Frameworks

The Cyber Resilience Act Explained: What Software and Technology Companies Need to Know

The EU Cyber Resilience Act raises the standard for secure software, connected products, vulnerability management and security updates.

14 July 202612 min readKodex-Compliance
The Cyber Resilience Act Explained: What Software and Technology Companies Need to Know

What is the Cyber Resilience Act?

The Cyber Resilience Act is Regulation (EU) 2024/2847.

It creates a common set of cybersecurity requirements for hardware and software products made available on the European Union market.

The CRA covers the security of a product throughout its lifecycle, including:

  • Planning

  • Design

  • Development

  • Production

  • Delivery

  • Maintenance

  • Vulnerability handling

  • Security updates

The regulation follows a product compliance model similar to other European product rules.

Before placing an in-scope product on the EU market, the manufacturer must assess whether it meets the applicable cybersecurity requirements, prepare the required documentation and complete the relevant conformity assessment process.

When does the CRA apply?

The CRA entered into force on 10 December 2024.

However, its requirements apply in stages.

11 June 2026

The provisions concerning the notification of conformity assessment bodies began applying.

These are the organisations that may perform third-party conformity assessments for certain products.

11 September 2026

Manufacturers must begin reporting certain actively exploited vulnerabilities and severe security incidents.

This is the most immediate deadline for many companies.

11 December 2027

The main CRA obligations become applicable.

This includes the essential cybersecurity requirements, technical documentation, conformity assessment and CE marking obligations.

Companies should not interpret the 2027 date as permission to wait.

The reporting duties begin in September 2026, and building the necessary product security processes can take significant time.

Which products are covered?

The CRA applies to products with digital elements that are made available on the EU market.

A product with digital elements can include:

  • Software products

  • Hardware products

  • Software components

  • Hardware components

  • Remote data-processing solutions that are necessary for a product to perform one of its functions

The product must also have an intended or reasonably foreseeable direct or indirect connection to a device or network.

Examples may include:

  • Mobile applications

  • Desktop software

  • Operating systems

  • Network management tools

  • Security software

  • Internet of Things devices

  • Smart consumer products

  • Industrial software

  • Routers and firewalls

  • Embedded software

  • Commercial software components

Both final products and components sold separately can fall within the CRA.

Does the CRA apply to SaaS?

The answer is not a simple yes or no.

The CRA is not a blanket cybersecurity law covering every online service simply because it is described as SaaS.

The correct assessment depends on how the service operates and how it is supplied.

Important questions include:

  • Is the offering a software product made available on the EU market?

  • Is it connected directly or indirectly to a device or network?

  • Does it form part of another product with digital elements?

  • Is remote processing necessary for that product to perform one of its functions?

  • Is the software supplied under the company’s name or trademark?

  • Is another piece of EU legislation more specifically applicable?

A remote data-processing solution may fall within the CRA when it is designed or developed by the manufacturer, or under the manufacturer’s responsibility, and the product could not perform one of its functions without it.

Companies should therefore avoid making broad assumptions based only on labels such as SaaS, cloud platform or web application.

A product-level scope assessment is necessary.

Who is responsible?

The main responsibilities fall on manufacturers.

Under the CRA, the manufacturer is generally the person or company that develops or manufactures a product with digital elements, or has it developed or manufactured, and markets it under its own name or trademark.

This can apply whether the product is offered:

  • For payment

  • Through another form of monetisation

  • Free of charge as part of a commercial activity

The CRA can therefore affect companies outside the European Union when they make products available on the EU market.

Importers and distributors also have responsibilities.

Importers must check that the manufacturer has completed relevant compliance steps, including technical documentation, conformity assessment and CE marking.

Distributors must verify certain product information and must not continue making a product available when they know, or have reason to believe, that it does not comply with the CRA.

What about open-source software?

The CRA contains a specific approach to free and open-source software.

Software that is developed or supplied outside a commercial activity may fall outside the normal manufacturer obligations.

However, describing software as open source does not automatically remove it from the CRA.

The way the software is developed, supported, monetised and made available matters.

The Regulation also introduces the concept of an open-source software steward.

This can include a legal entity that provides sustained support for the development of specific open-source software intended for commercial activities.

Open-source organisations and companies using commercial open-source models should conduct a careful assessment rather than assuming they are excluded.

What does the CRA require from manufacturers?

1. Conduct a cybersecurity risk assessment

Manufacturers must perform a cybersecurity risk assessment for the product.

The assessment should influence decisions during:

  • Planning

  • Design

  • Development

  • Production

  • Delivery

  • Maintenance

The risk assessment should not be treated as a document created after development is complete.

It should guide the security measures built into the product.

2. Build security into the product

Products must be designed, developed and produced in accordance with the CRA’s essential cybersecurity requirements.

Depending on the product and its risks, this can include measures relating to:

  • Secure configurations

  • Access control

  • Protection against unauthorised access

  • Confidentiality and integrity

  • Data minimisation

  • Availability and resilience

  • Attack-surface reduction

  • Security logging

  • Secure updates

  • Protection from known vulnerabilities

The exact measures required will depend on the product’s purpose, functionality and cybersecurity risk.

3. Manage vulnerabilities throughout the support period

The manufacturer’s responsibility does not end when the product is released.

Manufacturers must establish processes to identify, document, remediate and disclose vulnerabilities.

They must also define a support period during which vulnerabilities will be handled effectively.

The end date of that support period must be communicated clearly to users.

Evidence of vulnerability handling may include:

  • Vulnerability reports

  • Triage records

  • Severity assessments

  • Patch decisions

  • Remediation records

  • Update logs

  • Disclosure communications

  • Component and dependency records

4. Report actively exploited vulnerabilities

From 11 September 2026, manufacturers must report actively exploited vulnerabilities that they become aware of.

The reporting process includes:

  • An early warning within 24 hours

  • A main notification within 72 hours

  • A final report no later than 14 days after a corrective or mitigating measure becomes available

The notifications will be submitted through the CRA Single Reporting Platform maintained by ENISA.

5. Report severe security incidents

Manufacturers must also report severe incidents affecting the security of their products.

The process includes:

  • An early warning within 24 hours

  • A main notification within 72 hours

  • A final report within one month of the 72-hour notification

This means companies need more than an incident response policy.

They need clear internal processes for identifying reportable events, escalating them, documenting decisions and meeting short regulatory deadlines.

6. Maintain technical documentation

Manufacturers must prepare technical documentation showing how the product meets the CRA requirements.

The documentation should include relevant information about:

  • The product and its intended purpose

  • Product design and development

  • The cybersecurity risk assessment

  • Security measures

  • Vulnerability-handling processes

  • Testing

  • Standards or technical specifications used

  • The conformity assessment

  • Supporting evidence

Market surveillance authorities may request this documentation.

It should therefore be accurate, current and connected to the product’s real implementation.

7. Complete a conformity assessment

Before placing an in-scope product on the EU market, the manufacturer must complete the relevant conformity assessment procedure.

For many standard products, self-assessment may be permitted.

However, stricter procedures apply to important and critical products with digital elements.

Important products are divided into Class I and Class II.

Depending on the category and the standards used, Class I products may require third-party assessment.

Important Class II products and critical products generally require a notified body or an applicable European cybersecurity certification route.

Examples of products that may face stricter requirements include certain:

  • Operating systems

  • Antivirus products

  • Routers

  • Firewalls

  • Hypervisors

  • Secure elements

  • Smart cards

  • Network management systems

Product classification should therefore happen early.

Discovering late that a notified body is required could delay market access.

8. Prepare the declaration and CE marking

Once the appropriate conformity assessment has been completed successfully, the manufacturer must prepare an EU Declaration of Conformity.

The product must also carry the CE marking in accordance with the applicable rules.

The CE marking does not mean that a regulator has personally inspected every product.

It represents the manufacturer’s declaration that the product meets the applicable EU requirements, supported by the required assessment route and technical documentation.

The biggest mistake companies can make

The biggest mistake is treating the CRA as a document-generation exercise.

A company might have:

  • A secure development policy

  • A vulnerability management policy

  • An incident response plan

  • A supplier security policy

  • A product security statement

Those documents are useful.

But they do not prove that the processes are working.

A stronger CRA compliance record would connect each requirement to:

  1. The relevant risk

  2. The documented control

  3. The real implementation

  4. The supporting evidence

  5. The responsible owner

  6. The review history

  7. Any unresolved gaps

For example, a vulnerability management policy might say that critical vulnerabilities are remediated quickly.

The supporting evidence should show:

  • When the vulnerability was discovered

  • How it was classified

  • Who reviewed it

  • What corrective action was taken

  • When the fix was released

  • Whether affected users were informed

  • Whether regulatory reporting was considered

That is the difference between a written intention and a defensible compliance record.

How companies should prepare

Step 1: Build a product inventory

Identify the software, hardware, components and connected products your company develops or sells.

Do not assess the company as one single product.

Different products may have different scope and classification outcomes.

Step 2: Conduct a CRA scope assessment

For each product, determine:

  • Whether it is made available on the EU market

  • Whether it has a direct or indirect connection to a device or network

  • Whether remote processing forms part of its functionality

  • Whether it is covered by sector-specific legislation

  • Whether it may qualify as an important or critical product

Document the reasoning behind the decision.

Step 3: Assign responsibility

The CRA affects several teams, including:

  • Product

  • Engineering

  • Security

  • Legal

  • Compliance

  • Customer support

  • Incident response

  • Supply-chain management

Assign a clear owner for the CRA programme and define which teams are responsible for each obligation.

Step 4: Prepare for the September 2026 reporting deadline

Create a process for identifying and reporting:

  • Actively exploited vulnerabilities

  • Severe incidents affecting product security

The process should include:

  • Clear reporting criteria

  • Escalation contacts

  • Decision-making authority

  • Legal and technical review

  • Evidence preservation

  • 24-hour and 72-hour response procedures

  • Final reporting responsibilities

Step 5: Review the secure development lifecycle

Compare current product-development practices against the CRA’s essential cybersecurity requirements.

Look for gaps in areas such as:

  • Threat modelling

  • Secure design

  • Code review

  • Dependency management

  • Security testing

  • Vulnerability disclosure

  • Patch management

  • Update delivery

  • Logging

  • Incident response

Step 6: Review third-party components

Manufacturers must exercise due diligence when integrating third-party components.

Create an inventory of:

  • Open-source dependencies

  • Commercial libraries

  • Embedded components

  • External services

  • Product integrations

  • Software suppliers

Record how component risks are assessed, monitored and addressed.

Step 7: Create an evidence structure

Do not wait until the conformity assessment to begin collecting evidence.

Evidence should be organised while the product is being designed, developed, tested and maintained.

Examples include:

  • Risk assessments

  • Threat models

  • Test reports

  • Code-review records

  • Vulnerability tickets

  • Patch records

  • Release notes

  • Incident logs

  • Supplier assessments

  • Product documentation

  • Approval records

  • Review histories

Common CRA misconceptions

“The deadline is in 2027, so we can wait.”

The main obligations apply in December 2027, but vulnerability and incident reporting begins in September 2026.

“Every SaaS platform is automatically covered.”

The SaaS label alone does not determine CRA scope. The product, functionality, delivery model and role of remote processing must be assessed.

“The CRA only applies to physical devices.”

Software products and separately supplied software components can also be covered.

“A cybersecurity policy is enough.”

The CRA requires real cybersecurity measures, vulnerability handling, technical documentation and evidence supporting conformity.

“Every product needs a third-party audit.”

Many standard products may use self-assessment. Important and critical products can face stricter conformity assessment requirements.

“CE marking means the product is completely secure.”

CE marking shows that the manufacturer declares conformity with applicable requirements. It does not guarantee that the product can never contain a vulnerability or experience an incident.

Final thoughts

The Cyber Resilience Act represents a major shift in European product cybersecurity.

Security will need to be considered before release, maintained after release and supported by evidence throughout the product lifecycle.

For many companies, the difficult part will not be understanding that cybersecurity matters.

The difficult part will be proving that security requirements were translated into real controls, real product decisions and real vulnerability-management processes.

The strongest preparation strategy is therefore not:

Write more policies before 2027.

It is:

Build a clear chain from risk, to control, to implementation, to evidence.

That is how companies prepare for regulatory review, customer scrutiny and product conformity without relying on last-minute paperwork.

Kodex Compliance helps growing companies organise requirements, controls, implementation evidence and review history across the CRA and other compliance frameworks.

Learn more at kodex-compliance.com


References

  1. European Commission, Cyber Resilience Act, including scope, purpose and application dates.

  2. European Commission, The Cyber Resilience Act: Summary of the Legislative Text, including definitions, manufacturer obligations, importer and distributor duties, reporting timelines, technical documentation and product classification.

  3. European Commission, Cyber Resilience Act: Reporting Obligations, covering the reporting framework for actively exploited vulnerabilities and severe incidents.

  4. European Commission, Cyber Resilience Act: Conformity Assessment, covering self-assessment, important products, critical products and notified bodies.

  5. European Commission, Cyber Resilience Act: Manufacturers, covering risk assessment, secure product development, CE marking, support periods and post-market vulnerability handling.

Disclaimer: This article provides general information and does not constitute legal advice. CRA scope and obligations should be assessed based on the specific product, business model and applicable EU legislation.

Build the evidence trail

Kodex Compliance helps teams turn questionnaires, documents, implementation proof, and reviewer decisions into a clear compliance record.

Request demo