Question 1

What is the EU Cyber Resilience Act?

Accepted Answer

The CRA is an EU regulation that sets mandatory cybersecurity requirements for hardware and software products with digital elements placed on the Union market, covering the full product lifecycle.

Question 2

Which products are in scope?

Accepted Answer

The CRA covers most connected hardware and software products sold in the EU. Products are categorised as default, important (Class I and II) or critical based on their risk profile, with stricter assessment for higher classes.

Question 3

What are the essential requirements?

Accepted Answer

Products must be secure-by-design and secure-by-default, ship without known exploitable vulnerabilities, provide security updates, and meet specific requirements around integrity, confidentiality, authentication and resilience.

Question 4

Do manufacturers need an SBOM?

Accepted Answer

Yes. Manufacturers must maintain a machine-readable Software Bill of Materials covering at least the top-level dependencies of every product with digital elements.

Question 5

What is the vulnerability handling obligation?

Accepted Answer

Manufacturers must operate a coordinated vulnerability disclosure policy, remediate vulnerabilities without delay, provide free security updates for the support period and report actively exploited vulnerabilities within 24 hours.

Question 6

How is conformity demonstrated?

Accepted Answer

Depending on the product class, manufacturers use internal control, EU-type examination or full quality assurance. CE marking and an EU Declaration of Conformity are required before placing products on the market.

Question 7

When does the CRA apply?

Accepted Answer

The CRA entered into force in late 2024, with the main obligations applying from 2027 and vulnerability reporting obligations applying earlier. Manufacturers should plan multi-year readiness programmes.

Question 8

What are the penalties?

Accepted Answer

Non-compliance with essential requirements can lead to fines of up to EUR 15 million or 2.5% of global annual turnover, with lower tiers for other breaches and information obligations.

Question 9

How does the CRA relate to NIS2 and RED?

Accepted Answer

The CRA complements NIS2 at the product level and replaces the cybersecurity delegated act under the Radio Equipment Directive for products in its scope, creating a single harmonised regime.

Question 10

How does Basenorm support CRA compliance?

Accepted Answer

Basenorm links CRA requirements to the Unified Control Library, manages SBOMs, vulnerability workflows, technical documentation and conformity evidence across every product, with continuous monitoring and incident reporting.

Meet the EU
Cyber Resilience Act

Secure Development and Product Scope

Secure-by-Design Lifecycle

Software Bill of Materials

Vulnerability Handling and SBOM Management

Conformity Assessment and CE Marking

Vulnerability Disclosure Workflow

Ready to operationalise CRA compliance?

Frequently Asked Questions

Meet the EUCyber Resilience Act

Secure Development and Product Scope

Secure-by-Design Lifecycle

Software Bill of Materials

Vulnerability Handling and SBOM Management

Conformity Assessment and CE Marking

Vulnerability Disclosure Workflow

Ready to operationalise CRA compliance?

Frequently Asked Questions

What is the EU Cyber Resilience Act?

Which products are in scope of the CRA?

What are the essential cybersecurity requirements?

What is the SBOM obligation under the CRA?

How does vulnerability reporting work?

What does conformity assessment look like?

How does the CRA interact with NIS2?

Who is responsible along the value chain?

What are the penalties for non-compliance?

How does Basenorm support CRA compliance?

Related FAQ Topics

Meet the EU
Cyber Resilience Act