Cyber Resilience Act FAQ: 30 Essential Questions Answered

A practical Cyber Resilience Act FAQ for manufacturers, IoT vendors and software teams. This guide answers the most common CRA questions about scope, obligations, deadlines, documentation, SBOM and conformity assessment.

This Cyber Resilience Act FAQ explains how the EU Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements placed on the European market. For many manufacturers, IoT vendors and software teams, the first challenge is not the technical detail but simply understanding what the CRA actually requires and how it affects their products.

This Cyber Resilience Act FAQ collects the questions that product, engineering, security and compliance teams ask most often. It is designed as a practical reference that you can share internally to align stakeholders on CRA scope, obligations, timelines and documentation expectations.

For official background information, you can refer to the European Commission Cyber Resilience Act page and guidance from ENISA, the EU Agency for Cybersecurity.

[Infographic: key Cyber Resilience Act FAQ topics such as scope, obligations, security requirements and documentation]
The most common CRA questions revolve around scope, obligations, security requirements and documentation.

Cyber Resilience Act FAQ: General Questions

1.1 What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that establishes essential cybersecurity requirements for products with digital elements. It applies to hardware and software that include digital components and are placed on the EU market. The CRA requires manufacturers to design, develop and support products in a secure way throughout their lifecycle, and to document security measures, vulnerabilities and updates.

1.2 Why did the EU introduce the CRA?

The CRA was introduced to address the growing number of vulnerabilities and cyber incidents caused by insecure products. Until now, many connected devices and software products reached the market without systematic security controls or support obligations. The CRA aims to create a more consistent baseline of cybersecurity across the EU and to reduce the impact of cyberattacks that exploit insecure digital products.

1.3 Who needs to comply with the Cyber Resilience Act?

Any organization that manufactures, imports or distributes products with digital elements in the EU may need to comply with the CRA. This includes EU companies and non-EU manufacturers whose products are sold into the European market through importers, distributors or online channels. In most cases, the primary responsibility lies with the manufacturer.

1.4 When does the Cyber Resilience Act apply?

The CRA is already in force, but its obligations apply in stages: most of them become fully applicable only after a transition period. Security incident and vulnerability reporting obligations begin earlier, and the full product compliance obligations apply around late 2027. From a practical standpoint, this Cyber Resilience Act FAQ assumes that manufacturers treat the period until 2027 as a fixed implementation window for CRA compliance.

1.5 What happens if we do not comply with the CRA?

Non-compliance with the Cyber Resilience Act can lead to several consequences: your product may be prevented from being placed on the EU market, authorities may order corrective actions or withdrawals, and financial penalties can be imposed. In serious cases, fines can reach a significant percentage of the company’s worldwide annual turnover. Beyond fines, lack of CRA compliance can affect customer trust and procurement decisions.


Cyber Resilience Act FAQ on Scope and Applicability

2.1 What is a “product with digital elements” under the CRA?

A product with digital elements is any product that contains software, firmware or other programmable components and whose use involves direct or indirect connection to a device or network. This can include everything from consumer IoT devices and industrial sensors to operating systems, security products and software tools that connect to a network at any point in their lifecycle.

2.2 How do we know if the CRA applies to our product?

You need to perform a CRA scope and applicability assessment. This usually involves checking whether your product:

  • Contains software or firmware
  • Connects directly or indirectly to a network
  • Processes, stores or transmits digital data
  • Is placed on the EU market

If these conditions are met and no sector-specific exclusion applies, the Cyber Resilience Act likely applies. For a deeper walkthrough beyond this Cyber Resilience Act FAQ, see our dedicated guide Cyber Resilience Act Applicability: Does the CRA Apply to Your Product?

2.3 Are IoT and smart home products covered by the CRA?

Yes. IoT and smart home products are some of the most clearly in-scope categories under the CRA. If your device connects to the internet, a home network or a gateway, and includes firmware or software, you should assume that the Cyber Resilience Act applies.

2.4 Are industrial and OT devices in scope?

Most industrial IoT and operational technology devices that include digital components and connectivity will fall under CRA scope. This includes gateways, controllers, industrial sensors and embedded systems used in factories, energy, manufacturing and other sectors. In some cases, sectoral regulations and standards must be considered in parallel.

2.5 Does the CRA apply to pure SaaS products?

Generally, pure SaaS is considered a service, not a product with digital elements. A cloud-only SaaS platform with no installed agents or firmware usually sits outside direct CRA scope. However, the situation changes if the SaaS:

  • Includes installable agents or client software
  • Controls or configures hardware devices in the field
  • Delivers firmware or software updates as part of a product

In those cases, SaaS components can be considered part of the overall product with digital elements. The safest approach, as this Cyber Resilience Act FAQ emphasises, is to assess the entire technical solution, not just the cloud interface.

2.6 Which products are excluded from CRA scope?

Some categories are excluded because they are already covered by sector-specific EU regulations. These typically include medical devices regulated by MDR or IVDR, automotive systems under vehicle type approval frameworks, aviation systems, certain marine equipment and products developed strictly for defence or national security purposes. For more detail beyond this FAQ, see our article CRA Scope: What Products Are In and Out.


Cyber Resilience Act FAQ on Obligations and Roles

3.1 What are the main CRA obligations for manufacturers?

Manufacturers have the most extensive obligations under the Cyber Resilience Act. They must:

  • Design and develop products using secure-by-design and secure-by-default principles
  • Ensure products are placed on the market without known exploitable vulnerabilities
  • Perform cybersecurity risk assessments
  • Implement technical and organizational measures aligned with CRA security requirements
  • Maintain technical documentation and an EU Declaration of Conformity
  • Operate a vulnerability handling and update process throughout the product lifecycle
  • Provide security-related information and instructions to users

3.2 What obligations do importers have?

Importers must verify that products manufactured outside the EU comply with the CRA before placing them on the EU market. This includes checking that the manufacturer has carried out the relevant conformity assessment, drawn up documentation, applied the CE marking and provided required instructions and information. If an importer places a product on the market under its own name or brand, it may be treated as a manufacturer for CRA purposes.

3.3 What obligations do distributors have?

Distributors must act with due care to ensure that only CRA-compliant products reach the market. They must check that products carry the proper CE marking, that required documentation and instructions are available, and that there are no obvious signs of non-compliance or manipulation. If a distributor makes substantial modifications to a product, they may also be considered a manufacturer under the CRA.

3.4 Does open source software change CRA obligations?

Using open source software does not exempt a commercial product from CRA requirements. If you integrate open source components into a product with digital elements that you place on the EU market, you are still responsible for ensuring compliance, including vulnerability management and SBOM. Some purely community-driven open source projects without commercial activity are outside direct CRA obligations, but once integrated in a commercial product with digital elements (PDE), they become part of the manufacturer’s responsibility.


Cyber Resilience Act FAQ on Security Requirements

4.1 What are the core CRA security requirements?

The Cyber Resilience Act defines essential security requirements for products with digital elements. At a high level, products must provide an appropriate level of cybersecurity based on risk, support security by design and by default, protect confidentiality, integrity and availability, limit unnecessary data processing and include mechanisms such as access control, secure updates, vulnerability handling, logging and monitoring.

4.2 Does the CRA require secure by design development?

Yes. Secure-by-design and secure-by-default principles are at the centre of CRA security requirements. This means that security must be built into the design and development process, not added as an afterthought. Default configurations should be secure out of the box, and security features should be enabled rather than optional.

4.3 How does CRA affect vulnerability handling?

Manufacturers must maintain a structured vulnerability handling process. This includes identifying and assessing vulnerabilities, releasing security updates without undue delay, testing patches, publishing information about resolved vulnerabilities and providing a clear contact channel for vulnerability reports. The CRA also expects a Coordinated Vulnerability Disclosure policy.

For a deeper breakdown, see our dedicated article CRA Vulnerability Handling Requirements.

4.4 Does the CRA require an SBOM?

Yes. The Cyber Resilience Act explicitly expects manufacturers to maintain an inventory of software components and dependencies for their products. This is typically implemented as a Software Bill of Materials (SBOM). The SBOM enables traceability, vulnerability correlation and structured documentation of third-party and open source components.

If you need a deep dive into CRA SBOM expectations, see CRA SBOM Requirements: Complete Guide.

4.5 Do we need logging and monitoring to comply with the CRA?

Yes. Products must support logging and monitoring of security-relevant events, such as authentication attempts, configuration changes and detected anomalies. These logs must help detect misuse, attacks and failures. In many cases, logging must be designed to support post-market monitoring and incident investigation in line with CRA and other EU regulations.


Cyber Resilience Act FAQ on Documentation and Evidence

5.1 What documentation do we need for CRA compliance?

Manufacturers must create and maintain technical documentation that demonstrates compliance with CRA requirements. This normally includes:

  • Product description and architecture
  • Cybersecurity risk assessment
  • Description of security controls and design decisions
  • SBOM and component overview
  • Testing and validation evidence
  • Vulnerability handling and update procedures
  • Support and end-of-life policy for security updates

For a structured view, see our article Cyber Resilience Act Technical Documentation: Complete Guide.

5.2 What is the EU Declaration of Conformity under the CRA?

The EU Declaration of Conformity is a formal document in which the manufacturer declares that the product meets the relevant CRA requirements and any applicable harmonised standards. It must reference the Cyber Resilience Act and other applicable EU legislation, and it becomes part of the documentation that authorities or notified bodies may request.

5.3 Do we need user-facing security information?

Yes. CRA compliance requires not only internal documentation but also clear information and instructions for users. This includes safe configuration guidance, information on security features, known limitations, support periods and how to receive updates or report issues. Poor or missing security instructions can be considered a non-compliance.


Cyber Resilience Act FAQ on Conformity Assessment and Deadlines

6.1 How are products assessed for CRA conformity?

The conformity assessment route depends on the product category and risk level. Many default-category products can follow an internal control procedure based on self-assessment and harmonised standards. Important and critical products, especially those listed in the CRA annexes, may require involvement of a notified body that reviews documentation, design and testing.

6.2 What are the key CRA deadlines?

The main milestones include:

  • Earlier dates for obligations such as vulnerability and incident reporting
  • Full product compliance obligations becoming enforceable around late 2027, after the transition period ends

You should treat the period between now and 2027 as the implementation window for Cyber Resilience Act compliance projects. A dedicated article on CRA deadlines and the transition period can help you plan your roadmap.

6.3 How does CRA interact with NIS2 and other regulations?

The CRA focuses on product cybersecurity. NIS2 focuses on the security of networks and information systems of essential and important entities. In practice, many organizations will need to comply with both: CRA for their products, NIS2 for their operational environment. In regulated sectors, additional frameworks such as DORA, MDR or automotive rules may also apply in parallel.


Cyber Resilience Act FAQ: Getting Started With Compliance

7.1 What is the first step to start CRA compliance?

The first step is to build a clear inventory of your products with digital elements and perform a CRA scope and applicability assessment for each. Without this, it is impossible to prioritise work or understand which teams and products are truly affected. From there, you can move on to classification, risk assessment, security controls and documentation.

[Timeline graphic: the first steps to start Cyber Resilience Act compliance, from inventory and scope to documentation and roadmap]
A clear sequence of steps helps organizations start Cyber Resilience Act compliance with structure and focus.

7.2 How can we assess our CRA readiness quickly?

A structured checklist is often the most efficient way to identify gaps. Regulus provides a CRA Readiness Checklist that helps you review product scope, roles, security requirements, documentation and lifecycle obligations. It is a practical starting point for internal discussions between engineering, product and compliance.

7.3 How does Regulus help with CRA compliance?

Regulus is building a platform focused on CRA applicability, classification, requirements mapping and documentation workflows. Instead of relying on spreadsheets and scattered documents, the goal is to give manufacturers, IoT vendors and embedded teams a structured way to evaluate CRA scope, generate requirement matrices, organise documentation and plan their compliance roadmap for 2025 to 2027.

If you want to follow the evolution of the platform and access CRA tools early, you can join the Regulus Early Access program.
