Guide to the Cyber Resilience Act

Learn more about the European Cyber Resilience Act (CRA) that aims to enhance the cybersecurity of products with digital elements sold within the EU.

Why the Cyber Resilience Act matters: Securing your digital future

The primary purpose of the European Union (EU) Cyber Resilience Act (CRA) is to enhance the cybersecurity of products with digital elements, including software and hardware sold within the EU.

For organizations across all industry and technology sectors, compliance is no longer optional — it’s a critical step to protect your brand, avoid penalties and maintain market access.

Stay ahead of the Cyber Resilience Act

In an era when digital products power everything from smart devices to critical infrastructure, the capability to handle modern cybersecurity threats is essential — and a significant competitive advantage. The CRA sets new standards for securing digitally enabled products in Europe, requiring manufacturers, importers and distributors to embed robust cybersecurity measures throughout the product life cycle.

CRA subclasses

The CRA introduces a risk-based framework, categorizing digital products into three main categories and two subclasses:

Default

This includes products with the lowest risk profile, which comprise approximately 90% of all covered products, including most smart home and consumer Internet of Things (IoT) devices.

Important products

This product category is further divided into two classes based on their criticality:

Class I important products

This includes products with essential functionalities that present a higher risk than default products but are less critical than Class II. The category includes identity management systems, standalone and embedded browsers, routers, modems, switches, smart home security devices (e.g., smart locks and cameras), personal health monitoring wearables (not covered by medical device regulation), internet-connected toys and other similar devices.

Class II important products

This includes products presenting a higher cybersecurity risk and criticality. If these products were compromised, the results could have major adverse effects or disrupt many other products. Examples include firewalls, intrusion detection/prevention systems (IDS/IPS), cryptoprocessors, and industrial routers and modems.

Critical products

Products with cybersecurity-related functionality whose compromise could disrupt, control or damage many other products or critical infrastructure. These may include hardware security modules (HSMs), smartcards, or secure elements and hardware devices with security boxes.

Why work with UL Solutions

Following the CRA publication in the Official Journal of the European Union on Nov. 20, 2024, businesses were allowed a three-year period — until Dec. 11, 2027 — to achieve full compliance with its new requirements. Organizations must move quickly to adapt to these evolving regulations and establish effective, practical strategies for meeting the CRA standards. Noncompliance may lead to significant penalties, including fines of up to 2% of global annual turnover and potential exclusion from the EU market.

Grounded in the principles of security by design, ongoing life cycle management and clear accountability for manufacturers and software developers, the CRA establishes cybersecurity resilience principles that require manufacturers to conduct the relevant conformity assessments and implement proactive risk management for all digital products according to their risk profiles and the applicable standards. Our team of cybersecurity experts is here to guide you through this complex landscape, providing guidance on cybersecurity standards and helping you safeguard your reputation.

Let’s turn your compliance into your competitive advantage — contact us today to prepare for the future of digital security.

Comprehensive Cyber Resilience Act guidance and services

We offer tailored services to help you meet CRA obligations efficiently and effectively, including:

Introduction to CRA (training)

Gain clarity on the complexity of CRA requirements and align your team’s understanding with regulatory expectations. Explore how the CRA integrates with key frameworks across industries. Identify your product’s risk category to determine applicable conformity assessment methods and avoid costly missteps by addressing requirements early in development.

Expected result: CRA understanding and alignment, stakeholder consensus on risk profiles and awareness of regulatory interdependencies.

Evaluate CRA readiness (gap analysis)

Clarify your organization’s current cybersecurity capabilities against CRA requirements and address the identified gaps through strategic action planning.

Expected result: Clear understanding of current readiness, prioritized gaps and a road map of best practices to integrate CRA requirements into existing ways of working.

CRA process framework (technical support and workshops)

Address the comprehensive requirements of the CRA across the complete product life cycle. Develop a structured process focused on proactive prevention rather than reactive recovery, one that enhances and integrates with existing processes to standardize compliance efforts, track progress systematically and demonstrate efficiently that all requirements are met.

Perform CRA evaluations and assessments

Our CRA services are designed to help manufacturers meet regulatory and cybersecurity best practices throughout the product life cycle, or as final preparation for certification. We conduct reviews of technical documentation, risk management and product security features (with testing as a core element of evaluation) against essential requirements and best practice principles and standards. This includes threat modeling, vulnerability scanning, software bill of materials (SBOM) validation and penetration testing to identify and address potential weaknesses. Our approach covers conformity documentation, incident response procedures and ongoing compliance checks to demonstrate continuous alignment with CRA requirements.

Related resources

EU Cyber Resilience Act: Implications for the Automotive Industry

Learn how the Cyber Resilience Act (CRA) is shaping the future of cybersecurity practices in the EU.

Beyond Compliance: Smarter Strategies for Mastering ISO/SAE 21434, EU Cyber Resilience Act and ASPICE (video)

Cyber Resilience Act FAQs

What is the Cyber Resilience Act?

The CRA is an EU regulation (Regulation (EU) 2024/2847) requiring manufacturers of digital products to demonstrate cybersecurity resilience throughout their life cycle, focusing on risk-based compliance and transparency.

What products are included in the Cyber Resilience Act?

Products in scope:

  • Consumer IoT devices, such as smart home gadgets, e.g., thermostats, cameras, speakers and lighting, wearables like smartwatches and fitness trackers, and connected household appliances, like smart fridges and washing machines
  • Networking hardware, including routers, modems, firewalls and network switches
  • Operating systems and software applications for both desktop and mobile platforms, such as antivirus tools, office productivity suites and web browsers
  • Components of industrial control systems (ICS), like programmable logic controllers (PLCs), sensors and actuators with digital interfaces (unless governed by sector-specific regulations)
  • Cybersecurity tools, including VPN clients and security gateways
  • Other smart or connected devices, such as smart meters, printers, smart toys and smart speakers

Products out of scope:

  • Noncommercial products: Digital tools that are not marketed or sold commercially
  • Nonmonetized open-source software: Free, open-source software (FOSS) shared without commercial intent
  • Custom-built software: Software developed exclusively for a specific customer or internal use, not placed on the general market
  • Defense and classified systems: Military and government systems are governed by national or classified regulations
  • Services, e.g., standalone SaaS: Service-only offerings (like SaaS) fall under NIS2, not CRA
  • Fully excluded sectors (covered by other EU regulations):
    • Medical devices and software covered under the Medical Devices Regulation (MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR)
    • Aircraft systems covered under European Union Aviation Safety Agency (EASA) regulations
    • Automotive systems covered under UN R155/EU 2019/2144

How do I evaluate my Cyber Resilience Act readiness?

Conduct an expert-led gap analysis of your existing security policies, processes and product development life cycle against CRA requirements to identify risks, misalignments and actionable steps for compliance.

What is the Cyber Resilience Act process framework?

Regardless of your industry or product, secure development processes will be a critical requirement for demonstrating CRA compliance. Our CRA process framework provides a standardized approach to manage compliance systematically across the product life cycle, integrating proactive prevention, documented processes and continuous monitoring.

What can I expect working with the UL Solutions team?

The level of UL Solutions' involvement is flexible and scalable to your needs. Our advisory and delivery services team supports you throughout the preparation process, helping you gain a thorough understanding of the CRA, identifying weaknesses or concerns, and helping to educate you on common best practices to streamline your processes and workflows for CRA compliance. Meanwhile, our laboratory and audit teams provide expert support with evaluations, conformity assessments and certifications to help you demonstrate CRA compliance.

What is the purpose of the Cyber Resilience Act?

The purpose of the CRA is to address the inadequate levels of cybersecurity in digital products (hardware and software) and the lack of timely security updates, building in particular on Radio Equipment Directive Article 3.3 (d), (e) and (f) as its predecessor. It is focused on protecting consumers and businesses from cyber threats and vulnerabilities throughout the life cycle of the product. The CRA aims to reduce product vulnerabilities (both when a product is introduced to the market and through ongoing vulnerability management), improve transparency around product security, and shift responsibility for cybersecurity from users to manufacturers — and in turn to their supply chain. It enables informed choices for buyers through the CE marking and enhances the overall resilience of the EU’s digital single market against cyberattacks.

Contact us for training, workshops or technical support.

What are the consequences of noncompliance with the Cyber Resilience Act?

Noncompliance with the CRA can result in substantial administrative fines: up to €15 million or 2.5% of global annual turnover for breaches of essential cybersecurity requirements; up to €10 million or 2% of turnover for other offenses; and up to €5 million or 1% for providing false or incomplete information to authorities. In addition, authorities can require companies to correct security flaws and restrict or withdraw noncompliant products from the market.

The regulation also imposes ongoing obligations on manufacturers (and their supply chain), importers and distributors to demonstrate product security, maintain technical documentation, promptly report vulnerabilities and cooperate with national market surveillance authorities. These measures are enforced by national surveillance authorities, who aim to harmonize cybersecurity standards and strengthen the overall security of products with digital elements in the EU.

Who does the Cyber Resilience Act apply to?

The CRA applies to manufacturers (including their supply chain and remote processing partners), importers and distributors for any hardware and software defined as products with digital elements. This definition includes any connected product, whether it connects directly or indirectly to another device or network.

The CRA covers products sold for payment and those supplied free of charge as part of commercial activities, e.g., open source. Manufacturers have primary responsibility for confirming their products meet the CRA’s cybersecurity requirements throughout the entire life cycle, but importers and distributors must also verify compliance before placing products on the EU market. There are, however, some exceptions, such as products already regulated by sector-specific EU laws.

Want to know more about how we can help you reach CRA compliance?

Prepare for the CRA and contact us today.