
EU Cyber Resilience Act (CRA, 2025–2027)

These upcoming European cybersecurity regulations will reshape how software and digital products are developed, deployed, and maintained across all industries.

The EU Cyber Resilience Act (CRA, 2025–2027) represents one of the most significant cybersecurity regulatory frameworks to emerge from the European Union, targeting digital products and software with comprehensive security requirements. This legislation will fundamentally change how DevSecOps leaders, engineering teams, and technology decision-makers approach software development, security compliance, and supply chain management.

The regulation establishes mandatory cybersecurity requirements for products with digital elements, creating new obligations for manufacturers, distributors, and importers throughout the software supply chain. Understanding this framework becomes critical for US-based enterprises and mid-size businesses that develop software, integrate digital products, or serve European markets.


What is the EU Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act is comprehensive legislation designed to strengthen cybersecurity across the European market by imposing specific security requirements on digital products and software. The act covers products ranging from consumer devices to enterprise software solutions, creating uniform cybersecurity standards across all EU member states.

This regulation operates on the principle that cybersecurity should be built into products from the design phase rather than added as an afterthought. The CRA establishes a framework where manufacturers must demonstrate compliance with cybersecurity requirements before placing products on the European market.

The scope of the CRA extends beyond traditional software applications to include any product with digital elements, such as:

  • Software applications and operating systems
  • IoT devices and smart home products
  • Industrial control systems
  • Cloud services and Software-as-a-Service platforms
  • Mobile applications and web applications
  • Embedded systems and firmware

Who must comply:

  • Software manufacturers and developers selling products in the EU
  • Hardware manufacturers with connected devices or IoT products
  • Cloud service providers serving EU customers
  • Any organization worldwide that distributes software or connected devices in Europe

The EU Cyber Resilience Act is comprehensive cybersecurity legislation that establishes mandatory security requirements for products with digital elements sold in the European Union. It applies regardless of where your company is headquartered—if you sell digital products to EU customers, you must comply. Full compliance is required by 2027, with penalties up to 2.5% of global annual revenue for non-compliance.

Key Regulatory Components

The CRA introduces several regulatory mechanisms that work together to create a comprehensive cybersecurity framework. These components include conformity assessments, CE marking requirements, and ongoing security maintenance obligations.

Conformity assessment procedures vary based on the risk level of the product. Lower-risk products require self-assessment by manufacturers, while higher-risk products need third-party evaluation by notified bodies. This tiered approach allows the regulation to scale appropriately across different product categories.

The CE marking requirement means that products must display the CE conformity marking before being placed on the EU market, similar to existing product safety regulations. This marking indicates that the product meets all applicable EU requirements, including the new cybersecurity standards.

What is a Software Bill of Materials (SBOM) and why is it required for CRA compliance?

An SBOM is a comprehensive inventory listing all software components, libraries, and dependencies in your software product. Under the CRA, SBOMs serve as critical transparency documents for vulnerability management and regulatory compliance.

Key SBOM requirements for CRA:

  • Complete component inventory including all direct and transitive dependencies
  • Vulnerability data and patch status for each component
  • Machine-readable formats (SPDX, CycloneDX) with API access
  • Real-time updates when components change
  • Integration with vulnerability databases and threat intelligence

SBOMs enable rapid incident response and supply chain risk assessment, and they provide the transparency regulators need to verify your security practices.

Timeline and Implementation Phases

The EU Cyber Resilience Act follows a structured implementation timeline spanning from 2025 to 2027, giving organizations time to adapt their processes and products to meet the new requirements.

Phase 1: Initial Framework (2025)

The regulation enters into force with basic framework requirements taking effect. During this phase, organizations should begin assessing their product portfolios and identifying which products fall under CRA scope. This period allows for preparation and initial compliance planning.

Key activities during Phase 1 include:

  • Product portfolio assessment and categorization
  • Gap analysis against new requirements
  • Development of compliance strategies
  • Initial staff training and process updates

Phase 2: Full Implementation (2026–2027)

Complete regulatory requirements become mandatory for all covered products. Organizations must have implemented all necessary security measures, documentation processes, and compliance procedures by this phase.

The full implementation phase requires:

  • Complete conformity assessment procedures
  • CE marking on all applicable products
  • Incident reporting mechanisms
  • Ongoing security update processes

Products and Services Covered by the CRA

The CRA applies to a broad range of products with digital elements, creating obligations for various types of software and hardware solutions. Understanding which products fall under the regulation helps organizations prepare appropriate compliance strategies.

Software Applications

Traditional software applications, whether distributed as downloadable packages or accessed through web interfaces, fall under CRA requirements. This includes desktop applications, mobile apps, and web-based software solutions.

Software developers must implement security-by-design principles, maintain vulnerability management processes, and provide regular security updates throughout the product lifecycle. The regulation requires documentation of security measures and transparent communication about security capabilities.

Connected Devices and IoT Products

Internet-connected devices represent a significant portion of CRA-covered products. These devices often present unique security challenges due to their distributed nature and varying update capabilities.

IoT manufacturers must address specific security requirements including:

  • Secure default configurations
  • Authentication and authorization mechanisms
  • Encrypted communications
  • Remote update capabilities
  • End-of-support transparency

Cloud Services and SaaS Platforms

Cloud-based services and Software-as-a-Service platforms must comply with CRA requirements when serving European customers. This creates new obligations for service providers regarding security documentation, incident reporting, and customer communication.

Cloud service providers need to demonstrate compliance with data protection measures, access controls, and infrastructure security standards. The regulation requires clear communication about security capabilities and limitations to customers.

Core Security Requirements

The CRA establishes specific cybersecurity requirements that products must meet before being placed on the European market. These requirements focus on both technical security measures and organizational processes.

Security by Design and Default

Products must incorporate security measures from the initial design phase rather than adding security features later in development. This principle requires organizations to consider security implications throughout the entire product development lifecycle.

Security by default means that products should be configured securely out of the box without requiring users to enable security features. Default passwords, unnecessary open ports, and insecure default settings violate this principle.

Implementation of security by design includes:

  • Threat modeling during design phases
  • Security requirements integration into product specifications
  • Regular security architecture reviews
  • Secure coding practices and guidelines

Vulnerability Management

Organizations must establish comprehensive vulnerability management processes that include identification, assessment, remediation, and disclosure procedures. The CRA requires ongoing monitoring for security vulnerabilities throughout the product lifecycle.

Vulnerability management processes must include coordinated disclosure procedures, allowing security researchers to report vulnerabilities through established channels. Organizations need to respond to vulnerability reports within specified timeframes and provide updates to affected users.

The regulation requires maintenance of Software Bills of Materials (SBOMs) to track all software components and their associated vulnerabilities. This transparency helps organizations and users understand potential security risks from third-party components.

Incident Response and Reporting

The CRA establishes mandatory incident reporting requirements for actively exploited vulnerabilities and security incidents affecting covered products. Organizations must report qualifying incidents to relevant authorities within 24 hours of becoming aware of the incident.

Incident response capabilities must include:

  • Detection and analysis procedures
  • Impact assessment methodologies
  • Communication protocols for users and authorities
  • Remediation and recovery processes

Compliance and Conformity Assessment

The CRA introduces formal conformity assessment procedures that organizations must complete before placing products on the European market. These procedures vary based on product risk classification and complexity.

Risk-Based Product Classification

Products are classified into different risk categories based on their potential impact on cybersecurity. Higher-risk products require more stringent conformity assessment procedures, including third-party evaluation by notified bodies.

Risk classification considers factors such as:

  • Criticality of functions performed
  • Potential impact of security failures
  • Exposure to network-based attacks
  • Data sensitivity and privacy implications

Self-Assessment Procedures

Lower-risk products may undergo self-assessment procedures where manufacturers evaluate their own compliance with CRA requirements. This process requires thorough documentation of security measures and ongoing compliance monitoring.

Self-assessment includes preparation of technical documentation, implementation of quality management systems, and establishment of post-market surveillance procedures. Organizations must maintain detailed records demonstrating compliance with all applicable requirements.

Third-Party Assessment

Higher-risk products require evaluation by accredited third-party organizations known as notified bodies. These assessments provide independent verification of compliance with CRA security requirements.

Third-party assessment involves comprehensive review of technical documentation, security testing results, and organizational processes. The assessment culminates in issuance of conformity certificates that allow products to bear CE markings.

Impact on DevSecOps and Software Development

The CRA significantly impacts how DevSecOps teams approach software development, requiring integration of compliance considerations into existing development workflows and security practices.

Development Lifecycle Integration

Security requirements must be integrated throughout the software development lifecycle, from initial requirements gathering through deployment and maintenance. This integration requires updates to existing development processes and tooling.

DevSecOps teams need to implement automated security testing, vulnerability scanning, and compliance checking within continuous integration and deployment pipelines. These tools must generate documentation and evidence required for conformity assessment procedures.

The regulation drives adoption of security-focused development practices including:

  • Automated security testing integration
  • Static and dynamic code analysis
  • Container and infrastructure scanning
  • Supply chain security verification
  • Continuous compliance monitoring

Documentation and Evidence Generation

Compliance with the CRA requires extensive documentation of security measures, testing results, and organizational processes. DevSecOps teams must implement systems to automatically generate and maintain this documentation.

Required documentation includes technical specifications, risk assessments, testing reports, and incident response procedures. This documentation must be maintained throughout the product lifecycle and made available during conformity assessments.

Supply Chain Security Management

The CRA places increased emphasis on software supply chain security, requiring organizations to understand and manage risks from third-party components and dependencies. This requirement drives adoption of supply chain security tools and processes.

Supply chain management must include component inventory tracking, vulnerability monitoring, and license compliance verification. Organizations need visibility into all software components used in their products and the ability to quickly respond to newly discovered vulnerabilities.
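The SBOM requirements listed earlier (complete transitive inventory, machine-readable format, per-component vulnerability status) and the component inventory, vulnerability monitoring and license checks described in this section can be exercised against a CycloneDX document. The following is an added example, not Kusari's code or any project's: it walks a constructed CycloneDX 1.5 SBOM from its root component, flags dependencies that the graph references but the inventory never declares, components lacking a purl or version, components matching a constructed vulnerability feed (placeholder identifiers, not real CVEs), and licenses outside an assumed allowlist.

```python
"""CRA-style review of a CycloneDX SBOM: complete transitive inventory, purl and
version per component, vulnerability status per component, acceptable licence."""
import json
from collections import deque

# Constructed CycloneDX 1.5 document for a fictional product; package names are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:npm/acme-portal@3.1.0",
                               "name": "acme-portal", "version": "3.1.0"}},
    "components": [
        {"bom-ref": "pkg:npm/acme-http@1.4.2", "name": "acme-http", "version": "1.4.2",
         "purl": "pkg:npm/acme-http@1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/acme-json@0.9.0", "name": "acme-json", "version": "0.9.0",
         "purl": "pkg:npm/acme-json@0.9.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        # Declared without a purl or licence: it cannot be matched to any feed.
        {"bom-ref": "pkg:npm/acme-log@2.0.1", "name": "acme-log", "version": "2.0.1"},
    ],
    "dependencies": [
        {"ref": "pkg:npm/acme-portal@3.1.0", "dependsOn": ["pkg:npm/acme-http@1.4.2"]},
        {"ref": "pkg:npm/acme-http@1.4.2",
         "dependsOn": ["pkg:npm/acme-json@0.9.0", "pkg:npm/acme-log@2.0.1"]},
        # acme-base64 is referenced here but never declared as a component.
        {"ref": "pkg:npm/acme-json@0.9.0", "dependsOn": ["pkg:npm/acme-base64@1.0.0"]},
    ],
})

# Constructed vulnerability feed keyed by purl; the identifier is a placeholder, not a CVE.
VULN_FEED = {
    "pkg:npm/acme-json@0.9.0": [
        {"id": "VULN-EXAMPLE-0001", "severity": "high", "fixed_in": "0.9.1"},
    ],
}

# Assumed organisational allowlist of SPDX licence identifiers.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def component_index(sbom):
    """Map bom-ref to component for the root and every declared component."""
    index = {c["bom-ref"]: c for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    index[root["bom-ref"]] = root
    return index


def reachable_refs(sbom):
    """Breadth-first walk of the dependency graph from the root, so transitive
    dependencies are included and a cycle does not loop forever."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = set(), deque([sbom["metadata"]["component"]["bom-ref"]])
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(edges.get(ref, []))
    return seen


def assess_sbom(sbom_json, vuln_feed=VULN_FEED, allowed=ALLOWED_LICENSES):
    """Return the findings a CRA-oriented SBOM review raises for this document."""
    sbom = json.loads(sbom_json)
    index = component_index(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    findings = {"undeclared": [], "incomplete": [], "vulnerable": [], "license": []}
    for ref in sorted(reachable_refs(sbom)):
        comp = index.get(ref)
        if comp is None:
            findings["undeclared"].append(ref)  # the graph ships it, the inventory omits it
            continue
        if ref == root:
            continue
        if not comp.get("purl") or not comp.get("version"):
            findings["incomplete"].append(ref)  # no stable identifier to match against a feed
        ids = {lic["license"].get("id") for lic in comp.get("licenses", []) if "license" in lic}
        if not ids & allowed:
            findings["license"].append(ref)
        for vuln in vuln_feed.get(comp.get("purl"), []):
            findings["vulnerable"].append({"ref": ref, **vuln})
    # Licence findings are a policy matter; the three inventory checks gate the release.
    findings["release_ok"] = not (
        findings["undeclared"] or findings["incomplete"] or findings["vulnerable"])
    return findings
```

Run `assess_sbom(SAMPLE_SBOM)` to see the four finding lists; an SBOM produced by a real build tool is checked the same way by passing its JSON text in place of the constructed sample.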

Enforcement and Penalties

The CRA includes significant enforcement mechanisms and financial penalties for non-compliance, making adherence to the regulation a business-critical requirement for organizations serving European markets.

Market Surveillance Activities

European market surveillance authorities have broad powers to monitor compliance, conduct inspections, and take enforcement actions against non-compliant products. These authorities can require product recalls, impose sales restrictions, and levy substantial fines.

Market surveillance includes both routine monitoring and reactive investigations based on reported incidents or security vulnerabilities. Authorities may conduct on-site inspections, request documentation, and perform independent security testing of products.

Financial Penalties

The CRA establishes substantial financial penalties for various types of non-compliance, with fines potentially reaching millions of euros or significant percentages of annual turnover. These penalties create strong incentives for compliance.

Penalty amounts vary based on the severity and nature of violations:

  • Administrative violations: Up to €2.5 million or 1% of annual turnover
  • Security requirement violations: Up to €10 million or 2.5% of annual turnover
  • Major compliance failures: Up to €15 million or 2.5% of annual turnover

Preparing for CRA Compliance

Organizations need to begin preparing for CRA compliance well before the regulation takes full effect. Early preparation allows for gradual implementation of necessary changes and reduces compliance costs and risks.

Assessment and Planning

The first step involves comprehensive assessment of existing products and processes against CRA requirements. This assessment identifies gaps, estimates compliance costs, and prioritizes necessary changes based on business impact and regulatory deadlines.

Planning activities should include resource allocation, timeline development, and integration with existing compliance programs. Organizations may need to invest in new tools, training, and personnel to meet CRA requirements effectively.

Process and Tool Implementation

CRA compliance requires implementation of new processes and tools for security testing, documentation generation, and ongoing monitoring. These implementations should integrate with existing development and security workflows where possible.

Tool selection should prioritize solutions that provide automated compliance checking, evidence generation, and reporting capabilities. Integration with existing DevSecOps toolchains reduces implementation complexity and ongoing maintenance costs.

Training and Capability Building

Team members across development, security, and compliance functions need training on CRA requirements and implementation approaches. This training should cover both regulatory requirements and practical implementation techniques.

Capability building may require hiring additional personnel with cybersecurity and regulatory compliance expertise. Organizations should plan for these resource needs early in their compliance preparation efforts.

Essential SDLC preparations

CRA compliance requires "security-by-design" integration throughout your entire SDLC, not just bolt-on security measures.

  • Secure development practices: Implement automated security scanning (SAST, DAST, SCA) in CI/CD pipelines
  • Policy enforcement: Use binary authorization to ensure only compliant, signed artifacts reach production
  • Continuous monitoring: Deploy real-time vulnerability scanning and incident response capabilities
  • Documentation and audit trails: Maintain comprehensive records of security decisions and compliance activities
  • Cross-functional governance: Align development, security, legal, and compliance teams around shared responsibilities

Understanding CRA's Long-term Impact on Cybersecurity

The EU Cyber Resilience Act represents a fundamental shift in how cybersecurity regulations approach product security, moving beyond organizational requirements to establish mandatory security standards for digital products themselves. This regulatory framework will influence cybersecurity practices globally as organizations adapt their development processes to meet European market requirements.

For DevSecOps leaders and technology decision-makers, the CRA creates both challenges and opportunities. Organizations that proactively embrace these security requirements can differentiate their products in the market while building more resilient and secure software solutions. The regulation's emphasis on security by design and supply chain transparency aligns with industry best practices and emerging security frameworks.

The long-term impact extends beyond compliance, driving innovation in security tooling, automated testing, and supply chain management. Organizations that view CRA compliance as an opportunity to strengthen their overall security posture will be better positioned to compete in an increasingly security-conscious market. The regulation's focus on transparency and user communication also creates new opportunities for organizations to build trust with customers through clear security communications.

As the EU Cyber Resilience Act (CRA, 2025–2027) moves toward full implementation, organizations need comprehensive strategies for managing compliance while maintaining development velocity and innovation capabilities. The integration of security requirements into DevSecOps workflows requires careful planning, appropriate tooling, and ongoing commitment to security excellence across the entire product development lifecycle.

Ready to strengthen your software supply chain security and prepare for CRA compliance? Schedule a learning session with Kusari to discover how our platform can help your DevSecOps team implement comprehensive supply chain security management, automated vulnerability tracking, and compliance documentation generation to meet the upcoming EU Cyber Resilience Act requirements.

Most Asked Questions About EU Cyber Resilience Act (CRA, 2025–2027)

What products are covered by the EU Cyber Resilience Act?

The EU Cyber Resilience Act covers products with digital elements, including software applications, IoT devices, industrial control systems, cloud services, mobile applications, and embedded systems. Any product that connects to networks or processes digital data falls under the regulation's scope. The act applies to both hardware devices with software components and standalone software products distributed in the European market.

Coverage extends to Software-as-a-Service platforms, web applications, operating systems, and firmware. Consumer electronics, smart home devices, and automotive systems with digital connectivity also fall under CRA requirements. The regulation creates obligations for manufacturers, distributors, and service providers regardless of their geographic location when serving European customers.

When does the EU Cyber Resilience Act take effect?

The EU Cyber Resilience Act (CRA, 2025–2027) follows a phased implementation timeline beginning in 2025 with full requirements taking effect by 2027. The initial framework becomes active in 2025, giving organizations time to assess their products and begin compliance preparations. Complete regulatory requirements become mandatory for all covered products during the 2026–2027 timeframe.

Organizations should begin preparation activities immediately to meet the implementation deadlines. The phased approach allows for gradual adoption of new security requirements and processes. Early preparation reduces compliance costs and minimizes business disruption during the transition period.

What are the main security requirements of the CRA?

The EU Cyber Resilience Act establishes core security requirements including security by design and default, vulnerability management, and incident response capabilities. Products must incorporate security measures from the initial design phase and maintain secure default configurations. Organizations must implement comprehensive vulnerability management processes with coordinated disclosure procedures.

Additional requirements include maintenance of Software Bills of Materials, mandatory incident reporting within 24 hours, and ongoing security update processes. The regulation requires technical documentation, risk assessments, and quality management systems. Products must undergo conformity assessment procedures before placement on the European market.

How does the CRA affect software development practices?

The EU Cyber Resilience Act significantly impacts software development by requiring integration of security considerations throughout the development lifecycle. DevSecOps teams must implement automated security testing, vulnerability scanning, and compliance checking within CI/CD pipelines. Development processes need updates to generate required documentation and evidence for conformity assessments.

The regulation drives adoption of security-focused development practices including static and dynamic code analysis, container scanning, and supply chain security verification. Teams must implement continuous compliance monitoring and maintain detailed records of security measures and testing results throughout the product lifecycle.

What are the penalties for CRA non-compliance?

The EU Cyber Resilience Act establishes substantial financial penalties for non-compliance, with fines potentially reaching €15 million or 2.5% of annual global turnover for major violations. Administrative violations can result in penalties up to €2.5 million or 1% of turnover. Security requirement violations may incur fines up to €10 million or 2.5% of annual turnover.

Enforcement includes market surveillance activities, with authorities empowered to conduct inspections, require product recalls, and impose sales restrictions. European authorities can perform independent security testing and request comprehensive documentation during compliance investigations.

How should organizations prepare for CRA compliance?

Organizations should begin EU Cyber Resilience Act preparation with comprehensive assessment of existing products and processes against regulatory requirements. This assessment identifies compliance gaps, estimates implementation costs, and prioritizes necessary changes based on business impact. Early preparation allows for gradual implementation of required security measures and processes.

Preparation activities include implementing new security testing tools, updating development processes, and training team members on regulatory requirements. Organizations may need to invest in additional personnel with cybersecurity and compliance expertise. Integration with existing DevSecOps workflows reduces implementation complexity and ongoing maintenance costs.

Does the CRA apply to US companies?

The EU Cyber Resilience Act applies to US companies that place products with digital elements on the European market, regardless of where the company is located. Any organization that manufactures, imports, or distributes covered products to European customers must comply with CRA requirements. This extraterritorial application affects many US-based software companies and technology organizations.

US companies serving European markets need to implement the same security requirements, documentation processes, and conformity assessment procedures as European organizations. The regulation creates compliance obligations for cloud service providers, software vendors, and IoT manufacturers regardless of their geographic headquarters location.

What is the difference between the CRA and other cybersecurity regulations?

The EU Cyber Resilience Act differs from other cybersecurity regulations by focusing specifically on product security requirements rather than organizational security practices. While regulations like GDPR address data protection and NIS2 covers critical infrastructure operators, the CRA establishes mandatory security standards for digital products themselves.

The CRA creates product-specific obligations including conformity assessments, CE marking requirements, and ongoing security maintenance responsibilities. This regulation complements existing cybersecurity frameworks by addressing security at the product level rather than focusing solely on organizational cybersecurity practices and incident response capabilities.

How does the CRA impact software supply chain security?

The EU Cyber Resilience Act significantly strengthens software supply chain security requirements by mandating comprehensive component tracking and vulnerability management. Organizations must maintain Software Bills of Materials documenting all third-party components and their associated security risks. The regulation requires ongoing monitoring of supply chain vulnerabilities and rapid response to newly discovered threats.

Supply chain obligations include component inventory tracking, license compliance verification, and coordinated vulnerability disclosure processes. Organizations need visibility into all software dependencies and the ability to quickly patch or replace vulnerable components. These requirements drive adoption of supply chain security tools and more rigorous vendor management practices.
