retain documentation for 10 years

Importers must keep a copy of the EU declaration of conformity or declaration of performance for 10 years after the product is placed on the market, and ensure that technical documentation can be made available to market surveillance authorities upon request.

Art. 19(6)
Importer

OBL-ART19-07 Binding

Cooperate with market surveillance authorities

Upon a reasoned request from a competent authority, importers must provide all information and documentation — in paper or electronic form — necessary to demonstrate the conformity of a product with digital elements. They must also cooperate on any corrective action required.

Art. 19(7)
Importer

OBL-ART20-01 Binding

Verify product conformity before making available on the market

When making a product with digital elements available on the market, distributors must act with due care and verify that the product bears the CE marking, is accompanied by the required documentation and information, and that the manufacturer and importer (if applicable) have complied with their labelling and identification obligations.

Art. 20(1)
Distributor

OBL-ART20-02 Binding

Do not make non-conforming products available on the market

Where a distributor considers or has reason to believe that a product is not in conformity with the CRA's essential requirements, the distributor must not make the product available on the market until conformity is achieved, and must notify the manufacturer and, where applicable, the market surveillance authority.

Art. 20(2)
Distributor

OBL-ART20-03 Binding

Ensure safe storage and transport conditions

Distributors must ensure that, while a product with digital elements is under their responsibility, storage and transport conditions do not jeopardise its conformity with the essential cybersecurity requirements.

Art. 20(3)
Distributor

OBL-ART20-04 Binding

Take corrective action and report significant cybersecurity risks

If a distributor learns that a product they have made available on the market is not in conformity, they must immediately take corrective action including withdrawal or recall if necessary. Where the product poses a significant cybersecurity risk, they must immediately notify the relevant national market surveillance authority.

Art. 20(4)
Distributor

OBL-ART20-05 Binding

Cooperate with market surveillance authorities

Upon a reasoned request from a competent authority, distributors must provide all information and documentation necessary to demonstrate the conformity of a product, and cooperate on any corrective action required by that authority.

Art. 20(5)
Distributor

OBL-ART22-01 Binding

Any person making a substantial modification and placing the product on the market becomes a manufacturer

Any natural or legal person — other than the original manufacturer, importer, or distributor — who carries out a substantial modification of a product and then makes it available on the market is treated as the manufacturer. That person is then subject to Articles 13 and 14 either for the affected part of the product or, if the modification affects the entire product's cybersecurity, for the whole product.

Art. 22(1), Art. 22(2), Art. 13 +1 more
Manufacturer, Importer, Distributor

OBL-ART23-01 Binding

Maintain supply chain traceability records and provide them on request

All economic operators must be able to identify, on request from market surveillance authorities, (a) any economic operator who supplied them with a product, and (b) any economic operator to whom they supplied a product. Records must be maintainable for 10 years from each transaction.

Art. 23(1), Art. 23(2)
Manufacturer, Importer, Distributor, Open-source steward

OBL-ART24-01 Binding

Establish and document a cybersecurity policy for open-source software

Open-source software stewards must put in place and document a cybersecurity policy that fosters the development of a secure product and enables effective handling of vulnerabilities in the open-source software components they support.

Art. 24(1)
Open-source steward

OBL-ART24-02 Binding

Notify actively exploited vulnerabilities and severe incidents

Open-source software stewards must notify the relevant CSIRT (computer security incident response team) designated as coordinator without undue delay of any actively exploited vulnerability contained in their open-source software components, as well as any severe incident affecting the security of those components.

Art. 24(2)
Open-source steward

OBL-ART24-03 Binding

Cooperate with market surveillance authorities

Open-source software stewards must cooperate with market surveillance authorities upon request and provide all information required for the performance of their regulatory tasks.

Art. 24(3)
Open-source steward

OBL-ART24-04 Binding

Draw up technical documentation on request

Upon request from market surveillance authorities, open-source software stewards must draw up and keep up-to-date technical documentation for the open-source software components they administer, sufficient to allow assessment of cybersecurity compliance.

Art. 24(4)
Open-source steward

OBL-ART28-01 Binding

Draw up an EU Declaration of Conformity containing all required information

Manufacturers must draw up an EU Declaration of Conformity (EU DoC) that follows the Annex V model structure and contains all specified elements. The EU DoC states that the product meets the applicable essential cybersecurity requirements. A simplified version (Annex VI) may accompany the product provided the full DoC is accessible online. The DoC must be updated whenever relevant changes occur.

Art. 28, Art. 13(12), Art. 13(20)
Manufacturer

OBL-ART31-01 Binding

Draw up and maintain technical documentation containing all Annex VII elements

Manufacturers must draw up technical documentation before placing a product on the market, and continuously update it (at least during the support period). The documentation must contain all elements listed in Annex VII, demonstrating how the product and the manufacturer's processes comply with the essential cybersecurity requirements in Annex I. It must be kept available to market surveillance authorities for at least 10 years or the support period.

Art. 31, Art. 13(12), Art. 13(13)
Manufacturer

OBL-ART32-01 Binding

Select and complete the correct conformity assessment procedure before placing the product on the market

Manufacturers must perform a conformity assessment demonstrating that both the product and the manufacturer's processes meet the Annex I essential requirements, before placing the product on the market. The required procedure depends on the product's classification: Module A self-assessment for default products, third-party assessment for important products in certain circumstances, and mandatory notified-body involvement for Class II important and critical products.

Art. 32(1), Art. 32(2), Art. 32(3) +1 more
Manufacturer
Obligations library — CRA Compliance Hub