Navigating the EU Cyber Resilience Act: What You Need to Know
The EU Cyber Resilience Act (CRA) has been in the works for a few years: it was introduced to the European Union (EU) in September 2022 and entered into force in December 2024. The law is designed to require a baseline level of cybersecurity controls in products with digital components sold within the EU.
At a high level it includes the following requirements:
- Cybersecurity requirements.
- Vulnerability handling requirements.
- Communication requirements.
But does it impact your product?
Does the CRA Apply to My Product?
First off, if your organization has no products sold in the EU, and has no plans to do so, then you can close this blog post (or keep reading if you’re into this kind of thing).
The CRA’s scope generally applies to hardware and software that can establish an external network connection, with a couple of exceptions. See the table below for details:
What is in the CRA?
The regulation, which goes into effect 11 December 2027, defines a number of requirements around cybersecurity, reporting, and attestation.
See the table below for an overview of each requirement:
Is my Product a Class I or Class II Product?
Recall from the table above that the key difference between Class I and Class II Products from a compliance standpoint is that Class II Products are required to undergo third-party assessments by a notified body to verify compliance.
The table below provides some guidelines to help you understand where your product may fall.
Determining the correct classification can be complex, particularly when your product’s use case or deployment environment varies. For example, products like routers may fall under either Class I or Class II depending on whether they are intended for consumer or industrial use.
For a more detailed list of Class I and II products, please reference Annex III of the CRA.
Is My Product Compliant With CRA?
For many organizations, achieving compliance with the CRA may not require starting from scratch. If your organization has already adopted widely recognized frameworks such as NIST CSF, ISO/IEC 27002, or CIS Controls, you are likely addressing many of the foundational requirements outlined in the CRA. The matrix below illustrates how the key control areas of the CRA align with these frameworks, offering a streamlined path to compliance.
What if my Product Fails to Comply?
National authorities, with the support of ENISA (European Union Agency for Cybersecurity), are responsible for overseeing and enforcing compliance with the CRA. They have the authority to investigate non-compliance, conduct audits, request technical documentation, and mandate corrective actions. In severe cases, they can restrict or ban non-compliant products from the EU market altogether.
The financial penalties for failing to comply can be steep. Organizations may face fines of up to 2.5% of their annual global turnover or €15 million, whichever is higher. Beyond fines, non-compliance can lead to operational disruptions by way of product recalls or redesigns, and to market exclusion, which can disrupt supply chains and business continuity.
To mitigate these risks and ensure compliance, VerSprite’s Integrated Risk Management (IRM) team can help identify gaps in your current practices, map your processes to CRA requirements, and build tailored remediation plans. Additionally, our vCISO services provide the strategic and operational leadership needed to maintain compliance over time, ensuring your organization is prepared to adapt to regulatory changes and evolving cybersecurity risks.
Key Dates
The below timeline illustrates key dates for the CRA: