
CRA

What is the Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act, Regulation (EU) 2024/2847, is the first horizontal cybersecurity framework for products with digital elements placed on the EU single market. It obliges manufacturers, importers and distributors to ensure cybersecurity across the entire product lifecycle: from design and development to vulnerability management, security updates and the reporting of actively exploited vulnerabilities and severe incidents. Unlike the NIS2 Directive, the CRA takes the form of a directly applicable regulation and does not require transposition into national law.

The CRA in the EU: Entry into Force and Deadlines

The regulation was published in the Official Journal of the EU on 20 November 2024 and entered into force on 10 December 2024. The substantive obligations apply in two staged dates, not all at once:

  • 11 September 2026: reporting obligations: manufacturers must report actively exploited vulnerabilities and severe security incidents affecting their products to the competent CSIRTs via the ENISA single reporting platform.
  • 11 December 2027: full applicability: all requirements from Annex I (essential cybersecurity requirements) as well as the obligations relating to conformity assessment and CE marking apply in full. From this date, products with digital elements may only be placed on the EU market if they meet the CRA requirements.

In Germany, the BSI accompanies implementation and provides the Technical Guideline BSI TR-03183 with concrete specifications on general requirements, the Software Bill of Materials (SBOM) and procedures for vulnerability reporting (BSI: Cyber Resilience Act).

At SCHUTZWERK we understand the transformative impact of the CRA and the associated challenges for product development and the integration of required security practices. Our team of security experts provides comprehensive support for implementing the CRA’s requirements, from initial threat and risk assessments to ongoing compliance maintenance. We help manufacturers and distributors not only to meet the CRA requirements, but also to build robust security practices that withstand targeted and specialised attacks, thereby strengthening product quality and user trust.

Objective

Support in implementing and maintaining compliance with the EU Cyber Resilience Act through specialized security assessments


Question

How can we effectively meet the requirements of the Cyber Resilience Act?


Scope

Products with digital elements within the scope of CRA requirements

Comprehensive CRA Framework

The Cyber Resilience Act establishes a comprehensive framework for product security, focusing on several key areas that manufacturers and distributors must address to ensure product compliance and establish a consistent level of security for approved products. This framework represents a significant advancement in product security regulation, requiring organizations to implement robust security measures throughout the product lifecycle.

Security by Design and Default

The CRA mandates that cybersecurity must be considered from the earliest stages of product design and development. We support organizations by providing initial threat and risk analysis and advice on defining appropriate security requirements, designing secure architectures and implementing appropriate security mechanisms. Our approach ensures that security mechanisms are built into products from the ground up, rather than being added as an afterthought.

With our dedicated Embedded Security Team and specialized laboratory for IoT and embedded systems, we provide manufacturers with in-depth hardware and firmware security analysis capabilities. This specialized expertise is particularly valuable for CRA compliance, as we can perform advanced testing techniques such as hardware penetration testing, firmware analysis, side-channel analysis, and reverse engineering – critical for identifying security vulnerabilities that standard software testing might miss.

Vulnerability Management

Effective vulnerability management is a cornerstone of CRA compliance. We assist organizations in establishing comprehensive vulnerability management processes, including vulnerability assessment, prioritization, and remediation procedures. Our expertise helps ensure that security issues are identified and addressed throughout the product lifecycle.

Incident Response and Reporting

The CRA requires manufacturers to implement robust incident response capabilities and meet specific reporting obligations. We help organizations develop efficient incident management processes, including detection mechanisms, response procedures, and reporting protocols that meet regulatory requirements while minimizing business impact.

Supply Chain Security

Security of the supply chain is crucial under the CRA. We support organizations in implementing secure supply chain practices, including vendor assessment, component verification, and secure integration processes. Our approach helps ensure the integrity and security of all components used in digital products.

Documentation and Compliance

The CRA introduces specific documentation requirements to demonstrate conformity. We assist organisations in developing and maintaining the required documentation, including technical files, conformity assessments, and user documentation. Our expertise helps ensure that all requirements are met efficiently and completely.

Scope: Products with Digital Elements and Product Classes

The CRA applies to products with digital elements (software and hardware) whose intended use entails a direct or indirect logical or physical data connection to a device or network. An estimated 90 % of in-scope products fall into the default category with conformity assessment carried out by the manufacturer itself; for more safety-critical products, the CRA prescribes stricter procedures:

Product class | Examples (non-exhaustive) | Conformity assessment
Default category | The majority of products with digital elements, e.g. smart home devices, wearables, general-purpose application software without a dedicated security function | Manufacturer conformity assessment (internal production control)
Important Class I (Annex III) | Security-relevant products with mass-market distribution, e.g. password managers, standard browsers, home routers, VPN and antivirus products | Manufacturer conformity assessment under harmonised standards; alternatively involving a notified body
Important Class II (Annex III) | More safety-critical products, e.g. hypervisors, container-runtime systems, firewalls and intrusion detection systems for industrial use, publicly accessible PKI components | Conformity assessment involving a notified body
Critical (Annex IV) | A small number of particularly critical products, e.g. hardware security modules (HSM), smart-meter gateways, security-critical smartcards | Mandatory certification under a European cybersecurity scheme established under the EU Cybersecurity Act (Regulation (EU) 2019/881)

Annex III lists the Important Class I and Class II products exhaustively; Annex IV names the critical products. Where a product is not assigned to any of these classes, it falls in the default category. The lists may be updated by Commission delegated acts.

Explicitly out of scope are products already covered by equivalent sector-specific regulation: medical devices (Regulations (EU) 2017/745 and 2017/746), motor vehicles in the type-approval regime (UNECE R155 in conjunction with Regulation (EU) 2019/2144), civil aviation products (Regulation (EU) 2018/1139), marine equipment (Directive 2014/90/EU), and products developed exclusively for defence or national security purposes or for processing classified information. Pure Software-as-a-Service offerings without an associated product with digital elements are also not in scope.

If you need a formal legal assessment beyond the technical classification (for example to delineate between the default category and Important Class I/II, to clarify a sector-specific exemption (medical device, motor vehicle, civil aviation), or to present to your management board, supervisory board or a market surveillance authority), we can include, on request, a legal opinion on CRA scope and product classification by a lawyer specialised in IT and cybersecurity regulation.

Background: in Germany, the Rechtsdienstleistungsgesetz (RDG) reserves the provision of legal advice for admitted lawyers. In practice, a well-founded CRA scope determination requires both a technical analysis of the product and its digital elements and a legal evaluation, and the usual setup (your technical consultant going back and forth with your external lawyer, often with you as an intermediary) is slow and lossy.

Our model: we work with a law firm specialised in regulatory and IT law whose lawyer can act directly as part of our project team and, on request, be billed through SCHUTZWERK; no additional vendor needs to be set up or onboarded on your side. The legal advice itself is delivered in an RDG-compliant manner on the basis of a client mandate agreement (“Mandatsvereinbarung”) between you and the law firm directly, so the opinion is clearly documented and cleanly embedded in your SCHUTZWERK engagement. Outcome: a single consolidated technical-legal CRA scope and product-classification opinion from one point of contact, with no whisper-down-the-lane between consultants.

Frequently Asked Questions About the Cyber Resilience Act

The CRA imposes obligations on manufacturers, importers and distributors of products with digital elements placed on the EU single market. In scope are all products whose intended use entails a direct or indirect logical or physical data connection to a device or network: from smart home devices through general-purpose software to industrial control systems. An estimated 90 % of in-scope products fall into the default category with conformity assessment by the manufacturer itself; more safety-critical products are classified as Important Class I and Class II (Annex III) or as Critical (Annex IV), each subject to stricter assessment procedures. Products already covered by sector-specific regulation (medical devices (MDR/IVDR), motor vehicles (UNECE R155 in conjunction with Regulation (EU) 2019/2144) and civil aviation products) are out of scope, as are pure SaaS offerings without an associated product.

Regulation (EU) 2024/2847 was published in the Official Journal of the EU on 20 November 2024 and entered into force on 10 December 2024. The substantive obligations apply in stages: from 11 September 2026, reporting obligations for actively exploited vulnerabilities and severe security incidents take effect, channelled through the ENISA single reporting platform. From 11 December 2027, all requirements from Annex I (essential cybersecurity requirements) as well as the obligations relating to conformity assessment and CE marking apply. From this date, products with digital elements may only be placed on the EU market if they meet the CRA requirements.

The CRA recognises four categories: the default category (estimated 90 % of in-scope products) allows conformity assessment by the manufacturer itself via internal production control. Important Class I and Important Class II are listed exhaustively in Annex III; Class I (e.g. password managers, standard browsers, home routers) permits self-assessment under harmonised standards, while Class II (e.g. hypervisors, industrial firewalls, publicly accessible PKI components) requires the involvement of a notified body. Critical products in Annex IV (e.g. HSMs, smart-meter gateways, security-critical smartcards) require mandatory certification under a European cybersecurity scheme established under the EU Cybersecurity Act (Regulation (EU) 2019/881). The lists of Important and Critical products may be updated by Commission delegated acts.

Annex I of the CRA sets out the core requirements for products with digital elements. They cover, among others, security by design and by default, protected authentication and access control, protection of the confidentiality and integrity of stored and transmitted data, secure default configuration, minimisation of the attack surface, secure update mechanisms, and logging of security-relevant events. Part II of Annex I additionally describes requirements for vulnerability handling across the lifecycle, including a documented coordinated vulnerability disclosure policy, the provision of security updates for the defined support period, and the requirement to maintain a Software Bill of Materials (SBOM) for the components contained in the product. The BSI Technical Guideline TR-03183 provides practical guidance on these requirements.

Violations of the essential cybersecurity requirements in Annex I and of the core obligations of economic operators may be sanctioned under Article 64 CRA with fines of up to €15 million or 2.5 % of global annual turnover (whichever is higher). For violations of other provisions, the CRA provides for staged lower fine ranges. In the event of non-conformity, market surveillance authorities may additionally order corrective measures, withdraw products from the market or issue sales and import bans. The specific sanctions are imposed by national authorities; in Germany, market surveillance is expected to fall to the BSI and the Bundesnetzagentur, depending on the product category and any radio interface.

From Product Classification to Conformity: CRA Support by SCHUTZWERK

The CRA itself does not prescribe specific methods. The requirements of Annex I can in practice be mapped to established product-security standards. For technical implementation, the most relevant reference frameworks are IEC 62443 (Industrial Automation and Control Systems Security, with IEC 62443-4-1 for secure product development and IEC 62443-4-2 for component requirements), ETSI EN 303 645 (Cyber Security for Consumer IoT), and ISO/IEC 27001 (information security management for the manufacturer’s development process). SCHUTZWERK supports CRA-affected manufacturers along these standards with long-standing experience in embedded and IoT security and certified ISO 27001 Lead Auditors.

A typical CRA package consists of four building blocks that build on each other and can be commissioned individually or as a single engagement:

  1. Scope determination and product classification: assignment of the product to the default category, Important Class I/II or Critical (Annex III/IV) including delineation against sector-specific regimes (MDR/IVDR, UNECE R155, civil aviation, marine equipment); optionally extended with a formal legal opinion via our specialised law firm partner (see section above).
  2. Position assessment: product-level threat and risk assessment along IEC 62443-3-2 or ETSI EN 303 645, together with a gap analysis of existing product and development security against the essential requirements in Annex I CRA.
  3. Technical assessment: focused penetration tests and embedded security assessments to validate implemented security measures, including firmware and hardware security analysis in our specialised embedded laboratory.
  4. Implementation support and ongoing operations: setup and operation of the product security process including coordinated vulnerability disclosure, SBOM maintenance and update pipeline; on request embedded in an information security management system (ISMS) under ISO/IEC 27001.

Which building blocks are required and in what depth depends on the product class, existing development processes and the time-to-market of your products.

Our Services

Threat and Risk Assessment

We develop relevant threat scenarios for the product and evaluate the resulting risks in order to subsequently derive appropriate security requirements and measures for the product.

Product Security Assessment

Our comprehensive security assessments help identify vulnerabilities in your products and systems. We provide detailed insights and practical recommendations for improvement.

Secure Development

We help you implement secure development practices and processes that meet CRA requirements.

Penetration Testing

Our specialized penetration testing services help assess the security of your products and identify potential vulnerabilities.

Security Architecture

We help design and implement secure architectures that meet CRA requirements while maintaining efficient development processes.

Implementation Approach

Our approach to CRA implementation combines technical expertise with practical experience in product security. We work closely with your team to:

  1. Assess your current product security practices against CRA requirements
  2. Develop a tailored implementation roadmap
  3. Support the implementation of required security measures
  4. Provide ongoing guidance and support for maintaining compliance

Benefits of Working with SCHUTZWERK

When partnering with SCHUTZWERK for CRA compliance, you benefit from:

  • Deep understanding of both technical security requirements and regulatory frameworks
  • Practical experience in implementing product security measures
  • Comprehensive testing and assessment capabilities
  • Ongoing support and guidance throughout your compliance journey
  • Independent and objective security expertise

Our goal is not only to help you achieve CRA compliance, but also to build lasting product security capabilities that sustainably increase the value of your products and reliably protect your users.

Funding for SMEs: The EU SECURE4SME programme supports small and medium-sized enterprises with grants of up to 30,000 euros for implementing CRA measures. Learn more on our SECURE4SME funding page.
