EU Cyber Resilience Act Compliance: Secure Your Products With Digital Elements
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is the first EU-wide law that puts mandatory cybersecurity requirements directly on products. If you make, import, or sell hardware or software with digital elements in the EU, the CRA will apply to you, and it sets rules for the whole lifecycle of the product, from design through to the day you stop supporting it.
For Irish and EU SMEs that build connected devices, apps, or software, the CRA changes the question from "is our product secure enough" to "can we prove it, and can we keep proving it". ShieldIQ helps you assess your readiness against the CRA's six requirement domains in around fifteen minutes, then close the gaps before the 2026 and 2027 deadlines arrive.
Start your Cyber Resilience Act assessment →
What Is the Cyber Resilience Act?
The Cyber Resilience Act entered into force in December 2024 and sets horizontal cybersecurity requirements for "products with digital elements". A product with digital elements is any software or hardware product, and its remote data-processing solutions, whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. In plain terms: if it has code and it connects to something, it is in scope.
The CRA is built around a small number of core ideas:
- Security by design and by default: products must be designed, developed, and produced to be secure, with a risk assessment sitting behind every decision
- Essential cybersecurity requirements: a baseline set of properties every in-scope product must meet, such as no known exploitable vulnerabilities at release, secure default configuration, protection of data confidentiality and integrity, and a reduced attack surface
- Vulnerability handling: manufacturers must identify, document, and remediate vulnerabilities across the whole support period, and provide security updates
- Transparency: clear information for users on how to install updates, how long the product will be supported, and how to report issues
- Conformity assessment and CE marking: proof, before the product goes to market, that it meets the requirements, backed by a CE mark
- Incident and vulnerability reporting: fixed timelines for telling ENISA and your national CSIRT when something goes wrong
It replaces a patchwork of national rules and voluntary schemes with one obligation that follows the product across the single market.
Who Does the CRA Apply To?
The CRA places obligations on the economic operators along the supply chain, not just the original developer. You are likely in scope if you are a:
- Manufacturer: anyone who develops or produces a product with digital elements, or has one developed and markets it under their own name or trademark. Manufacturers carry the heaviest obligations, including the essential requirements, the conformity assessment, and the reporting duties.
- Importer: anyone placing a product with digital elements from a non-EU manufacturer onto the EU market. Importers must check that the manufacturer did the work, and must not place a non-compliant product on the market.
- Distributor: anyone in the supply chain, other than the manufacturer or importer, who makes the product available. Distributors must act with due care and check the CE mark and documentation are present.
Open-source software developed or supplied outside a commercial activity is largely outside scope, with a lighter regime for "open-source software stewards". A small number of product categories already covered by sector rules, such as certain medical devices, motor vehicles, and aviation products, are carved out and stay under their own regimes.
Crucially, the CRA does not exempt small businesses from the requirements. It does commit the Commission and member states to simplified technical documentation and guidance for SMEs and microenterprises, but the essential requirements still apply to your product.
The Key Obligations
Essential cybersecurity requirements
Every in-scope product must meet a baseline set of properties set out in Annex I. That means shipping with no known exploitable vulnerabilities, a secure-by-default configuration, the ability to be reset to a clean state, protection of the confidentiality and integrity of stored and transmitted data, processing only the data that is needed, and a minimised attack surface. You must base these choices on a documented cybersecurity risk assessment for the product.
Vulnerability handling and the SBOM
The CRA treats security as a lifecycle duty, not a launch-day checkbox. Across the defined support period, you must identify and document vulnerabilities, including by drawing up a software bill of materials (SBOM) covering at least the top-level dependencies. You must remediate vulnerabilities without delay, provide free security updates, run a coordinated vulnerability disclosure policy, and give users a single point of contact to report issues.
Conformity assessment and CE marking
Before you place a product on the market, you must demonstrate conformity. For most products this is a self-assessment against the requirements, backed by technical documentation and an EU declaration of conformity. For "important" and "critical" product classes, a stricter route applies, sometimes involving a notified body or a European cybersecurity certification scheme. Once you have shown conformity, you apply the CE mark, the same mark you already use for other product safety rules.
The Article 14 reporting timeline
When a product is affected, the clock starts. Under Article 14, manufacturers must notify both ENISA and the relevant national CSIRT of any actively exploited vulnerability, and of any severe incident affecting the security of the product, on a strict schedule:
- 24 hours: an early warning to the CSIRT and ENISA, flagging that an actively exploited vulnerability or severe incident has occurred
- 72 hours: a fuller notification with the details known so far, including any corrective or mitigating measures taken
- 14 days or one month: a final report. For an actively exploited vulnerability, a final report is due within 14 days of a corrective measure becoming available; for a severe incident, a final report is due within one month of the 72-hour notification
Meeting these deadlines under pressure is exactly where a structured incident process, with the timelines built in, saves you.
The Deadlines That Matter
The CRA entered into force in December 2024, but it applies in stages so businesses have time to prepare:
- Around mid-2026 (11 September 2026): the vulnerability and incident reporting obligations begin. From this date, manufacturers must comply with the Article 14 reporting timelines for actively exploited vulnerabilities and severe incidents.
- Around late 2027 (11 December 2027): the full set of obligations applies. From this date, products with digital elements placed on the EU market must meet the essential requirements, carry the CE mark based on a completed conformity assessment, and be backed by the vulnerability-handling processes and documentation the CRA demands.
The gap between now and those dates is the window to build the risk assessments, documentation, and update processes into how you work, rather than scrambling to retrofit them.
Common Challenges for SMEs
Most smaller product teams hit the same wall. They ship features fast, but they have no product-level cybersecurity risk assessment, no SBOM, and no coordinated way to receive and act on vulnerability reports. Security updates are ad hoc, the support period has never been defined, and nobody owns the reporting duty that the CRA now makes mandatory.
The CRA asks you to bring order to all of that: assess the product's risks, evidence the essential requirements, maintain an SBOM, define and honour a support period, run a disclosure policy, and be ready to report inside tight deadlines. Done manually, that is weeks of effort spread across engineering, security, and compliance. This is precisely the busywork ShieldIQ is designed to remove.
How ShieldIQ Helps You Meet the CRA
Gap analysis. ShieldIQ's AI scores your posture across the CRA's requirement domains, showing you a maturity level and a prioritised remediation plan against the essential requirements and vulnerability-handling duties.
Risk assessment. Document the product cybersecurity risk assessment that sits behind your design decisions, and feed the resulting risks into your risk register with treatment plans.
Asset and dependency visibility. Maintain an inventory that supports your SBOM and helps you track which dependencies carry which vulnerabilities.
Policy library. Editable coordinated vulnerability disclosure, secure development, and update-management policy templates aligned to the CRA.
Incident and vulnerability reporting. Built-in timelines for the Article 14 24-hour early warning, 72-hour notification, and 14-day or one-month final report, with AI-drafted notifications so you are not writing them from scratch mid-incident.
Evidence and executive reporting. Keep the technical documentation and decision records a market surveillance authority will ask to see, and generate board-ready reports on your CRA readiness in seconds.
Start your assessment, no card required →
The CRA and Other Frameworks
The Cyber Resilience Act does not stand alone. It reinforces, and is reinforced by, the frameworks ShieldIQ already covers:
- NIS2 compliance: the CRA secures the products; NIS2 secures the organisations that operate them, and both share incident-reporting discipline
- ISO 27001 compliance: your ISMS underpins the secure development and vulnerability-handling processes the CRA expects
- GDPR compliance: products that process personal data must satisfy GDPR alongside the CRA's data-protection-by-design requirements
- EU AI Act compliance: AI-enabled products can sit under both regimes, so aligning your governance saves duplicated effort
ShieldIQ covers all of these on a single platform, so your compliance work is additive, not duplicated.
Frequently Asked Questions
Does the CRA apply to my software if it is not a physical device?
Yes. The CRA covers products with digital elements, which explicitly includes standalone software as well as hardware. If your software is placed on the EU market as a commercial product and can connect to a device or network, it is very likely in scope. The main exceptions are software as a service, which is generally handled under NIS2 rather than the CRA, and open-source software supplied outside a commercial activity.
We are a small company. Are we exempt?
No. There is no blanket small-business exemption from the essential requirements. What the CRA does provide is proportionality and support: simplified technical documentation formats, guidance aimed at SMEs and microenterprises, and a lighter conformity route for most products. The obligations still apply, but they are meant to be achievable without a large compliance team, which is exactly the gap ShieldIQ fills.
What are the penalties for non-compliance?
They are significant. For breaches of the essential requirements or the manufacturer's core obligations, authorities can impose fines of up to 15 million euro or 2.5 percent of total worldwide annual turnover, whichever is higher. Lesser breaches and providing incorrect or misleading information carry lower but still substantial caps. Authorities can also order a product to be withdrawn or recalled from the market.
What is an SBOM and do we really need one?
A software bill of materials is a structured inventory of the components and dependencies in your product. The CRA requires manufacturers to draw up an SBOM covering at least the top-level dependencies as part of vulnerability handling, because you cannot patch a vulnerable component you do not know you are shipping. Maintaining an SBOM also makes the Article 14 reporting far faster when a dependency is found to be exploited.
When do we actually have to be ready?
In two steps. The reporting obligations under Article 14 apply from around September 2026, so your vulnerability and incident reporting process needs to be live by then. The full requirements, including the essential requirements, conformity assessment, and CE marking, apply from around December 2027 for products placed on the market. Starting your gap assessment now gives you the runway to build these into your product lifecycle calmly.
Start your Cyber Resilience Act assessment, no card required →