Cenitia launchesLaunching September 2026 — first 250 founders get the launch price locked for life.

Reserve your spot →
Cenitia
How it worksLibraryGlossaryRegulationsToolsAbout
Reserve your spot
How it worksLibraryGlossaryRegulationsToolsAbout
← Regulations

EU Regulation · CRA

Cyber Resilience Act

Regulation (EU) 2024/2847

The EU Cyber Resilience Act sets mandatory cybersecurity requirements for products with digital elements across their whole lifecycle — from secure design and a Software Bill of Materials to vulnerability handling and incident reporting.

What it covers

Any product with digital elements that connects to a network or runs software, placed on the EU market.

How it applies to your product

In practice the CRA means a connected product needs secure-by-default configuration, a documented vulnerability-handling process, and a Software Bill of Materials — and the manufacturer must report actively exploited vulnerabilities and severe incidents through the EU single reporting platform to the relevant national CSIRT (with ENISA notified in parallel) within tight deadlines. It applies on top of a product’s other CE-marking obligations, not instead of them.

Key dates

Applies in full from 11 December 2027; the vulnerability and incident reporting obligations apply earlier, from 11 September 2026.

Authoritative source

Always confirm against the primary text on EUR-Lex — the official EU legal database.

Read Regulation (EU) 2024/2847 on EUR-Lex ↗

See also the CRA entry in the glossary.

Guides on CRA

From the Library

  • reference

    Declaration of Conformity translation requirements — every EU language explained

    Which EU language(s) the Declaration of Conformity must be drawn up in, which language(s) must accompany the product per market, and what counts as a valid translation.

  • tutorial

    Sample Declaration of Conformity — annotated walkthrough with template

    Full annotated sample EU Declaration of Conformity for a connected IoT product, citing CRA, RED, LVD, EMC, RoHS — with explanation of each of the nine elements.

  • guide

    Updating a Declaration of Conformity after a regulation amendment

    When a cited EU regulation or harmonised standard is amended, the Declaration of Conformity may need to be reissued. This guide explains when, how, and what to retain.

  • reference

    Conformity assessment Modules A through H — the EU CE marking decision guide

    Every EU conformity assessment module — Module A self-assessment through Module H full quality assurance — when each applies and how to choose the right one.

  • reference

    Top 10 CE marking mistakes that trigger product withdrawal

    Ten CE marking mistakes seen most often in market surveillance enforcement — each grounded in the specific EU regulation that defines the violation.

  • guide

    When you need a Notified Body — the EU CE marking decision guide

    Decision guide for when a Notified Body must be involved in EU conformity assessment — by directive, by product type, by module — plus how to find one and what it costs.

Check your product

Free tools

  • EU Directive Selector →
  • CRA Readiness Checker →
  • Do I need a Notified Body? →
Cenitia

The EU compliance engine for hardware manufacturers. Cited drafts, electronic signing, regulation watching — all in one place.

A product of Inovasense s.r.o., Bratislava, Slovakia · Data hosted in Stockholm, EU

Site

  • How it works
  • Library
  • Glossary
  • Regulations
  • By product type
  • Tools
  • About

Legal

  • Imprint
  • Privacy
  • Terms

© 2026 Inovasense s.r.o. · cenitia.com

EU sovereign · EU data residency by design · Customer data never trains models