In the first blog post of our CRA series, we examined the scope of the Cyber Resilience Act (Regulation (EU) 2024/2847, the CRA), identifying the affected products and economic operators. This second post focuses on how to comply.
The CRA imposes obligations throughout the lifecycle of products with digital elements (PDEs). This post is structured around three phases of the PDE lifecycle: (1) design and development, (2) pre-market conformity assessment, and (3) post-market obligations. It concludes with an overview of the obligations of importers and distributors.
Phase 1: Design and development
- Essential cybersecurity requirements
The essential cybersecurity requirements set out in Annex I form the core of the CRA’s regulatory approach. They establish horizontal, objective-oriented, and technology-neutral obligations for PDEs, and are divided into two parts as outlined below: Part I relates to the properties of the PDE itself; Part II to the manufacturer’s vulnerability handling processes.
| Part I – Properties of PDEs | Part II – Vulnerability handling |
|---|---|
| Design PDEs with appropriate cybersecurity based on identified risks | Identify and document components and vulnerabilities, including a Software Bill of Materials (SBOM), a structured inventory of all software components and dependencies in the PDE |
| No known exploitable vulnerabilities when placed on the market | Remediate vulnerabilities without delay, including through security updates |
| Secure by default configuration | Apply effective and regular security tests and reviews |
| Ensure vulnerabilities can be addressed through security updates | Publish information about fixed vulnerabilities once a security update is available (with limited delay where justified on security grounds) |
| Prevent unauthorised access through appropriate controls (e.g. authentication) | Put in place and enforce a coordinated vulnerability disclosure policy |
| Protect data confidentiality (via encryption where appropriate) | Provide a reporting contact point and facilitate vulnerability information sharing, including for third-party components |
| Protect the integrity of processed data against unauthorised manipulation or modification | Provide mechanisms to securely distribute updates, including automatic distribution where applicable |
| Limit data processing to what is necessary for the intended purpose (data minimisation) | Disseminate security updates without delay and, by default, free of charge, with user advisories |
| Protect the availability of essential and basic functions, including after an incident | |
| Limit the potential negative impact of the PDE on other devices or networks | |
| Limit attack surfaces | |
| Use exploitation mitigation techniques to reduce the impact of incidents | |
| Enable security logging and monitoring, with user opt-out | |
| Enable secure data deletion and secure transfer to other products or systems | |
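Two of the requirements above, the SBOM in Part II and the "no known exploitable vulnerabilities" condition in Part I, are usually wired together in engineering practice: the inventory is what you cross-reference against advisories before a release. The following Python example is added here to illustrate that flow; it is not code from the original post or from any CRA tooling. It builds a small CycloneDX-style inventory (a hand-written subset of that format, assumed here), matches it against a constructed advisory feed, applies a release gate that blocks only on known-exploited findings, and shows the gate clearing after a component update. All component names, versions and advisory identifiers are constructed for illustration.

```python
"""Added example: SBOM inventory plus a known-exploitable-vulnerability gate.

Every component, version and advisory below is constructed for illustration;
the advisory ids are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str  # third-party origin does not shift responsibility off the manufacturer


@dataclass(frozen=True)
class Advisory:
    component: str
    affected: tuple        # exact versions known to be affected (toy matching, no ranges)
    advisory_id: str
    known_exploited: bool  # whether exploitation in the wild is known
    fixed_in: str


def build_sbom(product: str, product_version: str, components: list) -> dict:
    """Produce a CycloneDX-like dict (assumed subset of the real schema)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": product, "version": product_version}},
        "components": [
            {"type": "library", "name": c.name, "version": c.version,
             "supplier": {"name": c.supplier}}
            for c in components
        ],
    }


def find_vulnerable(sbom: dict, advisories: list) -> list:
    """Cross-reference each SBOM component against the advisory feed."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv.component == comp["name"] and comp["version"] in adv.affected:
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv.advisory_id,
                    "known_exploited": adv.known_exploited,
                    "fixed_in": adv.fixed_in,
                })
    return findings


def market_placement_gate(findings: list) -> tuple:
    """Return (passes, blocking_findings).

    Simplification assumed here: only known-exploited findings block release;
    the rest still have to be remediated without delay under Part II.
    """
    blocking = [f for f in findings if f["known_exploited"]]
    return (len(blocking) == 0, blocking)


def apply_update(components: list, name: str, new_version: str) -> list:
    """Return a new component list with one dependency bumped (the remediation step)."""
    return [Component(c.name, new_version, c.supplier) if c.name == name else c
            for c in components]


# Constructed sample inventory and advisory feed.
SAMPLE_COMPONENTS = [
    Component("libparse", "2.3.1", "Example Parsing Ltd"),
    Component("tlsstack", "1.0.4", "Example Crypto GmbH"),
    Component("logfmt", "0.9.0", "Example Logging Co"),
]
SAMPLE_ADVISORIES = [
    Advisory("libparse", ("2.3.0", "2.3.1"), "EXAMPLE-ADV-0001", True, "2.3.2"),
    Advisory("logfmt", ("0.9.0",), "EXAMPLE-ADV-0002", False, "0.9.1"),
]


def run_release_check(components: list) -> dict:
    """Build the SBOM, scan it, and evaluate the gate for one candidate build."""
    sbom = build_sbom("example-gateway", "1.4.0", components)
    findings = find_vulnerable(sbom, SAMPLE_ADVISORIES)
    passes, blocking = market_placement_gate(findings)
    return {"sbom": sbom, "findings": findings, "passes": passes, "blocking": blocking}


if __name__ == "__main__":
    before = run_release_check(SAMPLE_COMPONENTS)
    print("gate passes before update:", before["passes"], "blocking:", before["blocking"])
    after = run_release_check(apply_update(SAMPLE_COMPONENTS, "libparse", "2.3.2"))
    print("gate passes after update:", after["passes"], "open findings:", after["findings"])
```

Exact-version matching is deliberately crude; a real pipeline would match version ranges from a vulnerability database and carry the SBOM into the technical documentation file so the inventory and the scan result are kept up to date over the support period.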
- Document a cybersecurity risk assessment
One of the key documentation obligations is for manufacturers to prepare a cybersecurity risk assessment early in a PDE’s development. This is because the outcome must inform the planning, design, development, production, delivery and maintenance of the PDE. The assessment should consider the intended purpose, reasonably foreseeable use, operational environment, assets requiring protection, and expected use time of the PDE, and map the essential cybersecurity requirements onto the PDE, explaining how each one is met and justifying any deemed inapplicable. The full assessment is then to be included in the technical documentation.
- Define a support period
During development, manufacturers must also define a support period to ensure the PDE’s continued compliance with essential cybersecurity requirements. This support period should reflect the time the PDE is expected to be in use and be at least five years from the product’s market placement, unless the expected use time is shorter. Where technically feasible, the end date of the support period must be communicated at the time of purchase, and users should be notified when the PDE reaches the end of its support period.
- Build technical documentation alongside development
Manufacturers are further required to create and maintain a comprehensive technical documentation file to demonstrate product conformity. This file must be finalised before the PDE is placed on the market and kept up to date throughout the support period.
As outlined in Annex VII, the documentation must include the following:
- a general description of the PDE.
- design and development information (like system architecture).
- production and monitoring processes.
- the cybersecurity risk assessment.
- the rationale for the defined support period.
- vulnerability handling processes.
- details of relied-upon standards, specifications, or solutions.
- testing reports.
- a copy of the EU declaration of conformity.
- the SBOM.
In practice, manufacturers should begin compiling this documentation at the development stage.
- Consider third-party components
Even when a PDE incorporates third‑party components, manufacturers retain full responsibility for the PDE’s overall cybersecurity. This requires due diligence in component selection and integration, continuous visibility over dependencies, and the ability to remediate any vulnerabilities in those components. This is particularly important where the integrated third-party components themselves qualify as PDEs subject to the CRA.
Phase 2: Pre-market conformity assessment
Before a PDE can be placed on the Union market, manufacturers must formally demonstrate its compliance with the essential cybersecurity requirements through an applicable conformity assessment procedure. They must then affix the CE marking and issue the EU declaration of conformity. The available conformity assessment procedures depend on the PDE’s classification.
- Classification of PDEs
The CRA categorises PDEs according to their core functionality. The categories are:
- Default: any PDE not listed as Important or Critical.
- Important, Class I (Annex III): includes identity management systems, password managers.
- Important, Class II (Annex III): includes firewalls and intrusion detection systems.
- Critical (Annex IV): includes security-focused products such as hardware devices with security boxes, smart meter gateways and smartcards.
To support classification, the EU Commission has adopted an Implementing Regulation providing detailed technical descriptions for the Important and Critical categories.
- Conformity assessment procedures
Drawing from the EU product safety framework for conformity assessments, the CRA incorporates four conformity assessment procedures.
- Module A (internal control) allows manufacturers to self-assess conformity and issue the EU declaration of conformity.
- Module B (EU-type examination) involves a notified body assessing a PDE’s design against the essential cybersecurity requirements based on the technical documentation and a representative model (the “type”). Module B is always paired with Module C.
- Module C (conformity to type based on internal production control) requires the manufacturer to ensure production aligns with the type approved under Module B. In other words, Module B covers third-party assessment of the design; Module C covers the manufacturer’s own control of production against the approved design.
- Module H (full quality assurance) mandates that the manufacturer operate and maintain a documented quality management system for design, development, and production, which a notified body audits and keeps under surveillance for ongoing effectiveness.
| PDE category | Conformity assessment procedure |
|---|---|
| Default | Manufacturer self-assessment (Module A) |
| Important Class I | Manufacturer self-assessment for requirements covered by applicable technical instruments (Module A); for requirements not covered (because the instruments do not exist, or they are not applied), third-party conformity assessment by a notified body (Modules B + C, or Module H) |
| Important Class II | Third-party conformity assessment by a notified body (Modules B + C, or Module H); alternatively, if available, an EU cybersecurity certification scheme may be used |
| Critical | EU cybersecurity certification may be made mandatory for a product category via delegated act; if there is no mandatory certification, third-party conformity assessment (Modules B + C, or Module H) |
Article 32 of the CRA specifies the conformity assessment procedures for each PDE category, with higher classifications demanding increased independent third-party involvement.
- Technical instruments supporting conformity
The CRA’s high-level essential cybersecurity requirements, which are designed to be applicable to all PDE categories, will be made operational through specific technical instruments. These instruments include harmonised standards, EU Commission common specifications, and EU cybersecurity certification schemes (established under the EU Cybersecurity Act). They will provide concrete technical solutions and establish a presumption of conformity for the requirements they cover.
The availability of these instruments determines which conformity assessment module a manufacturer can use.
- For Important Class I PDEs in particular, manufacturer self-assessment (Module A) is only available where the relevant requirements are covered by applicable technical instruments.
- For Important Class II and Critical PDEs, EU cybersecurity certification may (and in specific cases, must) be used as an alternative conformity assessment route.
For many PDE categories, the relevant technical instruments may not yet exist, as standardisation work is ongoing. The EU Commission’s timeline anticipates the first deliverables in Q3 2026, with subsequent deliverables due by 30 October 2027. Priority is being given to “important” and “critical” PDE categories.
Phase 3: Maintenance – post-market
Post‑market obligations apply throughout the support period defined by the manufacturer, with limited obligations that may extend beyond this period. These obligations require manufacturers to provide security updates and manage vulnerabilities, as well as comply with the CRA’s reporting requirements.
- Security updates and vulnerability handling
Manufacturers must remediate vulnerabilities without delay, including through security updates. Key points include:
- Security updates must be disseminated without delay and, by default, free of charge, accompanied by user advisories.
- Each update must remain available for at least 10 years after issuance, or for the remainder of the support period, whichever is longer.
- For software with later substantially modified versions, manufacturers may focus remediation on the latest version in defined circumstances.
- Where public software archives are maintained, users must be clearly informed of the risks of using unsupported software.
- Reporting of exploited vulnerabilities and severe incidents
From 11 September 2026, manufacturers must notify, via the EU single reporting platform, (i) actively exploited vulnerabilities and (ii) severe incidents impacting the security of the PDE. This reporting obligation applies to all in-scope PDEs on the market, including those placed on the market before the CRA’s main application date of 11 December 2027.
The CRA imposes a staged reporting timeline:
- Actively exploited vulnerabilities:
- early warning within 24 hours of becoming aware.
- follow-up notification within 72 hours.
- final report no later than 14 days after a corrective or mitigating measure becomes available.
- Severe incidents:
- early warning within 24 hours.
- follow-up within 72 hours.
- final report within one month.
Manufacturers must also inform impacted users and provide guidance on risk mitigation and any available corrective measures.
Obligations of importers and distributors
Although the CRA primarily affects manufacturers, importers and distributors have distinct, albeit more limited, responsibilities that reflect their roles in the supply chain.
As the initial entry point for PDEs into the Union market, importers must verify that manufacturers have completed conformity assessments and that all necessary compliance documentation is in place before placing a PDE on the market. Importers must also add their contact details for traceability purposes, retain the documents required by market surveillance authorities, and refrain from marketing non-compliant PDEs, while supporting corrective actions. Furthermore, they must notify manufacturers of any vulnerabilities discovered and escalate significant cybersecurity risks to the relevant authorities.
Distributors, operating further down the supply chain, have narrower obligations. Before supplying a PDE, they must ensure that the required compliance information accompanies the product. If they have any doubts about a product’s compliance, they must withhold supply and support corrective measures. Like importers, distributors must communicate cybersecurity concerns to manufacturers and cooperate with relevant authorities.
For CRA purposes, both importers and distributors can “become” manufacturers if they place a PDE on the market under their own name or trademark or make a substantial modification.
***
In the final post of our series, we will explore the CRA’s enforcement mechanisms, including the powers of market surveillance authorities and the applicable penalties for non-compliance.