Guide to the Cyber Resilience Act

The CRA is an EU regulation (Regulation (EU) 2024/2847) requiring manufacturers of digital products to demonstrate cybersecurity resilience throughout their life cycle, focusing on risk-based compliance and transparency. 

Products in scope:

• Consumer IoT devices, such as smart home gadgets, e.g., thermostats, cameras, speakers and lighting, wearables like smartwatches and fitness trackers, and connected household appliances, like smart fridges and washing machines
• Networking hardware, including routers, modems, firewalls and network switches
• Operating systems and software applications for both desktop and mobile platforms, such as antivirus tools, office productivity suites and web browsers
• Components of industrial control systems (ICS), like programmable logic controllers (PLCs), sensors and actuators with digital interfaces (unless governed by sector-specific regulations)
• Cybersecurity tools, including VPN clients and security gateways
• Other smart or connected devices, such as smart meters, printers, smart toys and smart speakers

Products out of scope:

• Noncommercial products: Digital tools are not marketed or sold commercially
• Nonmonetized open-source software: Free, open-source software (FOSS) shared without commercial intent
• Custom-built software: Software developed exclusively for a specific customer or internal use, not placed on the general market
• Defense and classified systems: Military and government systems are governed by national or classified regulations
• Services, e.g., standalone SaaS: Service-only offerings (like SaaS) fall under NIS2, not CRA
• Fully excluded sectors (covered by other EU regulations):
  • Medical devices and software covered under the Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR)
  • Aircraft systems covered under European Union Aviation Safety Agency (EASA) regulations
  • Automotive systems covered under UN R155/EU 2019/2144 

Conduct an expert-led gap analysis of your existing security policies, processes and product development life cycle against CRA requirements to identify risks, misalignments and actionable steps for compliance. 

Regardless of your industry or product secure development, processes will be a critical requirement to illustrate CRA compliance. Our CRA process framework provides a standardized approach to manage compliance systematically across the product life cycle, integrating proactive prevention, documented processes and continuous monitoring. 

The level of UL Solutions' involvement is flexible and scalable to your needs. Our advisory and delivery services team supports you throughout the preparation process, helping you gain a thorough understanding of the CRA, identifying weaknesses or concerns, and helping to educate you on common best practices to streamline your processes and workflows for CRA compliance. Meanwhile, our laboratory and audit teams provide expert support with evaluations, conformity assessments and certifications to help you demonstrate CRA compliance. 

The purpose of the CRA is to address the inadequate levels of cybersecurity in digital products (hardware and software) and the lack of timely security updates, particularly building on Radio Equipment Directive Article 3.3 (d), (e) and (f) as its predecessor. It is focused on protecting consumers and businesses from cyber threats and vulnerabilities throughout the life cycle of the product. The CRA's implementation is to reduce product vulnerabilities (when introduced to market and ongoing vulnerability management) and improve transparency around product security, and shift responsibility for cybersecurity from users to manufacturers — and in turn to their supply chain. It enables informed choices for buyers with the CE marking and enhances the overall resilience of the EU’s digital single market against cyberattacks. 

Contact us for training, workshops or technical support.

Noncompliance with the CRA can result in substantial administrative fines: up to €15 million, or 2.5% of global annual turnover for breaches of essential cybersecurity requirements, up to €10 million, or 2% of turnover for other offenses, and up to €5 million, or 1% for providing false or incomplete information to authorities. In addition, authorities can require companies to correct security flaws and restrict or withdraw noncompliant products from the market. 

The regulation also imposes ongoing obligations on manufacturers (and their supply chain), importers and distributors to demonstrate product security, maintain technical documentation, promptly report vulnerabilities and cooperate with national market surveillance authorities. These measures are enforced by national surveillance authorities, who aim to harmonize cybersecurity standards and strengthen the overall security of products with digital elements in the EU.

The CRA applies to manufacturers (including their supply chain and remote processing partners), importers and distributors for any hardware and software defined as products with digital elements. This definition includes any connected product, whether it connects directly or indirectly to another device or network.  

The CRA covers products sold for payment and those supplied free of charge as part of commercial activities, e.g., open source. Manufacturers have primary responsibility for confirming their products meet the CRA’s cybersecurity requirements throughout the entire life cycle, but importers and distributors must also verify compliance before placing products on the EU market. There are, however, some exceptions, such as products already regulated by sector-specific EU laws.