Part 1
Understanding the CRA
What Is the Cyber Resilience Act?
The Cyber Resilience Act (Regulation (EU) 2024/2847, hereafter CRA) is the EU's first horizontal cybersecurity regulation for products with digital elements. It entered into force on 10 December 2024 and establishes mandatory cybersecurity requirements for the design, development, production, and ongoing maintenance of any connected product placed on the EU market.
The CRA imposes three categories of obligation on manufacturers:
Product security
How a product must be designed, built, and maintained (Article 13, Annex I Part I)
Vulnerability handling
How vulnerabilities are received, assessed, remediated, and disclosed (Article 13, Annex I Part II)
Reporting obligations
Mandatory notification of actively exploited vulnerabilities and severe incidents (Article 14)
These three categories do not all apply at the same time, which is where most of the industry confusion originates.
The Two Deadlines
The CRA's obligations apply in two distinct phases, and understanding the difference between them is the single most important thing a manufacturer can do before spending a cent on compliance.
11 September 2026
Article 14 — reporting only
Event-triggered: manufacturers must report if an actively exploited vulnerability or severe incident occurs. Applies to all in-scope products.
Full article available here →11 December 2027
Full CRA applies
Article 13: comprehensive product security requirements and vulnerability handling processes. Any product placed on the EU market from this date must comply.
Which Products Are in Scope?
A product is in scope when three conditions are met simultaneously: it meets the definition of a product with digital elements, it is made available on the EU market, and its intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Product with digital elements — definition
Any software or hardware product, including its remote data processing solutions, made available on the market. This is intentionally broad.
Connections in scope: direct (Ethernet, Wi-Fi, Bluetooth, USB) and indirect (a software component running on a connected host OS).
Products manufactured exclusively for one's own use are not covered. Several categories are fully or partially exempted: medical devices (EU) 2017/745, in vitro diagnostic medical devices (EU) 2017/746, motor vehicles (EU) 2019/2144, civil aviation products certified under (EU) 2018/1139, and marine equipment under Directive 2014/90/EU.
Products placed on the market before 11 December 2027 are only subject to full Article 13 requirements if they subsequently undergo a substantial modification. However, the Article 14 reporting obligation applies to all in-scope products regardless of when they were placed on the market.
Product Categories: Default, Important, and Critical
The CRA divides products into three tiers. The tier determines the conformity assessment procedure required before the CE marking can be affixed — specifically, how much independent third-party involvement is required.
All products not classified as important or critical. Self-assess via Module A — no notified body required.
Listed in Annex III. Self-assess if a harmonised standard is applied; otherwise Module B+C or H required.
Listed in Annex III. Always require third-party assessment via Module B+C or H regardless of harmonised standards.
Listed in Annex IV. Mandatory third-party assessment; may require a European cybersecurity certificate.
Classification is determined by the core functionality of the product — not its name, marketing description, or ancillary features. Both Annex III and Annex IV are technically described in Commission Implementing Regulation (EU) 2025/2392 .
How many CRA projects will you need?
This question is critically important — it is one of the primary drivers of your total CRA compliance cost. Manufacturers commonly have more than 100 products. Running a separate compliance project for each is neither feasible nor necessary. Where products share sufficient characteristics, they can be grouped into product families.
The rule of thumb for forming a product family is to assess similarity across five dimensions:
- Product context — Similar intended purpose and reasonably foreseeable use, product functions, operational environment, and user types
- Assets — Similar things of value — security parameters (e.g., cryptographic keys), network functions, software components — that if compromised could affect the product security, its users or the manufacturer.
- Security mechanisms — Similar authentication, access control, secure storage, communication, and update mechanisms
- Architecture — Similar system architecture and hardware components
- Operating system — Running on the same OS or firmware base
Cost saving opportunity
Specialist consulting engagements for CRA compliance can run to tens or even hundreds of thousands of euros per project. If you are using Z-CMS for your CRA preparation, the cost becomes predictable: €4,000 per project per year (at the time of publishing this article). For a manufacturer running five projects instead of fifty, the difference is transformative.
The Standards That Operationalise the CRA
The CRA defines essential requirements — the cybersecurity outcomes products and manufacturers must achieve. However, these requirements are deliberately high-level and technology-neutral: they define what must be achieved, not how. Standards bridge that gap. They translate each essential requirement into concrete, testable activities and controls, making it possible to demonstrate that a product or process actually meets what the regulation demands.
All CRA standards are currently in draft form. There are 41 standard deliverables under the CRA standardisation mandate, and none have been formally adopted yet. No manufacturer can legitimately claim CRA compliance today. Prepare using current drafts, knowing adjustments will be needed once final versions are made available.
Horizontal standards — applicable to all products
Three horizontal standards form the baseline for every manufacturer regardless of product category.
Establishes the generic cybersecurity principles and risk management framework applicable to all products across their entire lifecycle. It is the foundation on which all other compliance work is built.
Defines the vulnerability handling requirements under Annex I Part II of the CRA. Applies to every manufacturer regardless of product category — default, important, and critical alike. 59 mandatory requirements across 6 phases.
Defines the product security requirements under Annex I Part I for default category products. Important and critical products use vertical standards alongside this baseline. Note: roughly two-thirds of this standard's requirements are drawn from the EN 18031 series — a meaningful head start for RED-compliant manufacturers.
Vertical standards — applicable to important and critical products
Important and critical products must comply with their product-category-specific vertical standard. For some categories, two vertical standards are in development: an EN 304 6XX for non-industrial products and an EN 62443-5-XX security profile for industrial products. These do not apply simultaneously — manufacturers determine which applies based on the intended purpose and reasonably foreseeable use of their product.
The table below shows the current state of all vertical standards. Where no draft is yet available, manufacturers should prepare using the horizontal standards and be ready to incorporate vertical requirements as soon as drafts become available.
| Product Category | Class | Standard Ref. | Title | Draft Available |
|---|---|---|---|---|
| Identity management and PAM systems | Class I | tbd | Criteria to fulfil essential requirements for identity management and PAM | Not yet available |
| Browsers | Class I | EN 304 617 | Essential cybersecurity requirements for browsers | v0.1.0, Dec 2025 |
| Password managers | Class I | EN 304 618 | Essential cybersecurity requirements for password managers | v0.1.0, Dec 2025 |
| Anti-malware software | Class I | EN 304 619 | Essential cybersecurity requirements for anti-malware software | v0.0.12, Dec 2025 |
| VPN — non-industrial | Class I | EN 304 620 | Essential cybersecurity requirements for VPN products | v0.1.0, Dec 2025 |
| VPN — industrial | Class I | EN 62443-5-XX (tbd) | Security profile for VPN products (IEC 62443-based) | Not yet available |
| Network management systems — non-industrial | Class I | EN 304 621 | Essential cybersecurity requirements for network management systems | v0.1.2, Dec 2025 |
| Network management systems — industrial | Class I | EN 62443-5-XX (tbd) | Security profile for network management systems (IEC 62443-based) | Not yet available |
| SIEM systems — non-industrial | Class I | EN 304 622 | Essential cybersecurity requirements for SIEM systems | v0.1.0, Dec 2025 |
| SIEM systems — industrial | Class I | EN 62443-5-XX (tbd) | Security profile for SIEM systems (IEC 62443-based) | Not yet available |
| Boot managers | Class I | EN 304 623 | Essential cybersecurity requirements for boot managers | v0.0.12, Dec 2025 |
| PKI and digital certificate issuance software | Class I | EN 304 624 | Essential cybersecurity requirements for PKI and digital certificate issuance software | v0.0.8, Jan 2026 |
| Physical and virtual network interfaces — non-industrial | Class I | EN 304 625 | Essential cybersecurity requirements for physical and virtual network interfaces | v0.0.13, Dec 2025 |
| Physical and virtual network interfaces — industrial | Class I | EN 62443-5-XX (tbd) | Security profile for physical and virtual network interfaces (IEC 62443-based) | Not yet available |
| Operating systems | Class I | EN 304 626 | Essential cybersecurity requirements for operating systems | v0.1.0, Dec 2025 |
| Routers, modems, and switches — non-industrial | Class I | EN 304 627 | Essential cybersecurity requirements for routers, modems, and switches | v0.0.11, Nov 2025 |
| Routers, modems, and switches — industrial | Class I | EN 62443-5-XX (tbd) | Security profile for routers, modems, and switches (IEC 62443-based) | Not yet available |
| Microprocessors and microcontrollers with security-related functionalities | Class I | EN 50XXX (tbd) | Cybersecurity requirements for microprocessors and microcontrollers with security-related functionalities | Not yet available |
| ASICs and FPGAs with security-related functionalities | Class I | tbd | Essential cybersecurity requirements for ASICs and FPGAs with security-related functionalities | Not yet available |
| Smart home virtual assistants | Class I | EN 304 631 | Essential cybersecurity requirements for smart home general purpose virtual assistants | Not yet available |
| Smart home security products | Class I | EN 304 632 | Essential cybersecurity requirements for smart home security products including door locks, cameras, baby monitors and alarm systems | Not yet available |
| Internet-connected toys | Class I | EN 304 633 | Essential cybersecurity requirements for internet-connected toys with social interactive or location tracking features | Not yet available |
| Health-monitoring wearables | Class I | EN 304 634 | Essential cybersecurity requirements for health-monitoring wearables and wearables for children | Not yet available |
| Hypervisors and container runtime systems | Class II | EN 304 635 | Essential cybersecurity requirements for hypervisors and container runtime systems | v0.0.10, Dec 2025 |
| Firewalls and IDS/IPS — non-industrial | Class II | EN 304 636 | Essential cybersecurity requirements for firewalls and intrusion detection and prevention systems | v0.0.9, Dec 2025 |
| Firewalls and IDS/IPS — industrial | Class II | EN 62443-5-XX (tbd) | Security profile for firewalls and IDS/IPS (IEC 62443-based) | Not yet available |
| Tamper-resistant microprocessors and microcontrollers | Class II | EN 5XXXX (tbd) | Cybersecurity requirements for tamper-resistant microprocessors and microcontrollers | Not yet available |
| Hardware devices with security boxes | Critical | tbd | Cybersecurity requirements for hardware devices with security boxes | Not yet available |
| Smart meter gateways | Critical | tbd | Cybersecurity requirements for smart meter gateways | Not yet available |
| Smartcards, similar devices, and secure elements | Critical | tbd | Cybersecurity requirements for smartcards and secure elements including EUCC-certified platforms | Not yet available |
Scroll horizontally to see all columns on small screens.
Part 2
Preparing for September 2026
What Article 14 Requires and What Triggers a Report
Article 14 is not a general vulnerability management obligation. It is an event-triggered reporting duty that applies only when a manufacturer becomes aware of one of two specific events.
Trigger Event 1
Actively exploited vulnerability
Reliable evidence that a malicious actor has exploited a vulnerability in a user's system without permission. A real breach, a real actor, actually impacting users.
Trigger Event 2
Severe incident affecting product security
An attack on the manufacturer's own infrastructure — dev environments, update pipelines, build systems — that creates downstream risk for end users. Example: malicious code injected into a software update channel.
The Reporting Process
Once a reportable event occurs, manufacturers must follow a structured multi-step notification process. Steps can be collapsed if earlier submissions already contained the required information.
For an actively exploited vulnerability
Early warning notification
Submit via the Single Reporting Platform (SRP). Initial alert to the CSIRT designated as coordinator.
Detailed notification
Product information, nature of the exploit, corrective or mitigating measures taken, and guidance users can apply.
Final report
Full vulnerability description, severity and impact, malicious actor information if known, and security update details.
For a severe incident
Early warning notification
Initial alert via the SRP.
Detailed notification
Nature of incident, initial assessment, measures taken, and user guidance.
Final report
Full description, threat type or root cause, and applied and ongoing mitigation measures.
Reports go simultaneously to the CSIRT designated as coordinator and to ENISA, both via a single submission on the CRA Single Reporting Platform (SRP), expected to be operational by 11 September 2026. Manufacturers must also notify impacted users directly. If a manufacturer fails to do this in a timely manner, the CSIRT designated as coordinator may step in.
Identifying Your CSIRT
Determining which CSIRT to notify is not always straightforward, particularly for non-EU manufacturers. The determination follows a decision logic based on your establishment in the Union. We have produced a dedicated Q&A to help manufacturers work through this step — you can find it on our CRA Article 14 reporting obligations page.
A map of all EU Member State CSIRTs is available at csirtsnetwork.eu .
What to Actually Prepare Before September 2026
There is very little to prepare upfront for this deadline. The information required in reports can only be gathered after an event occurs — you cannot pre-fill a vulnerability report before discovering a vulnerability. The two things worth doing now:
- Know which CSIRT you would notify — Use the flowchart referenced above to determine your main EU establishment and identify the corresponding CSIRT.
- Know where your products are sold — Reports require you to list the EU Member States where the affected product is available.
That is genuinely it for September 2026. The energy you save here is better spent on what comes next.
Part 3
Preparing for December 2027
Plan Your CRA Projects
The first task before any technical or process work begins is to determine how many compliance projects you will need to run. As discussed above, grouping products into families wherever possible is the single highest-leverage cost reduction available to you at this stage. The criteria for forming a product family — similar context, assets, security mechanisms, architecture, and operating system — should be assessed systematically across your full product portfolio before committing to a project structure.
Conduct a Risk Assessment
Before you can implement product security controls, you need to understand what risks your product faces. The standard governing this is prEN 40000-1-2, which defines the generic cybersecurity principles and risk management framework for all products with digital elements.
The risk assessment process follows a structured six-stage sequence:
The critical output of the risk assessment is the identification of which CRA essential requirements apply to your product and how they are implemented. This is what the technical documentation must capture and what market surveillance authorities will examine.
Z-CMS's upcoming risk assessment feature (coming in version 2.14.0) will provide a structured, methodology-grounded workflow for this purpose — currently one of the most significant gaps in available tooling for CRA preparation.
Run a CRA Gap Analysis
Once you have a picture of your risk profile, the next step is to assess where you currently stand against all CRA obligations. A proper CRA gap analysis covers all three compliance pillars: product security (mapped against EN 18031 and prEN 40000-1-4, plus the applicable vertical standard for important and critical products), vulnerability handling processes (mapped against prEN 40000-1-3), and user documentation (mapped against Annex II).
The output is a requirement-level picture of what is already met, what has gaps, and what needs to be built before December 2027.
Zealience has developed an automated CRA gap analysis feature in Z-CMS. It dramatically reduces the time and cost of this assessment — work that would otherwise require months of specialist consulting engagement. See a demo.
The Three Compliance Pillars
Pillar 1
Product Security
prEN 40000-1-4 + vertical standard
Pillar 2
Vulnerability Handling
prEN 40000-1-3 · 59 mandatory requirements
Pillar 3
User Documentation
Annex II · 14 obligations
Pillar 1: Product Security
With your risk assessment complete and your gap analysis in hand, you implement the product security controls required by your applicable standard — prEN 40000-1-4 for default products, the relevant vertical standard (from the table above) for important and critical products. Not every essential requirement applies to every product, but where a requirement does not apply, that determination must be justified and documented in your technical documentation.
Pillar 2: Vulnerability Handling (prEN 40000-1-3)
This applies to every manufacturer regardless of product category. The standard structures vulnerability handling into six phases with 59 mandatory requirements, 29 of which fall in the Preparation phase alone. The stakeholders involved span CISO, PSIRT, Product Management, Legal, Customer Support, and PR.
Manufacturers must produce seven documents:
The core internal document mapping to 48 requirements of EN 40000-1-3. Covers what your organisation does at each phase, who is responsible, and within what timeframes. A generic internal process document is not sufficient.
Get compliant template in Z-CMSThe public-facing counterpart to the Vulnerability Handling Policy, published on your website. Communicates to researchers, customers, and partners how your organisation handles reported vulnerabilities.
Free template on GitHubMaintained in CycloneDX or SPDX format, covering all upstream software dependencies including open source. Feeds ongoing vulnerability monitoring in the Receipt phase.
A documented inventory of hardware components, serving the same monitoring function at the hardware level.
Free template on GitHubA risk-based document specifying what security testing you perform, which vulnerability sources you monitor, and at what frequency. Auditors will expect ongoing evidence of execution — not just the plan itself.
Produced per vulnerability, documenting verification steps taken, evidence gathered, and conclusion reached.
Free template on GitHubRequired whenever a verified vulnerability has been fixed. Published on your website in human-readable format, covering the vulnerability description, affected product versions, severity and impact, and user remediation guidance.
Pillar 3: Information and Instructions to Users (Annex II)
CRA Annex II lists 14 specific documentation obligations covering what manufacturers must communicate to users — from security configuration guidance and known cybersecurity risks, to end-of-support timelines and instructions for secure decommissioning. These are mandatory under Article 13 and for most organisations represent deliverables that do not yet exist in any structured form.
Conformity Assessment and CE Marking
Once compliance is achieved, manufacturers must demonstrate it through a formal conformity assessment and affix the CE marking. Three procedures are available:
Once harmonised standards are formally adopted and their references published in the Official Journal of the EU, manufacturers who correctly apply those standards benefit from a presumption of conformity for the requirements they cover.
A Practical Compliance Roadmap
- Right now: Classify products, determine project count, identify CSIRT, identify applicable standards, begin risk assessments, run CRA gap analysis.
- By September 2026: Register on the SRP, report actively exploited vulnerabilities or severe incidents if they occur.
- Between now and December 2027: Draft Vulnerability Handling Policy, publish CVD Policy, build SBOM and hardware component list, establish Security Test and Review Plan, implement product security controls, prepare Annex II documentation, incorporate vertical standards as available, complete conformity assessment.
Right now
- Classify your products: default, important (Class I or II), or critical
- Determine how many compliance projects you need and group products into families where possible
- Identify applicable standards per product family — horizontal and, where available, vertical drafts
- Identify your designated CSIRT and the Member States where your products are available
- Begin risk assessments using prEN 40000-1-2 to identify applicable essential requirements
- Run a CRA gap analysis to establish your baseline across all three compliance pillars
By September 2026
- Register on the Single Reporting Platform when it goes live
- Report any actively exploited vulnerabilities or severe incidents if and when they occur
Between now and December 2027
- Draft your Vulnerability Handling Policy, mapped to all 48 relevant requirements of EN 40000-1-3
- Publish your CVD Policy
- Build or update your SBOM and hardware component list
- Establish your Security Test and Review Plan and begin generating execution evidence
- Implement product security controls identified through your gap analysis and risk assessment
- Prepare your Annex II user documentation package
- Once vertical standards are made available for your product category, incorporate their specific requirements
- Complete your conformity assessment and affix the CE marking before placing products on the market
The manufacturers who start now — with classified products, a structured risk assessment, and a clear gap analysis — will spend the next 18 months remediating in an orderly, prioritised way. Those who wait will face a compressed and expensive scramble as December 2027 approaches.
Frequently Asked Questions
Common questions about the Cyber Resilience Act (CRA), its deadlines, standards, and compliance requirements.