What the Cyber Resilience Act is
The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is the first EU law imposing horizontal cybersecurity requirements on products with digital elements: connected hardware and software placed on the EU market, from routers and smart devices to operating systems and desktop applications. It entered into force on 10 December 2024 and applies in two waves: the Article 14 reporting obligations from 11 September 2026, and the main obligations from 11 December 2027. Compliance becomes a condition of the CE marking: a product that does not conform cannot lawfully be placed on the EU market.
The verified timeline
| Date | What applies |
|---|---|
| 10 December 2024 | Entry into force |
| 11 September 2026 | Article 14 reporting: actively exploited vulnerabilities and severe incidents must be notified — including for products already on the market |
| 11 December 2027 | Full application: essential requirements, conformity assessment, market surveillance |
Products placed on the market before 11 December 2027 are not retroactively subject to the main requirements (unless substantially modified) — but the Article 14 reporting duty from September 2026 applies to them regardless.
The notification ladder (Article 14)
From 11 September 2026, a manufacturer that becomes aware of an actively exploited vulnerability in a product it has placed on the market, or of a severe incident affecting that product's security, must notify the CSIRT designated as coordinator in its Member State and ENISA, through the single reporting platform the CRA establishes:
- Early warning within 24 hours of becoming aware, stating at least that the vulnerability is exploited (or that an incident occurred) and, where known, which Member States are affected;
- Vulnerability or incident notification within 72 hours, with general information on the product, the nature of the exploit or incident, an initial severity and impact assessment and any corrective or mitigating measures already taken;
- Final report: within 14 days after a corrective or mitigating measure is available (actively exploited vulnerability), or within one month after the 72-hour notification (severe incident).
The pattern will look familiar to anyone tracking NIS2, which uses the same 24-hour/72-hour/one-month ladder, or GDPR, whose 72-hour breach notification follows the same logic. The practical consequence is the same too: the clock starts at awareness, so you need a documented, rehearsed process, with named roles and a pre-approved notification template, before the first event rather than during it.
Who is in scope — and the SaaS nuance
The CRA targets manufacturers of products with digital elements made available on the EU market (plus importers and distributors), wherever the manufacturer is based. Pure SaaS is generally not covered (cloud services fall under NIS2), except where a remote data-processing solution is part of the product because the product could not perform its functions without it. The conformity regime is proportionate to risk: a default category that the manufacturer self-assesses, and *important* (Annex III, e.g. identity management systems, browsers, password managers, firewalls) and *critical* (Annex IV, e.g. smart meter gateways, smartcards and secure elements) categories subject to stricter conformity assessment, including third-party assessment for the higher classes. Free and open-source software developed or supplied outside a commercial activity is out of scope altogether; organisations that systematically support such software as "open-source software stewards" have a light-touch regime of their own.
The essential requirements, in practice
The Annex I essential requirements read like a secure-development policy: secure-by-default configuration, no known exploitable vulnerabilities at release, a minimised attack surface, protection of confidentiality and integrity, vulnerability handling with coordinated disclosure, free security updates for the product's support period (which must reflect the expected time in use and be at least five years unless the product is expected to be used for less), and technical documentation demonstrating all of it. For a software publisher, the deliverables are concrete: a secure development policy, a software bill of materials covering at least the top-level dependencies (Annex I, Part II), a vulnerability management and coordinated disclosure process, a published support-period commitment, and the incident notification runbook above. Sanctions reach €15 million or 2.5% of worldwide annual turnover, whichever is higher, for breaches of the essential requirements and of the Article 13 and 14 obligations.
What to do before September 2026
- Qualify your products: which of your offerings are products with digital elements placed on the EU market, and in which category?
- Stand up the Article 14 runbook now — the 24-hour clock starts at awareness, and it applies to products already sold.
- Document secure development and vulnerability handling — they are both an essential requirement and your best evidence.
- Track ANSSI’s guidance: the French authority publishes CRA resources on cyber.gouv.fr.
Primary sources
- Regulation (EU) 2024/2847 (CRA) — full text on EUR-Lex (eur-lex.europa.eu/eli/reg/2024/2847/oj).
- ANSSI — Cyber Resilience Act (cyber.gouv.fr).
- European Commission — Cyber Resilience Act (digital-strategy.ec.europa.eu).
How PolicyForge helps
PolicyForge generates the CRA’s documentary backbone — secure development, vulnerability management with disclosure, incident response with the 24h/72h ladder, supplier security — bilingual, versioned and approved. Start free →