
What Is the EU Cyber Resilience Act? A Complete Guide for Tech Leaders

Luca Berton • 3 min read
#cra #compliance #eu-regulation #cybersecurity #open-source

πŸ‡ͺπŸ‡Ί The CRA Is Here

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the most significant cybersecurity regulation for software products since GDPR transformed data privacy. Published in the Official Journal in November 2024, in force since December 2024, and fully applicable from December 2027, it fundamentally changes how software, including open source, must be developed, maintained, and documented.

If you build, sell, or distribute software products with digital elements in the EU market, this affects you.

What Does the CRA Cover?

The CRA applies to products with digital elements: hardware or software products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network, together with any remote data-processing solution they depend on. This includes:

  • Operating systems and firmware
  • Browsers and email clients
  • VPNs, firewalls, and security software
  • IoT devices and smart home products
  • Container runtimes and hypervisors
  • Network management systems (NMS)
  • Password managers
  • PKI and certificate software

Product Classification

The CRA sorts products into four tiers, each with its own conformity-assessment route:

Default Products (Self-Assessment)

Most software products fall here. Manufacturers can self-assess conformity.

Important Products - Class I

Higher-risk products listed in Annex III. Manufacturers may still self-assess if they apply the relevant harmonised standards in full; otherwise a notified body must be involved:

  • Browsers (EN 304 617)
  • Password Managers (EN 304 618)
  • Antivirus and malware-removal software (EN 304 619)
  • VPNs (EN 304 620)
  • Network Management Systems (EN 304 621)
  • SIEM systems (EN 304 622)
  • Boot Managers (EN 304 623)
  • PKI and digital certificate issuance software (EN 304 624)
  • Operating Systems (EN 304 626)
  • Routers and switches (EN 304 627)
  • Smart home devices (EN 304 631, 632)
  • Personal wearables (EN 304 634)

Important Products - Class II

The second Annex III tier; third-party conformity assessment by a notified body is mandatory:

  • Hypervisors and container runtimes (EN 304 635)
  • Firewalls and IDS/IPS (EN 304 636)
  • Tamper-resistant microprocessors and microcontrollers

Critical Products

The Annex IV tier. Third-party assessment applies, and the Commission can additionally require certification under a European cybersecurity certification scheme:

  • Hardware devices with security boxes, such as hardware security modules
  • Smart meter gateways and other devices for secure cryptoprocessing
  • Smartcards and similar devices, including secure elements

Timeline

Date          Milestone
20 Nov 2024   CRA (Regulation (EU) 2024/2847) published in the Official Journal
10 Dec 2024   Entry into force
11 Sep 2026   Reporting obligations for actively exploited vulnerabilities and severe incidents begin
11 Dec 2027   Full application of the remaining obligations

Key Requirements

  1. Security by design: the Annex I essential requirements apply from the design phase; products must ship without known exploitable vulnerabilities and with a secure default configuration
  2. Vulnerability handling: establish a coordinated vulnerability disclosure policy, a contact address for reports, and a documented process for handling and fixing vulnerabilities
  3. Software Bill of Materials (SBOM): document the product’s components, including open source dependencies, in a commonly used machine-readable format covering at least the top-level dependencies; it forms part of the technical documentation rather than a mandatory public artifact
  4. Security updates: provide security patches for a support period that reflects the product’s expected time in use, at least 5 years unless the product is expected to be used for a shorter period; where technically feasible, deliver security updates separately from functionality updates
  5. Incident reporting: for an actively exploited vulnerability or a severe incident, submit an early warning to the single reporting platform (reaching the designated CSIRT and ENISA) within 24 hours, a fuller notification within 72 hours, and a final report afterwards (14 days for vulnerabilities, one month for incidents)
  6. CE marking: products must carry CE marking to be placed on the EU market

Open Source Impact

The CRA includes specific provisions for open source:

  • Open source supplied outside a commercial activity is out of scope: hobby projects, community contributions, and projects that merely receive donations or public funding are not covered
  • Commercial open source is covered: if you monetise it through paid support, hosted versions, or dual licensing, or ship it inside a commercial product, you are a manufacturer under the CRA
  • “Open Source Steward”: a new role for foundations and similar entities that sustain open source intended for commercial use without placing it on the market themselves; stewards have lighter obligations (a cybersecurity policy and cooperation on vulnerability reporting, but no CE marking)

What This Means for Your Business

If you sell software products in the EU:

  1. Audit your products: determine their CRA classification (default, important Class I or II, critical), which sets the conformity-assessment route
  2. Implement SBOM generation: a machine-readable CycloneDX or SPDX document covering at least the top-level dependencies, kept with the technical documentation
  3. Establish vulnerability handling: a coordinated disclosure policy, a published contact for reports, and a patch process that ships security updates separately from feature updates
  4. Plan for reporting: actively exploited vulnerabilities and severe incidents go to the single reporting platform within 24 hours, followed by a 72-hour notification and a final report
  5. Budget for compliance: testing, documentation, and potential third-party assessment by a notified body
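As an added example for step 2 (this is not code from the article, the CRA text, or any vendor tool), the following Python builds a minimal CycloneDX 1.5 JSON SBOM for a product from a pinned requirements list and then checks it for the fields an assessor would look for: a product component in the metadata, a type, name, version and Package URL on every dependency, and no dependency edge pointing at a component that is not in the document. The product name, versions and dependency list are constructed sample data. In practice you would generate the document with a tool such as cyclonedx-bom or syft and run the same kind of checks on its output before filing it with the technical documentation.

```python
"""
Minimal CycloneDX 1.5 JSON SBOM builder plus a pre-submission checker.

Added example for this article, not code from the CRA or any vendor tool.
The product name, dependency pins and serial number used below are
constructed sample data.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: what a pinned requirements.txt might contain.
SAMPLE_REQUIREMENTS = """\
# production dependencies (constructed example data)
requests==2.31.0
urllib3==2.2.1
cryptography==42.0.5
"""

# Exact pins only ("name==version"); ranges are not reproducible enough for an SBOM.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;#]+)")


def parse_pins(text):
    """Return [(name, version)] for exact pins; comments, blanks and ranges are skipped."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def purl_for_pypi(name, version):
    """Package URL (pkg:pypi/name@version), the identifier vulnerability databases key on."""
    return f"pkg:pypi/{name}@{version}"


def build_cyclonedx(product_name, product_version, requirements_text, serial=None):
    """Build a CycloneDX 1.5 document (as a dict) for the product and its top-level deps."""
    serial = serial or f"urn:uuid:{uuid.uuid4()}"
    components = []
    for name, version in parse_pins(requirements_text):
        ref = purl_for_pypi(name, version)
        components.append({
            "type": "library",
            "bom-ref": ref,
            "name": name,
            "version": version,
            "purl": ref,
        })
    product_ref = f"pkg:generic/{product_name}@{product_version}"
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial,
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            # The product itself, so the SBOM states what it describes.
            "component": {
                "type": "application",
                "bom-ref": product_ref,
                "name": product_name,
                "version": product_version,
            },
        },
        "components": components,
        # Dependency graph: the product depends directly on every listed component.
        "dependencies": [
            {"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]}
        ],
    }


def check_sbom(doc):
    """Return a list of problems found in the document; an empty list means it passed."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX" or not doc.get("specVersion"):
        problems.append("missing bomFormat/specVersion")
    product = doc.get("metadata", {}).get("component", {})
    if not product.get("name"):
        problems.append("metadata.component (the product itself) is missing")
    refs = {product.get("bom-ref")}
    for c in doc.get("components", []):
        for key in ("type", "name", "version", "purl"):
            if not c.get(key):
                problems.append(f"component {c.get('name')!r} lacks {key}")
        if c.get("bom-ref") in refs:
            problems.append(f"duplicate bom-ref {c['bom-ref']}")
        refs.add(c.get("bom-ref"))
    # Every dependency edge must point at a component that exists in the BOM.
    for d in doc.get("dependencies", []):
        for target in d.get("dependsOn", []):
            if target not in refs:
                problems.append(f"dependency edge to unknown ref {target}")
    return problems


if __name__ == "__main__":
    sbom = build_cyclonedx("example-service", "1.4.2", SAMPLE_REQUIREMENTS)
    print(json.dumps(sbom, indent=2))
    print("checks:", check_sbom(sbom) or "ok")
```

The checker is deliberately stricter than the JSON schema on one point: it rejects dependency edges to unknown references, which is the mistake that most often makes an SBOM useless for vulnerability matching, because the tooling can no longer tie a CVE on a transitive package back to the product that ships it.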

The CRA is not optional. Non-compliant products cannot be placed on the EU market, and breaches of the essential requirements carry fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher.


Need help preparing for CRA compliance? I help organizations assess their products and build compliant development processes. Get in touch.


Luca Berton

AI & Cloud Advisor with 18+ years experience. Author of 8 technical books, creator of Ansible Pilot, and instructor at CopyPasteLearn Academy. Speaker at KubeCon EU & Red Hat Summit 2026.
