Cyber Insights – Silverskin

The EU Cyber Resilience Act (CRA) – What organizations need to know

Written by Silverskin | 6 / 2026

Digitalization has introduced immense opportunities, but it has also opened doors to cyber threats. Until now, the cybersecurity of many network-connected devices and software components has largely depended on the goodwill of the manufacturer. The EU's Cyber Resilience Act (Regulation (EU) 2024/2847), or CRA, is changing the rules permanently.

The CRA is a new EU-wide regulatory framework that establishes mandatory cybersecurity requirements for all products with digital elements. The regulation entered into force on December 10, 2024, and its implementation will progress in phases through 2027.

NOTE: In Finland, the Government has submitted a proposal for the national implementation of the CRA, defining the specific and supplementary regulations required under national law.

Which products fall under the scope of the CRA and which do not?

The CRA applies to all hardware and software products that have, or are intended to have, a direct or indirect digital or network connection, including:

  • IoT devices and smart appliances

  • Industrial automation and control systems

  • Software and embedded systems

  • Components sold separately for the above

The CRA does not apply to:

  • Products developed exclusively for national security or defense purposes

  • Medical devices and other products already regulated under sector-specific EU frameworks

  • Pure cloud services (SaaS/PaaS/IaaS), unless they are essential for the product’s functionality

  • Non-commercial open-source software (with certain exceptions)

What requirements does the CRA impose?

The requirements introduced by the CRA for manufacturers and organizations are divided into three tiers:

(a) Essential Requirements for All Products

The manufacturer must ensure the following throughout the product's lifecycle:

  • Security by design and development
  • Secure default configurations (security by default)
  • Protection against vulnerabilities and cyberattacks
  • Secure update mechanisms and vulnerability handling processes

(b) Risk-Based Classification (Class I & II)

Higher-risk products, such as identity management systems, firewalls, and operating systems, require a third-party conformity assessment.

(c) Vulnerability Reporting

Time is now critical for both security and compliance. Manufacturers must report significant vulnerabilities and cybersecurity incidents to authorities within strict timeframes:

  • Early Warning: Within 24 hours of detecting the incident.
  • Incident Notification: Within 72 hours.
  • Final Report: Generally within one month of the initial notification.

Timeline for the CRA

The obligations of the regulation will come into effect progressively to allow organizations time to adapt:

  • December 10, 2024 – Regulation officially entered into force.
  • June 11, 2026 – Registration of notified conformity assessment bodies begins.
  • September 11, 2026 – Vulnerability reporting obligations become applicable.
  • December 11, 2027 – Full application takes effect. After this date, only products compliant with CRA requirements can be placed on the EU market.

Obligations of Market Operators

The CRA affects the entire supply chain, establishing clear responsibilities for different actors:

  • Manufacturers: Must draw up an EU declaration of conformity, affix the CE marking to the product, and maintain vulnerability management throughout the product's lifecycle. Security updates must remain available for at least the expected lifetime of the product.
  • Importers and Distributors: Must actively verify that products imported into or distributed within the EU market comply with the CRA before they are made available.

How to bring a CRA-compliant product to market

When preparing a product for the EU market, the process involves the following phases:

  1. Classification of Risk: Determine whether the product falls into the default category or the more critical Class I or Class II categories.
  2. Conformity Assessment: Perform either an internal self-assessment or use a designated third-party notified body, depending on the risk classification.
  3. Compilation of Technical Documentation: Document all security processes and solutions precisely.
  4. EU Declaration of Conformity: Draw up the official declaration.
  5. CE Marking: Affix the CE mark to the product, indicating compliance with EU cybersecurity requirements.
  6. Continuous Lifecycle Management: Transition to ongoing vulnerability management and mandatory reporting frameworks.

Consequences of Non-Compliance

Failure to comply with the regulation can result in severe consequences for organizations:

  • Financial Penalties: Non-compliance with the CRA can lead to administrative fines of up to €15 million or 2.5% of the global annual turnover, whichever is higher.
  • Operational Barriers and Management Liability: Risks include product bans, mandatory recalls from the market, and potential management liability under national legislation (which will be further specified in Finland following the Government's proposal).
  • Reputational Damage and Liability for Damages: Deficient cybersecurity poses a significant reputational risk and erodes customer trust. Furthermore, manufacturers may face direct liability for damages caused by non-compliant products.

Further Information and Useful Links

In Finland, the National Cyber Security Centre (NCSC-FI) at Traficom provides guidance and official information regarding the CRA. Explore the topic further through the following sources:

How is your organization preparing for the CRA requirements?

Get in touch with us using the form below. Let’s have a low-pressure chat about what the regulation means specifically for your products or operations.