UE Cyber Resilient Act (CRA)

What is the Cyber Resilience Act?

The EU Cyber Resilience Act (CRA), effective from 2024/2026, establishes baseline cybersecurity requirements for hardware and software products with digital elements placed on the EU market.

It aims to protect consumers and businesses by ensuring products meet essential cybersecurity standards throughout their lifecycle—from design to deployment and post-market monitoring.

Scope and Applicability

The CRA applies to all products with digital elements that are connected directly or indirectly to networks or other devices, excluding certain specified categories like open-source software or regulated medical devices.

Manufacturers, importers, distributors, and representatives must ensure compliance to place the CE marking on products.

Key Cybersecurity Requirements

• Secure-by-design development, including threat modeling and secure coding
• Vulnerability management with coordinated disclosure
• Mandatory incident reporting to ENISA within 24 hours for severe cases
• Post-market surveillance for ongoing risk assessment
• Secure default configuration and updates throughout the product lifecycle
• Access control and data protection to prevent unauthorized access and breaches

Manufacturer Obligations

• Conduct cybersecurity risk assessments appropriate to product use and threat environment
• Implement vulnerability handling and incident response processes
• Communicate transparently about security support and update scope
• Maintain comprehensive compliance documentation and CE marking

How Edaway Supports You

Edaway offers expert consulting to assist with understanding CRA requirements, gap analysis, implementing security measures, and designing CRA-compliant products across their life cycle.

Our services help you prepare for compliance deadlines and create resilient, market-ready devices with trusted cybersecurity.