What is the Cyber Resilience Act?

Alexis Hirschhorn· CEO, Acuna16 July 2026

Direct answer

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first EU-wide horizontal cybersecurity law for products with digital elements — hardware and software — covering their whole lifecycle. It requires manufacturers to make products secure by design, handle vulnerabilities, maintain an SBOM, and report incidents, and it carries penalties of up to EUR 15 million or 2.5 % of global turnover.

Key Facts

  • First EU-wide horizontal cybersecurity law for products with digital elements (Art. 1).
  • Covers hardware, software and remote data-processing solutions integral to the product.
  • Core obligations: secure by design · free of known exploitable vulnerabilities · SBOM · vulnerability handling · 24h/72h/14-day incident reporting.
  • CE marking becomes evidence of CRA conformity.
  • Penalties: up to EUR 15 million or 2.5 % of total worldwide annual turnover, whichever is higher (Art. 64).
  • Full application from 11 December 2027; reporting obligations from 11 September 2026 (Art. 71).

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the first EU-wide law that sets mandatory cybersecurity requirements for products with digital elements across their whole lifecycle (Art. 1). It covers both hardware and software, and it extends to remote data-processing solutions that a connected product needs to perform a core function. What it changes is where responsibility sits. Before the CRA, the cybersecurity of a product was largely left to the buyer. The CRA moves that obligation onto the manufacturer: a product with digital elements may only be placed on the EU market if it meets the essential requirements in Annex I and the manufacturer has carried out the appropriate conformity assessment. The CE marking on the product becomes evidence that both conditions are met. The essential requirements cover two dimensions: what the product must be (secure by design and by default, free of known exploitable vulnerabilities, minimal attack surface) and what the manufacturer must do (run a vulnerability-handling process, provide security updates across the support period, maintain an SBOM, report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours). For a security or compliance team, the CRA is best read alongside, not instead of, NIS2 and DORA. NIS2 governs the cybersecurity of your organisation; DORA governs the ICT risk of financial entities; the CRA governs the security of the products you place on the market. Many organisations are subject to all three, and the vulnerability-handling, risk and evidence work overlaps enough that a single control set is more efficient than three silos.

What's next

See how Acuna handles this