<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulus</title>
	<atom:link href="https://goregulus.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://goregulus.com/</link>
	<description>Regulus provides compliance tools for EU cybersecurity regulations, helping manufacturers, IoT vendors and digital product teams meet Cyber Resilience Act requirements.</description>
	<lastBuildDate>Mon, 13 Jul 2026 16:37:43 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://goregulus.com/wp-content/uploads/2026/01/cropped-favicon-32x32.png</url>
	<title>Regulus</title>
	<link>https://goregulus.com/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>CRA vs RED Cybersecurity Requirements: A Clear Comparison for 2026</title>
		<link>https://goregulus.com/cra-basics/cra-vs-red-cybersecurity-requirements/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 13 Jul 2026 16:37:26 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA vs RED Cybersecurity]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[Cybersecurity Compliance]]></category>
		<category><![CDATA[EU IoT Compliance]]></category>
		<category><![CDATA[Radio Equipment Directive]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2238</guid>

					<description><![CDATA[<p>For manufacturers of connected devices, figuring out how the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) fit together is now a critical task. The core difference is one of scope. RED’s cybersecurity rules are specific to radio equipment, while the CRA casts a much wider net, covering nearly all products with digital [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-vs-red-cybersecurity-requirements/">CRA vs RED Cybersecurity Requirements: A Clear Comparison for 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>For manufacturers of connected devices, figuring out how the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) fit together is now a critical task. The core difference is one of scope. RED’s cybersecurity rules are specific to radio equipment, while the CRA casts a much wider net, covering nearly all products with digital elements. This creates a significant overlap that demands a unified compliance strategy.</p>



<h2 class="wp-block-heading">Comparing CRA and RED High-Level Requirements</h2>



<p>For businesses placing products on the EU market, navigating the cybersecurity requirements of the CRA versus RED can feel like untangling a complex web. The Radio Equipment Directive has long governed radio-enabled products, but the Cyber Resilience Act introduces a broader, more demanding security framework that now sits alongside it.</p>



<p>Understanding how they interact is the first step toward building a compliant product strategy that won’t get you into trouble with market surveillance authorities.</p>



<p>The RED’s cybersecurity articles—specifically <strong>3.3(d)</strong>, <strong>(e)</strong>, and <strong>(f)</strong>—are focused on a narrow set of risks associated with radio devices. These articles zero in on preventing network harm, protecting personal data and privacy, and ensuring safeguards against monetary fraud. For instance, this means a Bluetooth speaker must not be designed in a way that could bring down a home Wi-Fi network.</p>



<p>In stark contrast, the CRA establishes a horizontal framework covering the entire lifecycle of any <strong>product with digital elements (PDE)</strong>. It mandates a secure-by-design approach, ongoing vulnerability management, and transparent reporting, regardless of whether the product uses radio waves. A practical example here would be a children&#8217;s toy with a simple LCD screen and a button; even without connectivity, its firmware falls under the CRA&#8217;s security requirements.</p>



<h3 class="wp-block-heading">Key Differences at a Glance</h3>



<p>The main distinction boils down to their primary focus and the breadth of their applicability. While RED is vertical and targeted, the CRA is horizontal and all-encompassing.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The simplest way to look at it is this: RED is concerned with the <em>risks created by a product&#8217;s radio connectivity</em>, while the CRA is concerned with the <em>overall cybersecurity resilience of the product itself</em>. This means many modern devices will need to comply with both.</p>
</blockquote>



<p>This breakdown offers a clearer comparison of the CRA vs RED cybersecurity requirements:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Criterion</th><th>Radio Equipment Directive (RED)</th><th>Cyber Resilience Act (CRA)</th></tr><tr><td><strong>Primary Focus</strong></td><td>Securing radio equipment to protect networks, personal data, and prevent fraud.</td><td>Ensuring cybersecurity for all products with digital elements across their entire lifecycle.</td></tr><tr><td><strong>Product Scope</strong></td><td>&#8220;Radio equipment&#8221;—products that intentionally transmit or receive radio waves.</td><td>&#8220;Products with digital elements&#8221;—any software or hardware product and its remote data processing solutions.</td></tr><tr><td><strong>Lifecycle Stage</strong></td><td>Primarily focused on requirements at the point of being placed on the market.</td><td>Covers the entire lifecycle from design and development to post-market support and end-of-life.</td></tr><tr><td><strong>Security Approach</strong></td><td>Addresses specific, defined cybersecurity objectives (Articles <strong>3.3 d, e, f</strong>).</td><td>Mandates a holistic, secure-by-design and by-default approach with continuous vulnerability handling.</td></tr></tbody></table></figure>



<p>A practical example makes this crystal clear. A new smart watch uses Bluetooth, so its radio module falls directly under RED&#8217;s jurisdiction. This means the manufacturer must ensure the Bluetooth connection doesn&#8217;t disrupt other devices and that personal data transmitted over it is protected.</p>



<p>However, its operating system, the companion mobile app, and how it handles user health data are all governed by the CRA&#8217;s extensive security and reporting obligations. For example, under the CRA, the manufacturer must ensure the watch ships with a secure default configuration (no &#8220;1234&#8221; PIN), has a process for delivering security updates, and provides a Software Bill of Materials (SBOM) for its app. Manufacturers must therefore prepare for both regulatory frameworks simultaneously to ensure complete and undisputed market access.</p>



<h2 class="wp-block-heading">Defining Product Scope and Applicability</h2>



<p>Figuring out which regulation applies to your product is the first hurdle in securing EU market access. The line between the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) comes down to a product’s core function and its digital components, so a detailed scope analysis isn&#8217;t just a good idea—it&#8217;s essential.</p>



<p>The RED’s cybersecurity articles are aimed at a very specific category: <strong>‘radio equipment’</strong>. This means any product that intentionally sends or receives radio waves for communication or radiodetermination. If your device uses Wi-Fi, Bluetooth, 5G, or any other radio technology, it’s in the RED’s crosshairs. A practical example is a wireless microphone system; its sole purpose involves radio waves, placing it squarely under RED.</p>



<p>In contrast, the CRA’s net is cast far wider. It covers all <strong>‘products with digital elements’ (PDEs)</strong>, which is almost any piece of hardware or software that can process data, unless another law specifically carves it out. For instance, a USB stick with encryption software is a PDE and falls under the CRA, even though it has no radio components. You can get into the finer details of what counts as a PDE in our deep-dive on <a href="https://goregulus.com/cra-basics/cyber-resilience-act-applicability/">CRA applicability</a>.</p>



<h3 class="wp-block-heading">Differentiating RED and CRA Applicability</h3>



<p>The fundamental difference is straightforward: the RED is vertical, targeting radio-specific risks. The CRA is horizontal, setting a baseline for the general cybersecurity of all digital products. This immediately creates an overlap where a huge number of modern connected products must comply with both.</p>



<p>For manufacturers, the clock is ticking. The RED Delegated Act (RED-DA) becomes mandatory on <strong>1 August 2025</strong>, forcing all new radio equipment to meet Articles 3.3(d) for network protection, 3.3(e) for personal data privacy, and 3.3(f) for fraud prevention. This single deadline affects over <strong>80%</strong> of connected products sold in the EU. Missing it means an immediate market lockout.</p>



<p>This simple decision tree clarifies how to determine if the CRA or RED applies based on a product&#8217;s digital makeup.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-vs-red-cybersecurity-requirements-digital-flowchart.jpg" alt="Flowchart showing digital product classification: a product with no digital element is CRA, otherwise it's RED."/></figure>



<p>As the diagram shows, the moment a product has any digital component, it falls under the scope of either the CRA, the RED, or—very often—both.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The key takeaway is that the CRA establishes a foundational cybersecurity layer. Even if a product satisfies the RED’s radio-specific rules, it must also meet the CRA’s broader obligations for secure design, vulnerability management, and lifecycle support if it contains digital elements.</p>
</blockquote>



<h3 class="wp-block-heading">A Practical Example: A Smart Thermostat</h3>



<p>Let’s break it down with a common IoT device: a smart thermostat.</p>



<ul class="wp-block-list">
<li><strong>RED Applicability</strong>: Its Wi-Fi module, which it uses to connect to your home network and the internet, intentionally transmits and receives radio waves. This radio function is squarely in the RED’s scope and must comply with Articles 3.3(d), (e), and (f). This means ensuring its Wi-Fi connection is stable and doesn&#8217;t hog network resources in a harmful way.</li>



<li><strong>CRA Applicability</strong>: The thermostat&#8217;s operating system, the mobile app you use to control it, its connection to a cloud backend, and the mechanism for receiving firmware updates are all ‘digital elements’. These aspects fall under the CRA&#8217;s comprehensive requirements for secure development, vulnerability handling, and providing security patches. For example, the manufacturer must have a documented process for fixing a vulnerability discovered in the thermostat&#8217;s firmware and pushing an over-the-air update to all users.</li>
</ul>



<p>This dual-track compliance is where many manufacturers get tripped up. The table below lays out the key differences in scope to help you map your obligations.</p>



<h3 class="wp-block-heading">CRA vs RED At a Glance: Scope and Applicability</h3>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Criterion</th><th>Radio Equipment Directive (RED)</th><th>Cyber Resilience Act (CRA)</th></tr><tr><td><strong>Product Scope</strong></td><td>Products that intentionally transmit or receive radio waves (e.g., devices with Wi-Fi, Bluetooth, cellular).</td><td>Any product with digital components, including its hardware, software, and remote data processing functions.</td></tr><tr><td><strong>Primary Focus</strong></td><td>Protecting networks, personal data, and preventing fraud specifically related to the use of the radio spectrum.</td><td>Ensuring end-to-end cybersecurity resilience across the entire product lifecycle, from design to end-of-life.</td></tr><tr><td><strong>Key Applicability</strong></td><td>Based on the presence of a radio interface for communication or radiodetermination.</td><td>Based on the presence of any digital element, whether it’s connected to a network or not.</td></tr></tbody></table></figure>



<p>Understanding this dual applicability is critical. A single product often requires two parallel compliance efforts. You can&#8217;t assume that meeting the RED’s requirements is enough if your product also qualifies as a PDE under the Cyber Resilience Act.</p>



<h2 class="wp-block-heading">Comparing Core Security Requirements</h2>



<p>Once you get past the question of which regulation applies, the real work begins: understanding the specific security obligations each one imposes. The difference between the CRA and RED isn’t just in scope; it’s in their entire security philosophy.</p>



<p>The Radio Equipment Directive’s cybersecurity articles—<strong>3.3(d)</strong>, <strong>(e)</strong>, and <strong>(f)</strong>—are highly targeted. They focus on concrete outcomes: preventing network disruption, protecting personal data, and safeguarding against payment fraud. They define <em>what</em> a product must not do. For example, under 3.3(f), a connected point-of-sale terminal must incorporate features that prevent fraudulent payment transactions.</p>



<p>In contrast, the Cyber Resilience Act mandates a comprehensive, end-to-end security framework. It’s not just about preventing specific harms but about building and maintaining a resilient product from the ground up, covering the entire lifecycle. For that same point-of-sale terminal, the CRA would require the manufacturer to follow a secure coding process and provide security patches for its operating system for at least five years.</p>



<p></p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-vs-red-cybersecurity-requirements-cybersecurity.jpg" alt="Diagram comparing RED and CRA cybersecurity requirements, listing key aspects like network protection, personal data, secure design, and vulnerability handling."/></figure>



<p></p>



<h3 class="wp-block-heading">Secure by Design and by Default</h3>



<p>A core principle of the CRA is that products must be <strong>secure by design and by default</strong>. This isn&#8217;t just a suggestion; it&#8217;s a legal mandate that makes security a foundational part of product development, not an afterthought.</p>



<p>In practice, this means manufacturers must integrate security from the earliest design phase. Key requirements include:</p>



<ul class="wp-block-list">
<li>Shipping products with <strong>secure default configurations</strong>, meaning no more universal &#8220;admin&#8221; passwords. For example, a new router must force the user to create a unique password during setup instead of using a default like &#8220;password123&#8221;.</li>



<li>Minimising the attack surface by shipping with only essential functions and ports enabled. A smart TV, for instance, should have developer-mode ports disabled by default.</li>



<li>Ensuring data is protected both at rest and in transit using appropriate encryption. A fitness tracker must encrypt the health data it stores on the device and when it syncs with a mobile app.</li>
</ul>



<p>The RED doesn&#8217;t explicitly mandate a &#8220;secure by design&#8221; philosophy. Its requirements are more focused on the product&#8217;s final state when placed on the market. For example, a RED-compliant device must not harm the network, but the regulation is far less prescriptive about <em>how</em> a manufacturer achieves this during development.</p>



<h3 class="wp-block-heading">Lifecycle Security From Development to Post-Market</h3>



<p>This is where the CRA and RED diverge most sharply. The CRA’s obligations stretch far beyond the point of sale, demanding a formalised <strong>Secure Development Lifecycle (SDL)</strong>. Implementing robust <a href="https://www.john-pratt.com/secure-software-development-best-practices">secure software development best practices</a> becomes a non-negotiable part of compliance, involving activities like threat modelling, code reviews, and penetration testing.</p>



<p>You can dive deeper into these steps in our complete guide to building a <a href="https://goregulus.com/cra-requirements/cra-secure-development-lifecycle-sdl/">CRA-compliant Secure Development Lifecycle (SDL)</a>.</p>



<p>Let’s take a connected security camera as an example:</p>



<ul class="wp-block-list">
<li><strong>Under RED</strong>: The camera’s Wi-Fi module must not cause interference or disrupt networks. It also needs basic safeguards for the personal data it transmits (like the video stream).</li>



<li><strong>Under the CRA</strong>: The manufacturer must also prove it followed a secure development process. This means conducting threat modeling to identify potential attacks (like hijacking the video feed), performing code analysis to find bugs, and ensuring the camera can be securely updated. The camera has to ship without known exploitable vulnerabilities, feature a secure and reliable update mechanism, encrypt stored video footage, and be delivered without a default password like &#8220;1234.&#8221;</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The CRA effectively codifies lifecycle security as a legal requirement. It transforms security from a static, pre-market check into a continuous, dynamic process of vigilance and maintenance.</p>
</blockquote>



<h3 class="wp-block-heading">Vulnerability Handling and SBOMs</h3>



<p>The CRA’s detailed requirements for vulnerability handling and supply chain transparency are another major differentiator. The Act requires manufacturers to have a structured, public process for receiving and addressing vulnerability reports from security researchers and users.</p>



<p>More importantly, the CRA mandates the creation and provision of a <strong>Software Bill of Materials (SBOM)</strong>—a formal, machine-readable inventory of all software components and dependencies in a product. This is a direct response to the massive impact of supply chain attacks, where a single flaw in an open-source library can compromise thousands of downstream products. A practical example is a manufacturer of a smart fridge providing a list that shows it uses a specific version of the OpenSSL library for encryption, allowing customers to track vulnerabilities associated with that library.</p>



<p>While the harmonised standard EN 18031, which supports RED, mentions the need for an SBOM to monitor vulnerabilities, the CRA elevates it to a mandatory legal obligation. The contrast is stark:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Security Requirement</th><th>Radio Equipment Directive (RED)</th><th>Cyber Resilience Act (CRA)</th></tr><tr><td><strong>Development Process</strong></td><td>Not explicitly defined; focused on product outcomes.</td><td>Mandates a formal Secure Development Lifecycle (SDL).</td></tr><tr><td><strong>Default Configuration</strong></td><td>Implied for protecting data and networks.</td><td>Explicitly required to be &#8220;secure by default.&#8221;</td></tr><tr><td><strong>Vulnerability Handling</strong></td><td>Implied; must fix known exploitable vulnerabilities.</td><td>Mandatory, structured process for disclosure and management.</td></tr><tr><td><strong>SBOM</strong></td><td>Recommended by supporting standards (EN 18031).</td><td><strong>Mandatory</strong> legal requirement for all covered products.</td></tr></tbody></table></figure>



<p>This means that while a RED-compliant product might need patching if a public vulnerability is found, the CRA demands that the manufacturer have the entire infrastructure in place to proactively find, receive reports on, manage, and fix vulnerabilities throughout the product&#8217;s entire supported lifetime. A product’s cybersecurity obligations don&#8217;t simply vanish once it hits the market. This post-market phase is precisely where the differences between the CRA and RED become most stark. While the Radio Equipment Directive (RED) implies a need for ongoing security, the Cyber Resilience Act (CRA) makes it an explicit, legally binding responsibility.</p>



<p>The CRA fundamentally shifts the manufacturer’s role from passive observer to active guardian of a product&#8217;s security. It formalises the duty to maintain a strong security posture long after the initial sale, demanding a major operational overhaul for many organisations.</p>



<h3 class="wp-block-heading">Security Updates and Product Lifecycles</h3>



<p>One of the most significant mandates from the CRA is the provision of free and timely security updates. Manufacturers must supply patches for a product’s expected lifetime or, at a minimum, for <strong>five years</strong> after it is first placed on the market. This rule is designed to prevent products from becoming insecure liabilities over time. For example, a smart TV sold in 2026 must receive security patches for its operating system until at least 2031, free of charge.</p>



<p>For RED, the obligation is far less direct. A manufacturer must address known exploitable vulnerabilities to keep a product compliant, but the directive never specifies a minimum support period or mandates that updates must be free. The CRA closes this regulatory gap, making long-term support a non-negotiable condition for EU market access.</p>



<p>This heightened awareness of lifecycle duties is forcing urgent action. While RED awareness in the EU&#8217;s &#8216;ES&#8217; region was a high <strong>60%</strong> in 2023, awareness of the CRA&#8217;s deeper implications shot up from just <strong>20%</strong> to <strong>45%</strong> in a single year. Projections show CRA awareness will likely hit <strong>70%</strong> by 2025, a rise driven almost entirely by its demanding lifecycle requirements. You can discover more insights about these trends and what they mean for the future on cclab.com.</p>



<h3 class="wp-block-heading">Vulnerability Reporting and Coordinated Disclosure</h3>



<p>This is where the CRA imposes a significant operational burden compared to the RED. The CRA requires a structured, transparent, and audited process for both receiving and handling vulnerability reports from external sources, like security researchers.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The CRA’s 24-hour reporting rule for actively exploited vulnerabilities is a game-changer. It forces manufacturers to have a well-oiled incident response machine ready to act at a moment&#8217;s notice, transforming vulnerability management from a background task into a critical, time-sensitive function.</p>
</blockquote>



<p>Under the CRA, if a manufacturer confirms a vulnerability is being <strong>actively exploited</strong>, they have a strict <strong>24-hour window</strong> to report it to ENISA (the European Union Agency for Cybersecurity). This is a world apart from the RED, which has no equivalent time-bound reporting mandate.</p>



<p>Consider a real-world scenario:</p>



<ul class="wp-block-list">
<li><strong>The Situation</strong>: A smart door lock manufacturer discovers a critical firmware flaw that hackers are actively using to gain unauthorised entry.</li>



<li><strong>Under RED</strong>: The manufacturer would need to develop and issue a patch to maintain compliance, but there are no specific rules on how or when to notify authorities.</li>



<li><strong>Under the CRA</strong>: The manufacturer must not only create and deploy a patch but also notify ENISA of the <strong>actively exploited</strong> vulnerability within <strong>24 hours</strong>. They are also obligated to inform their users about the threat and the available fix without undue delay.</li>
</ul>



<p>This single requirement fundamentally changes how companies must prepare for security incidents. If you&#8217;re looking for more detail, you can learn more about the <a href="https://goregulus.com/uncategorized/cra-reporting-obligations-article-14/">specific CRA reporting obligations and what they mean for your team</a>. Building this proactive security posture requires a serious investment in both processes and people.</p>



<h2 class="wp-block-heading">Navigating Conformity Assessment and Documentation</h2>



<p>Proving compliance is just as important as achieving it, and this is where the paths for the Cyber Resilience Act (CRA) and the Radio Equipment Directive (RED) really start to split. The formal processes for declaring a product compliant—what we call conformity assessment—and the technical files needed to back up that claim are worlds apart.</p>



<p>For years, manufacturers of products under RED have had a relatively straightforward path. Most could perform a <strong>self-assessment</strong>, meaning they could internally check their product against Articles <strong>3.3(d)</strong>, <strong>(e)</strong>, and <strong>(f)</strong>, compile the technical file, and slap on the CE mark with their own Declaration of Conformity. For example, a maker of consumer Bluetooth headphones could conduct its own tests to verify compliance.</p>



<p>The CRA throws a spanner in those works. It brings in a more rigorous, risk-based model that completely changes the game.</p>



<h3 class="wp-block-heading">The CRA’s Risk-Based Assessment Model</h3>



<p>While the CRA does allow self-assessment for many products, it carves them up by risk level, creating entirely different routes to conformity. This adds a layer of complexity that just doesn&#8217;t exist in RED’s one-size-fits-all approach.</p>



<p>Products are now sorted into these categories:</p>



<ul class="wp-block-list">
<li><strong>Default Risk Products</strong>: This is the bucket for the vast majority of consumer electronics and software. For a simple fitness tracker, manufacturers can stick with an internal control procedure (<strong>Module A</strong>), which feels a lot like the old RED self-assessment.</li>



<li><strong>Critical Class I Products</strong>: These are higher-risk products, all listed out in Annex III of the CRA. Examples include home automation controllers or network management systems. They often demand a third-party <strong>Notified Body</strong> to get involved, unless the manufacturer follows the relevant harmonised standards to the letter.</li>



<li><strong>Critical Class II Products</strong>: For the highest-risk gear, like hardware security modules (HSMs) or smart card readers, there&#8217;s no way around it. These products <strong>must</strong> undergo a third-party conformity assessment by a Notified Body. No exceptions.</li>
</ul>



<p>This tiered system means a manufacturer’s journey to the CE mark can look drastically different from one product to the next.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The shift from RED&#8217;s broad self-assessment model to the CRA&#8217;s risk-based conformity paths is one of the biggest operational hurdles for manufacturers. A product that was previously self-declared for RED may now face costly and time-consuming third-party audits under the CRA.</p>
</blockquote>



<h3 class="wp-block-heading">Comparing Documentation Requirements</h3>



<p>The difference in approach bleeds directly into the paperwork. The technical documentation needed for CRA versus RED cybersecurity requirements are night and day in terms of the detail you’ll have to provide. When it&#8217;s time to document your security controls, resources like <a href="https://tricordit.ca/soc-2-compliance-checklist/">a practical SOC 2 compliance checklist</a> can offer a good structural starting point for demonstrating proof of compliance.</p>



<p>A RED technical file is pretty focused. It&#8217;s all about proving compliance with its specific articles, and usually includes:</p>



<ul class="wp-block-list">
<li>Test reports showing the product doesn’t mess with communication networks.</li>



<li>Proof of safeguards for personal data and privacy.</li>



<li>Paperwork on measures taken to stop monetary fraud.</li>
</ul>



<p>The CRA’s technical file, on the other hand, is a much heavier lift. It needs to tell the complete, transparent story of your product’s entire security posture and lifecycle management. Key elements must now include evidence of a secure development lifecycle, detailed vulnerability management procedures, and a full Software Bill of Materials (SBOM). If you need to dig into the nuts and bolts of this new process, you can find more detail on the <a href="https://goregulus.com/cra-compliance/cra-conformity-assessment/">CRA conformity assessment</a> procedures.</p>



<h3 class="wp-block-heading">A Practical Example: A Home Automation Gateway</h3>



<p>Let’s think about a smart home gateway—the kind that controls your locks, lights, and cameras.</p>



<p>Under RED, the manufacturer could simply self-declare its Wi-Fi and Zigbee radios as compliant. The technical file would centre on radio performance and the basic security measures tied to Article 3.3.</p>



<p>Now, under the CRA, this very same product gets classified as <strong>‘Critical Class I’</strong>. Suddenly, the compliance path is a much steeper climb. The manufacturer now must:</p>



<ol class="wp-block-list">
<li>Bring in a Notified Body for a third-party conformity assessment (unless they perfectly implement harmonised standards).</li>



<li>Put together an exhaustive CRA technical file that proves a secure development process was followed from start to finish. This would include evidence like threat modeling diagrams and penetration test reports.</li>



<li>Include a detailed SBOM listing every single firmware and software component, from the operating system kernel to the open-source libraries used in its web interface.</li>



<li>Document the entire process for handling and reporting vulnerabilities post-launch, including the contact point for security researchers.</li>
</ol>



<p>This comparison really drives home how the CRA fundamentally raises the burden of proof. It moves the goalposts from a focused, self-managed process under RED to a comprehensive, often externally-audited system for any product the EU considers critical.</p>



<h2 class="wp-block-heading">Building Your Unified Compliance Roadmap for 2026</h2>



<p>With deadlines for both the RED Delegated Act and the Cyber Resilience Act looming, a unified compliance strategy has moved from a good idea to an absolute necessity. The key is to turn regulatory uncertainty into a structured, step-by-step plan.</p>



<p>This roadmap breaks down the complex comparison of CRA vs. RED cybersecurity requirements into a series of manageable actions.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-vs-red-cybersecurity-requirements-process-steps.jpg" alt="Infographic illustrating a five-step process for cybersecurity requirements: assessment, analysis, classification, implementation, and documentation."/></figure>



<p>Following this plan is your best bet for placing products on the EU market confidently, without staring down the barrel of costly delays or penalties.</p>



<h3 class="wp-block-heading">Phase 1: Portfolio Assessment</h3>



<p>Your first job is to get a complete, honest picture of your product portfolio. You need to map out precisely which products fall under the RED, which fall under the CRA, and—most commonly—which are caught by both.</p>



<p>Take a company that makes smart lighting systems and industrial sensors. Their Wi-Fi-enabled smart lights are clearly subject to both RED and CRA. The wired industrial sensors, however, only fall under the CRA, as they have digital elements but no radio interface. This initial inventory is the foundation for everything that follows.</p>



<h3 class="wp-block-heading">Phase 2: Gap Analysis</h3>



<p>Once you know which regulations apply to which products, you have to benchmark your current security practices against what RED and the CRA demand. Use the latest harmonised standards, like <strong>EN 18031</strong> for RED, to pinpoint exactly where your processes fall short.</p>



<p>This analysis must cover your entire process, from your Secure Development Lifecycle (SDL) all the way to your post-market vulnerability handling. For example, a practical step is to review your current product development handbook and see if it includes mandatory security checkpoints like threat modeling or static code analysis. If not, that&#8217;s a major gap. The goal is to walk away with a concrete list of deficiencies that need fixing to satisfy both regulations.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A thorough gap analysis is what separates the prepared from the panicked. It turns dense regulatory text into a practical to-do list, showing you exactly where to invest your resources for maximum impact before the <strong>2026 and 2027</strong> deadlines hit.</p>
</blockquote>



<p>For example, you might find your development team doesn’t have a formal threat modelling process, a non-negotiable part of the CRA’s secure-by-design mandate. Or you might realise your RED-focused vulnerability response plan can&#8217;t meet the CRA’s strict <strong>24-hour</strong> reporting window for actively exploited flaws.</p>



<h3 class="wp-block-heading">Phase 3: Product Classification</h3>



<p>With your list of CRA-applicable products in hand, the next critical step is to determine their risk classification. This is a major fork in the road because it dictates your entire conformity assessment path.</p>



<p>You have to categorise each product into one of two buckets:</p>



<ul class="wp-block-list">
<li><strong>&#8216;Default&#8217; Risk</strong>: The vast majority of products will land here. These can go through an internal self-assessment.</li>



<li><strong>&#8216;Critical&#8217; Risk (Class I or II)</strong>: These products, which are listed in Annex III of the CRA, demand a third-party assessment from a Notified Body.</li>
</ul>



<p>A smart speaker might be deemed &#8216;Critical&#8217;, forcing you into expensive third-party audits. In contrast, a simple connected toothbrush would almost certainly be &#8216;Default&#8217;. Getting this wrong can invalidate your CE marking and lead to a forced market withdrawal.</p>



<h3 class="wp-block-heading">Phase 4: Process Implementation and Documentation</h3>



<p>This is where the plan becomes action. Using your gap analysis as a guide, you must establish and formalise the required procedures. This means implementing a robust SDL, creating a public-facing vulnerability disclosure policy, and setting up an incident response team that can meet ENISA&#8217;s reporting timelines. A practical first step could be to create a &#8220;<a href="mailto:security@company.com">security@company.com</a>&#8221; email address and a documented procedure for how incoming reports are triaged, verified, and escalated.</p>



<p>At the same time, you need to start compiling the mountain of technical documentation required by both regulations. Begin gathering your Software Bill of Materials (SBOM), evidence from security testing, and the detailed justifications for your risk assessments. Assembling this documentation proactively is the key to a smooth conformity assessment and makes you ready for any inspection by market surveillance authorities.</p>



<h2 class="wp-block-heading">Frequently Asked Questions About CRA and RED</h2>



<p>When comparing the Cyber Resilience Act and the Radio Equipment Directive, manufacturers often run into the same critical questions. Here are the clear, operational answers you need.</p>



<h3 class="wp-block-heading">If My Product Is RED Compliant, Do I Need to Worry About the CRA?</h3>



<p>Yes, without a doubt. Achieving compliance with RED Articles <strong>3.3(d)</strong>, <strong>(e)</strong>, and <strong>(f)</strong> is a necessary step, but it&#8217;s only a starting point. The CRA introduces a completely new set of obligations that span the entire product lifecycle, areas the RED simply doesn&#8217;t cover.</p>



<p>Think of it this way: your smart home hub&#8217;s RED compliance ensures its radio functions correctly and doesn&#8217;t interfere with other networks. The CRA, however, governs the security of its operating system, mandates it ships without guessable default passwords, and requires you to provide security updates for a minimum of <strong>five years</strong>. Your RED assessment is a foundation, but it must be supplemented with a full CRA assessment.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>RED compliance covers specific, point-in-time radio security risks. The CRA demands continuous cybersecurity resilience for the entire product and its software components. One does not replace the other.</p>
</blockquote>



<h3 class="wp-block-heading">What Is the Difference Between a Default and a Critical Product Under the CRA?</h3>



<p>The CRA classifies products into risk-based tiers, and the main difference is how you prove conformity.</p>



<ul class="wp-block-list">
<li><strong>&#8216;Default&#8217; products</strong> are the standard classification, covering the vast majority of consumer electronics and software. For these, manufacturers can typically perform a self-assessment against harmonised standards. A video game or a photo editing software would be a clear example.</li>



<li><strong>&#8216;Critical&#8217; products</strong> (split into Class I and Class II) carry higher security implications. Think industrial controllers, network hardware, or home assistants with privileged access. These products demand a more rigorous conformity assessment, which almost always involves a third-party Notified Body.</li>
</ul>



<p>A connected toothbrush is a perfect example of a &#8216;Default&#8217; product. In contrast, a networked industrial pump controller that could impact critical infrastructure would almost certainly be classified as &#8216;Critical&#8217;, mandating a costly and time-consuming external audit before it can receive its CE mark.</p>



<h3 class="wp-block-heading">How Can I Prepare for Both RED and CRA Deadlines Effectively?</h3>



<p>The most effective strategy is to treat compliance as a single, unified project and start immediately. Use the nearer RED deadline as a catalyst to build foundational security practices that will also satisfy your future CRA obligations.</p>



<p>Your first move should be a gap analysis against harmonised standards that bridge both regulations. From there, focus on implementing a <strong>Secure Development Lifecycle (SDL)</strong> and establishing a formal, documented vulnerability management process. For example, start by generating an SBOM for one of your flagship products using an open-source tool. This practical exercise will reveal supply chain risks and prepare you for the CRA&#8217;s mandatory SBOM requirement. This approach breaks the monumental task into a manageable, step-by-step plan, ensuring you meet the RED deadline while being well-prepared for full CRA enforcement.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Navigating these complex regulations can be daunting. <strong>Regulus</strong> provides a clear path forward, generating a tailored requirements matrix and ready-to-use templates to streamline your CRA compliance journey. Gain clarity and confidently place your products on the EU market by visiting <a href="https://goregulus.com">https://goregulus.com</a>.</p>



<p></p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-vs-red-cybersecurity-requirements/">CRA vs RED Cybersecurity Requirements: A Clear Comparison for 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CRA vs NIS2 Differences A Guide to EU Cyber Compliance in 2026</title>
		<link>https://goregulus.com/cra-basics/cra-vs-nis-2-differences/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Tue, 07 Jul 2026 15:42:14 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA vs NIS2 differences]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU Cybersecurity]]></category>
		<category><![CDATA[NIS2 Directive]]></category>
		<category><![CDATA[Product Compliance]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2231</guid>

					<description><![CDATA[<p>At first glance, the Cyber Resilience Act (CRA) and the NIS2 Directive might seem to cover similar ground. Both are powerful EU laws designed to bolster cybersecurity, but they approach the problem from fundamentally different directions. Understanding their distinct scopes is essential for any business operating in or selling to the EU. The core difference [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-vs-nis-2-differences/">CRA vs NIS2 Differences A Guide to EU Cyber Compliance in 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>At first glance, the Cyber Resilience Act (CRA) and the NIS2 Directive might seem to cover similar ground. Both are powerful EU laws designed to bolster cybersecurity, but they approach the problem from fundamentally different directions. Understanding their distinct scopes is essential for any business operating in or selling to the EU.</p>



<p>The core difference boils down to what each piece of legislation protects. NIS2 is about securing the <strong>operational continuity of essential services</strong>—think energy grids, banks, and digital infrastructure. The CRA, however, focuses on securing the <strong>digital products themselves</strong>, like software and connected devices.</p>



<h2 class="wp-block-heading">Untangling EU Cybersecurity: The CRA vs. NIS2</h2>



<p>While both the CRA and NIS2 aim for a more secure digital Europe, they don&#8217;t overlap as much as you might think. They are complementary, tackling cybersecurity from opposite ends of the spectrum: one focuses on the organisations providing critical services, the other on the manufacturers building the products those organisations use.</p>



<h3 class="wp-block-heading">The NIS2 Directive: Securing Critical Service Operations</h3>



<p>The <strong>NIS2 Directive</strong> is all about the resilience of organisations that are vital to our economy and society. It imposes strict security and reporting obligations on entities in sectors like healthcare, transport, and finance to ensure they can withstand and recover from cyber incidents.</p>



<p>For example, a large Spanish hospital is designated an ‘Essential’ entity under NIS2. This means its management team is legally responsible for implementing risk management measures like multi-factor authentication, training staff on phishing, and reporting significant service disruptions (like a ransomware attack taking its patient system offline) to national authorities. NIS2 is concerned with <em>how</em> the hospital operates securely day-to-day.</p>



<h3 class="wp-block-heading">The Cyber Resilience Act (CRA): Securing Products by Design</h3>



<p>In contrast, the <strong>Cyber Resilience Act (CRA)</strong> is a regulation targeting the security of &#8220;products with digital elements.&#8221; This covers a huge range of tangible and intangible goods, from smart home devices and industrial controllers to standalone software. If you manufacture, import, or distribute a connected product for the EU market, the CRA applies to you.</p>



<p>To understand how it works in practice, let&#8217;s go back to that Spanish hospital. The manufacturer of a networked medical imaging machine used by the hospital must comply with the CRA. This means designing the machine to be secure from the ground up (e.g., no default passwords), providing security updates for its entire lifecycle, and reporting actively exploited vulnerabilities within 24 hours. The CRA is about ensuring the <em>product</em> itself is secure by design and remains so over time. For more background, <a href="https://goregulus.com/cra-basics/cyber-resilience-act/">you can learn about the Cyber Resilience Act in our detailed guide</a>.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The core distinction is clear: NIS2 compels service providers to maintain robust cyber defences for their operations, while the CRA forces product manufacturers to build and maintain secure products throughout their lifecycle.</p>
</blockquote>



<h3 class="wp-block-heading">Core Differences Between CRA and NIS2 at a Glance</h3>



<p>This table offers a high-level summary of the key distinctions between the two frameworks, highlighting their different targets, objectives, and scope.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Aspect</th><th>NIS2 Directive</th><th>Cyber Resilience Act (CRA)</th></tr><tr><td><strong>Primary Target</strong></td><td>Providers of essential and important services (e.g., hospitals, banks, cloud providers).</td><td>Manufacturers, importers, and distributors of products with digital elements.</td></tr><tr><td><strong>Main Focus</strong></td><td>Operational resilience and incident response for critical services.</td><td>Product security throughout its entire lifecycle (secure-by-design).</td></tr><tr><td><strong>Scope</strong></td><td>Applies to specific sectors and entities meeting size-cap rules (e.g., &gt;50 employees).</td><td>Applies to almost all digital products sold in the EU, regardless of company size.</td></tr><tr><td><strong>Example</strong></td><td>A regional power grid operator securing its control systems from outages.</td><td>The company that builds the software and hardware for that power grid&#8217;s control systems.</td></tr></tbody></table></figure>



<p>Ultimately, an organisation might fall under both. A cloud provider, for instance, is an &#8216;Important&#8217; entity under NIS2 and must secure its operations. If it also develops software that customers install (like a desktop sync client), that software product would need to comply with the CRA. The two regulations work in tandem to secure both the services we rely on and the products that power them.</p>



<h2 class="wp-block-heading">Determining Your Scope and Applicability</h2>



<p>Figuring out where you stand with the CRA and NIS2 starts with one crucial question: does your organisation <em>make</em> something, or does it <em>do</em> something? This is the fundamental difference in logic between the two frameworks, creating separate paths for product manufacturers and service providers.</p>



<p>This simple decision tree gets right to the point. Are you providing a service in a critical sector, or are you building a digital product for the market?</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-vs-nis2-differences-nis2-cra.jpg" alt="Flowchart determining if a business falls under NIS2 (services) or CRA (neither service nor product)."/></figure>



<p>As you can see, NIS2 targets the operators of essential and important services. The CRA, on the other hand, zeroes in on the manufacturers of the very products those operators might be using.</p>



<h3 class="wp-block-heading">How NIS2 Defines Its Scope</h3>



<p>The <strong>NIS2 Directive</strong> identifies entities based on two straightforward criteria: their sector and their size. It lays out explicit lists of <strong>18 sectors</strong>, splitting them into ‘Essential’ and ‘Important’ categories.</p>



<ul class="wp-block-list">
<li><strong>Essential Entities:</strong> This covers the big ones—organisations in energy, transport, banking, health, and digital infrastructure.</li>



<li><strong>Important Entities:</strong> This category includes other vital sectors like postal services, waste management, and the manufacturing of certain critical goods.</li>
</ul>



<p>Beyond the sector, NIS2 applies a simple size-cap rule. The directive generally targets medium and large organisations, which means those with <strong>over 50 employees</strong> or an annual turnover <strong>exceeding €10 million</strong>. For a practical example, a small, family-owned logistics company with 20 employees would likely be exempt, but a large national postal service falls squarely within the scope as an &#8216;Important&#8217; entity.</p>



<h3 class="wp-block-heading">The CRA’s Product-Focused Approach</h3>



<p>The <strong>Cyber Resilience Act (CRA)</strong> comes at this from a completely different angle. It applies horizontally to nearly all <strong>‘products with digital elements’</strong> placed on the EU market. This is a massive net, catching everything from hardware like IoT devices to software like operating systems or mobile apps.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Crucially, the CRA&#8217;s applicability has no company size or revenue threshold. A two-person startup in a garage developing a smart thermostat app is just as subject to CRA rules as a multinational corporation building enterprise software. If you make it and sell it in the EU, the CRA applies.</p>
</blockquote>



<p>This product-centric versus service-centric divide creates some very clear lines. Take a large German hospital, for instance. It’s an &#8216;Essential&#8217; entity under NIS2 and is responsible for its own operational cybersecurity. But the manufacturer of the networked infusion pumps that hospital uses? They must comply with the CRA to ensure the pumps themselves are secure by design. You can dig deeper into these specifics by exploring our guide on <a href="https://goregulus.com/cra-basics/cyber-resilience-act-applicability/">Cyber Resilience Act applicability</a>.</p>



<p>This distinction is especially sharp in markets like Spain, where regulatory alignment is vital for market access. While NIS2 targets an estimated <strong>1,200 entities</strong> in Spain’s key service sectors, the CRA’s universal approach impacts a much broader base. It directly affects the country&#8217;s <strong>45,000+ IoT-related enterprises</strong>, from multinationals down to the smallest startups, all of which now face immediate product security obligations and must prepare for CE marking requirements by 2027.</p>



<p>Whether your obligations fall under the CRA, NIS2, or both, the first step is always understanding your assets and risks. Using a comprehensive <a href="https://citysourcesolutions.com/cybersecurity/cybersecurity-risk-assessment-checklist/">cybersecurity risk assessment checklist</a> is a solid starting point for building out your compliance strategy.</p>



<h3 class="wp-block-heading">Understanding Your Reporting Obligations and Timelines</h3>



<p>When an incident strikes, the clock starts ticking. One of the most significant differences between the CRA and NIS2 is what triggers that clock and how you must respond. These reporting timelines aren&#8217;t just procedural details; they define your organisation&#8217;s response under pressure and shape your entire incident management strategy.</p>



<p>At a high level, NIS2 is reactive to service disruptions, while the CRA is proactive about product vulnerabilities. For a practical example, think of a major cloud provider, an ‘Essential Entity’ under NIS2, suffering a widespread outage that takes its customers offline. NIS2 gives them <strong>24 hours to submit an ‘early warning’</strong> to their national Computer Security Incident Response Team (CSIRT). This is then followed by a more detailed incident notification <strong>within 72 hours</strong>.</p>



<p>The CRA&#8217;s timeline, however, is triggered by a completely different event.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-vs-nis2-differences-reporting-timelines.jpg" alt="Diagram comparing NIS2 and CRA reporting requirements, showing timelines for outages and actively exploited vulnerabilities."/></figure>



<h3 class="wp-block-heading">Different Triggers for the 24-Hour Clock</h3>



<p>The CRA’s focus is squarely on product security, specifically when a flaw becomes an active threat. For a manufacturer, the 24-hour reporting duty begins the moment they become aware of an <strong>actively exploited vulnerability</strong> within their product. This is a critical distinction from NIS2.</p>



<p>Let&#8217;s take a practical example. A company manufacturing smart thermostats discovers a flaw in their firmware that attackers are actively using to gain control of devices and join them to a botnet. Under the CRA, they must notify ENISA (the EU Agency for Cybersecurity) and their national CSIRT <strong>within 24 hours</strong>. The report is about the vulnerability itself, not necessarily any resulting service disruption. We cover this in more detail in our overview of <a href="https://goregulus.com/uncategorized/cra-reporting-obligations-article-14/">CRA reporting obligations under Article 14</a>.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Key Takeaway:</strong> For NIS2, the trigger is a <em>significant incident</em> affecting service continuity. For the CRA, it’s the discovery of an <em>actively exploited vulnerability</em> in a product, demanding rapid, coordinated disclosure to prevent widespread harm.</p>
</blockquote>



<p>This difference in triggers really highlights how the two frameworks complement each other. The CRA pushes manufacturers to report and fix exploitable flaws before they can be used to cause the large-scale service disruptions that would then trigger NIS2 reporting.</p>



<h3 class="wp-block-heading">A Practical Comparison of Reporting Timelines</h3>



<p>Getting the reporting timelines right is a common point of confusion, so let&#8217;s break down the practical differences. The table below highlights the key differences in what triggers a report, how quickly you must act, and who you need to inform.</p>



<h4 class="wp-block-heading">CRA vs NIS2 Reporting Requirements At A Glance</h4>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Requirement</th><th>NIS2 Directive</th><th>Cyber Resilience Act (CRA)</th></tr><tr><td><strong>Primary Trigger</strong></td><td>A significant cybersecurity incident causing severe operational disruption.</td><td>Discovery of a vulnerability in a product that is being actively exploited.</td></tr><tr><td><strong>Initial Report</strong></td><td><strong>24-hour</strong> &#8220;early warning&#8221; to the national CSIRT or competent authority.</td><td><strong>24-hour</strong> notification to ENISA and the relevant national CSIRT.</td></tr><tr><td><strong>Follow-Up Report</strong></td><td><strong>72-hour</strong> detailed incident notification, with a final report due within one month.</td><td>No mandatory 72-hour follow-up report is specified, but ongoing vulnerability handling is required.</td></tr><tr><td><strong>Recipient</strong></td><td>National competent authorities and CSIRTs.</td><td>ENISA and national CSIRTs.</td></tr></tbody></table></figure>



<p>While both mandates have a 24-hour deadline, the substance of the report and the required follow-up steps are quite different. As you work to define your incident response plans, it&#8217;s also helpful to be aware of global best practices and specific regional requirements, such as those related to <a href="https://www.rnc.co.il/cyber-law-israel/">cybersecurity incident reporting obligations</a>.</p>



<p>Ultimately, these distinct triggers and timelines require tailored workflows. A product security team must have a process ready for the CRA&#8217;s exploited-vulnerability trigger, which is fundamentally different from the broader service-outage focus of NIS2.</p>



<h2 class="wp-block-heading">Comparing Compliance Paths and Enforcement Penalties</h2>



<p>The path to proving compliance—and the penalties for getting it wrong—is where the CRA and NIS2 diverge most sharply. How you demonstrate your security posture is entirely different under each framework.</p>



<p>NIS2 relies on national oversight of your internal processes. The CRA, on the other hand, uses an established EU-wide product conformity framework. Getting this distinction right is critical.</p>



<h3 class="wp-block-heading">The NIS2 Path: Proving Internal Resilience</h3>



<p>For NIS2, the journey is internal and process-driven. As a directive, it is transposed into national law, meaning each Member State enforces it through its own authorities. Compliance means demonstrating robust internal governance, conducting regular risk assessments, and proving board-level accountability.</p>



<p>Under NIS2, an organisation proves compliance by showing, not just telling. National authorities will conduct audits and demand evidence that your security measures are actually in place and working.</p>



<p>Take a large logistics company in Spain, classified as an ‘Important’ entity. Its compliance path would involve:</p>



<ul class="wp-block-list">
<li>Developing and maintaining a comprehensive risk management policy.</li>



<li>Conducting annual security audits performed by an independent third party.</li>



<li>Running mandatory training programmes for all employees on cybersecurity hygiene.</li>



<li>Demonstrating to national auditors that its board of directors has formally approved and oversees its cybersecurity strategy.</li>
</ul>



<p>Failure to meet these obligations can bring significant fines from national authorities, reaching up to <strong>€10 million or 2% of the company&#8217;s total global annual turnover</strong>, whichever is higher.</p>



<h3 class="wp-block-heading">The CRA Path: Proving Product Security via CE Marking</h3>



<p>The Cyber Resilience Act, as a regulation, is directly applicable across the entire EU without national transposition. It cleverly piggybacks on the well-established <strong>New Legislative Framework (NLF)</strong>, using the <strong>CE marking</strong> process as its compliance mechanism. This applies a familiar product-safety process to the world of cybersecurity.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The CRA essentially says, &#8220;If your product has a digital element, its cybersecurity is now a matter of public safety, just like its electrical or mechanical safety.&#8221; It must earn its CE mark by proving it is cyber-resilient.</p>
</blockquote>



<p>For a manufacturer, this creates a clear, product-focused path:</p>



<ol class="wp-block-list">
<li><strong>Conduct a Conformity Assessment:</strong> The manufacturer assesses the product against the CRA&#8217;s security requirements. For most products, this can be a self-assessment, but higher-risk products demand a third-party notified body.</li>



<li><strong>Create Technical Documentation:</strong> This file must contain everything from the risk assessment and a Software Bill of Materials (SBOM) to evidence of a secure development lifecycle.</li>



<li><strong>Issue an EU Declaration of Conformity:</strong> The manufacturer formally declares that the product meets all CRA requirements.</li>



<li><strong>Affix the CE Mark:</strong> Only then can the product be legally placed on the EU market.</li>
</ol>



<p>This compliance and enforcement model has huge implications for Spain’s digital product teams. While NIS2 impacts around <strong>8,000 important entities</strong> in Spain through nationally transposed laws, the CRA directly hits Spain&#8217;s <strong>30,000+ software and firmware makers</strong> with its CE marking mandate, completely bypassing company size thresholds.</p>



<p>Enforcement also diverges sharply. CRA violations are policed by Market Surveillance Authorities who can order product recalls and impose EU-wide fines of up to <strong>€15 million or 2.5% of global annual turnover</strong>—potentially exceeding NIS2 penalties. You can discover more insights about these <a href="https://www.holmsecurity.com/blog/cra-what-its-about-how-it-relates-to-nis/nis2">contrasting frameworks on holmsecurity.com</a>.</p>



<p>For instance, a French company developing a smart home security camera must create a full technical file, prove it has a process to deliver security updates for at least five years, and then affix the CE mark. If a Market Surveillance Authority in Germany later finds the product non-compliant, it can be pulled from shelves across all 27 EU member states.</p>



<h2 class="wp-block-heading">Navigating the Intersection of CRA and NIS2</h2>



<p>Although the <strong>Cyber Resilience Act (CRA)</strong> and the <strong>NIS2 Directive</strong> target different things—products versus services—they are not independent. The two frameworks were designed to be complementary, creating a strong, interlocking set of security obligations that reinforce one another across the EU market.</p>



<p>For organisations caught in the middle, understanding this intersection is essential for managing dual obligations and turning complex compliance work into a clear market advantage.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-vs-nis2-differences-supply-chain.jpg" alt="Diagram illustrating supply chain interactions between essential services, powerement, compliance, and product manufacturing."/></figure>



<p>The most important point of overlap is <strong>supply chain security</strong>. Under NIS2, critical entities have a legal duty to secure their supply chains. The CRA, in turn, provides the very mechanism for them to do just that.</p>



<h3 class="wp-block-heading">The NIS2 Demand for CRA-Compliant Products</h3>



<p>NIS2 forces <strong>Essential</strong> and <strong>Important</strong> entities to meticulously vet the security of their suppliers. This single requirement transforms CRA compliance from a manufacturer’s internal problem into a key procurement criterion for a huge market of critical service providers.</p>



<p>Take a practical example: a large Spanish power plant, an ‘Essential’ entity under NIS2, must verify the cybersecurity of its operational technology. When its procurement team needs a new industrial control system (ICS), they won’t just evaluate performance and price; they will demand proof of security.</p>



<p>The manufacturer of that ICS falls directly under the <strong>CRA</strong>. They are obligated to:</p>



<ul class="wp-block-list">
<li>Build the ICS according to <strong>secure-by-design</strong> principles.</li>



<li>Provide a <strong>Software Bill of Materials (SBOM)</strong> listing all its software components.</li>



<li>Commit to providing security updates for a defined support period.</li>



<li>Affix the <strong>CE mark</strong> as proof of CRA conformity.</li>
</ul>



<p>This creates an incredibly powerful market dynamic. The power plant will use the manufacturer&#8217;s <strong>CRA compliance</strong>—proven by the CE mark and technical documentation—to fulfil its own NIS2 supply chain security obligations. In practice, NIS2 entities will become major drivers of CRA adoption, creating a strong market preference for CRA-compliant products.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The intersection creates a clear value chain: NIS2 entities must manage supply chain risk, and they will do so by demanding CRA-compliant products. For manufacturers, CRA compliance is no longer just a regulatory hurdle; it&#8217;s a market access key.</p>
</blockquote>



<h3 class="wp-block-heading">When One Organisation Has Dual Obligations</h3>



<p>Another critical scenario involves organisations that are simultaneously NIS2 entities and CRA manufacturers. This is especially common for digital service providers, particularly <strong>Software-as-a-Service (SaaS)</strong> companies.</p>



<p>Think about a cloud-based electronic health record (EHR) provider based in Germany. This company is both:</p>



<ul class="wp-block-list">
<li>An <strong>‘Essential’ NIS2 entity</strong> because it provides a critical service to the healthcare sector.</li>



<li>A <strong>‘manufacturer’ under the CRA</strong> because it develops and commercialises the EHR software product.</li>
</ul>



<p>Here, a single security event can trigger obligations under both frameworks. Imagine the company&#8217;s security team discovers an unpatched, actively exploited vulnerability in the EHR software&#8217;s code that allows unauthorized access to patient data.</p>



<ol class="wp-block-list">
<li><strong>CRA Obligation Triggered:</strong> Because the flaw is <strong>actively exploited</strong>, the provider must notify <strong>ENISA within 24 hours</strong>, as required by the CRA.</li>



<li><strong>NIS2 Obligation Triggered:</strong> If this same vulnerability causes a data breach or service disruption for its hospital clients, it becomes a <strong>&#8216;significant incident&#8217;</strong>. This triggers the <strong>24-hour</strong> early warning and <strong>72-hour</strong> detailed incident report required by NIS2.</li>
</ol>



<p>This dual-trigger scenario shows why a unified compliance strategy is non-negotiable. For organisations in this position, managing product vulnerabilities and operational incidents are two sides of the same coin. The European Commission has provided guidance on this topic, and you can learn more about how to prepare from our analysis of <a href="https://goregulus.com/uncategorized/cra-implementation-guidance-european-commission/">CRA implementation guidance</a>. Ultimately, successfully navigating these overlapping requirements demands a clear understanding of both your role as a service provider and your responsibilities as a product manufacturer.</p>



<h2 class="wp-block-heading">Developing a Unified Compliance Strategy</h2>



<p>Trying to manage CRA and NIS2 requirements with separate spreadsheets and disconnected processes is a recipe for duplicated work. A unified strategy is the only practical way forward, helping you treat both regulations as a single, interlocking compliance challenge instead of two separate problems.</p>



<p>This approach starts with a clear mapping of your obligations. A guided applicability assessment, for example, can immediately clarify whether the CRA, NIS2, or both apply to your products and your customers, giving you a solid starting point.</p>



<h3 class="wp-block-heading">From Rules to a Roadmap</h3>



<p>Once you’ve established applicability, the next step is translating dense legal text into a concrete plan of action. This means generating a requirements matrix based on your product’s specific classification—whether it falls under the default rules or a higher-risk class. This matrix should map specific obligations from the CRA Annexes and give you actionable templates.</p>



<p>For instance, if you manufacture a smart home router, a unified platform can generate a checklist covering:</p>



<ul class="wp-block-list">
<li><strong>Annex I Security Requirements:</strong> Specific secure-by-design principles you must implement, like ensuring encrypted communication and having a secure update mechanism.</li>



<li><strong>Vulnerability Handling Processes:</strong> Templates for documenting how you will manage and report discovered vulnerabilities.</li>



<li><strong>Technical Documentation:</strong> A structured outline for your EU Declaration of Conformity and the supporting evidence files.</li>
</ul>



<p>This turns vague regulations into a concrete roadmap for achieving compliance by the <strong>2026–2027 deadlines</strong>.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>By centralising documentation, managing vulnerability disclosures, and tracking supplier compliance in one place, you can build a single, efficient programme that satisfies both product and service security demands, ensuring you can confidently serve the EU market.</p>
</blockquote>



<h3 class="wp-block-heading">An Integrated Compliance Example</h3>



<p>Consider a SaaS company that provides logistics software to large shipping companies. This company faces dual obligations:</p>



<ul class="wp-block-list">
<li><strong>As a NIS2 &#8216;Important&#8217; entity:</strong> It must secure its own operations and service delivery.</li>



<li><strong>As a CRA &#8216;manufacturer&#8217;:</strong> Its software product must meet CRA&#8217;s security-by-design and lifecycle requirements.</li>
</ul>



<p>Instead of running two parallel compliance projects, a unified approach allows them to use the same evidence for both. The secure software development lifecycle (SSDLC) process documented for CRA compliance also serves as proof of a key risk management measure required under NIS2.</p>



<p>Likewise, the vulnerability disclosure process mandated by the CRA becomes a core component of their NIS2 incident response plan. When a single platform like <strong><a href="https://goregulus.com/">Regulus</a></strong> manages both the product-level requirements (CRA) and the operational security evidence (for their NIS2 customers), the company avoids duplicating effort. This not only reduces costs but also builds a more robust and defensible security posture across the board. The key is to see the CRA vs NIS2 differences not as a conflict, but as an opportunity for integrated efficiency.</p>



<h2 class="wp-block-heading">Frequently Asked Questions About CRA and NIS2</h2>



<p>The relationship between the Cyber Resilience Act and the NIS2 Directive often creates confusion, especially where their obligations seem to overlap. Here are some straightforward answers to the most common questions we hear from manufacturers and digital service providers.</p>



<h3 class="wp-block-heading">If My Product Is CRA Compliant, Do I Still Need to Worry About NIS2?</h3>



<p>Yes, absolutely. Think of it this way: CRA compliance is about the security <em>of your product</em>. NIS2 is about the operational security <em>of the entity using it</em>.</p>



<p>For a practical example, if you sell your CRA-compliant product to a hospital (an ‘Essential’ entity under NIS2), they have their own separate obligations. Specifically, they must manage their supply chain risks. Your CRA compliance—proven by your CE mark and technical documentation—becomes a critical piece of evidence they will need from you to meet <em>their</em> regulatory requirements. Your job is to provide the secure product; their job is to use it securely as part of their broader operations.</p>



<h3 class="wp-block-heading">Can I Be Fined Under Both CRA and NIS2 for the Same Event?</h3>



<p>It is possible, particularly if you are a dual-status organization. Imagine you’re a SaaS provider for the banking sector. A severe security flaw in your software would be a clear CRA violation. If that flaw leads to a major service disruption that prevents customers from accessing their accounts, that disruption could be classed as an NIS2 incident.</p>



<p>Because the two regulations address different failures—the insecure product (CRA) and the disrupted service (NIS2)—you could theoretically face penalties under both for a single root cause.</p>



<h3 class="wp-block-heading">Which Regulation Has Stricter Penalties?</h3>



<p>On paper, the CRA has higher maximum financial penalties. Fines can reach up to <strong>€15 million or 2.5% of global annual turnover</strong>, whichever is greater.</p>



<p>NIS2 penalties are capped slightly lower, at <strong>€10 million or 2% of turnover</strong>. However, focusing only on the numbers is a mistake. Both regulations grant authorities serious enforcement powers, from ordering product recalls (CRA) to issuing legally binding instructions (NIS2).</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Key Takeaway:</strong> While the CRA&#8217;s fines are nominally higher, the enforcement powers under both regulations are severe and designed to compel compliance. The biggest risk isn&#8217;t just the fine; it&#8217;s the operational chaos from a product recall or a binding order from a supervisory authority.</p>
</blockquote>



<h3 class="wp-block-heading">What Is the Most Significant Difference for a Product Manufacturer?</h3>



<p>For a product manufacturer, the biggest difference lies in the compliance mechanism itself. The CRA mandates compliance through the EU’s established CE marking framework. This means you must conduct a conformity assessment, compile a comprehensive technical file with a Software Bill of Materials (SBOM), and physically affix the CE mark to your product before it can be legally sold in the EU.</p>



<p>NIS2, on the other hand, is primarily about internal processes, risk management, and governance. These obligations fall mainly on your customers (the service providers), not directly on you as the manufacturer, though they will push those requirements down to you via their procurement process.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Navigating CRA and NIS2 requires a clear, actionable plan. <strong>Regulus</strong> provides a guided platform to assess your applicability, map requirements, and generate the evidence needed for CRA compliance. <a href="https://goregulus.com/">Gain clarity on your obligations and build your roadmap today</a>.</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-vs-nis-2-differences/">CRA vs NIS2 Differences A Guide to EU Cyber Compliance in 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Your Guide to a Compliant CRA End of Life Security Updates Policy</title>
		<link>https://goregulus.com/cra-basics/cra-end-of-life-security-updates-policy/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 12:10:29 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA end of life security updates policy]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU CRA compliance]]></category>
		<category><![CDATA[product security]]></category>
		<category><![CDATA[Vulnerability Management]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2221</guid>

					<description><![CDATA[<p>An effective end-of-life (EOL) security updates policy is more than just a document; it’s a public commitment to your customers and a core obligation under the EU’s Cyber Resilience Act (CRA). You’re now required to provide security patches for a defined period, even after a product is no longer for sale. This policy must guarantee [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-end-of-life-security-updates-policy/">Your Guide to a Compliant CRA End of Life Security Updates Policy</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>An effective end-of-life (EOL) security updates policy is more than just a document; it’s a public commitment to your customers and a core obligation under the EU’s Cyber Resilience Act (CRA). You’re now required to provide security patches for a defined period, even after a product is no longer for sale. This policy must guarantee updates for at least <strong>five years</strong> from launch and ensure patches are delivered <em>without delay</em>.</p>



<h2 class="wp-block-heading">Understanding Your Core CRA Update Obligations</h2>



<p>The Cyber Resilience Act isn&#8217;t just another box-ticking exercise. It fundamentally changes how you must manage product security long after a sale is made, shifting security support from a customer service perk to a core compliance mandate. This has serious implications for your budgeting, engineering resources, and long-term product strategy.</p>



<p>At its heart, the CRA establishes a legally binding minimum security support window. For any product with digital elements you place on the EU market, you are obligated to provide security updates for a minimum of <strong>five years</strong>.</p>



<p>For instance, if your company launches a new smart home hub in June 2027, your team must be prepared to actively develop and deploy security patches for it until at least June 2032. This isn&#8217;t about shipping new features; it&#8217;s a firm commitment to patch discovered vulnerabilities for that entire period.</p>



<p>Your security update and EOL policy is where you make this commitment transparent and formal. Below is a summary of the key elements your policy must contain to align with CRA expectations.</p>



<h3 class="wp-block-heading">CRA Security Update Policy Key Elements</h3>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Policy Element</th><th>CRA Requirement</th><th>Practical Implication Example</th></tr><tr><td><strong>Support Period</strong></td><td>Updates for the product&#8217;s expected lifetime, or a minimum of <strong>5 years</strong>.</td><td>A smart thermostat policy states a <strong>7-year</strong> support period from the date of market placement.</td></tr><tr><td><strong>Update Delivery</strong></td><td>Patches must be free of charge and delivered &#8220;without delay&#8221;.</td><td>The policy defines a Service Level Agreement (SLA) for critical patch delivery within <strong>30 days</strong> of a verified vulnerability.</td></tr><tr><td><strong>Vulnerability Handling</strong></td><td>A documented process for receiving, assessing, and fixing vulnerabilities.</td><td>The policy links to a public vulnerability disclosure page with a dedicated contact (security.txt).</td></tr><tr><td><strong>User Communication</strong></td><td>Clear instructions on how to obtain and install updates.</td><td>The policy details that users will be notified via the mobile app and provided with one-click update instructions.</td></tr><tr><td><strong>End-of-Life Notice</strong></td><td>Transparent communication about when security support will end.</td><td>The policy commits to providing at least <strong>180 days&#8217;</strong> notice before the final security update is released.</td></tr><tr><td><strong>Legacy Devices</strong></td><td>A plan for products already on the market before CRA applicability.</td><td>A transition plan is outlined, stating that products sold after December 2027 will be fully CRA-compliant.</td></tr></tbody></table></figure>



<p>This table covers the non-negotiables. Building your policy around these components ensures you&#8217;re not just compliant on paper but also ready to execute when a vulnerability is found.</p>



<h3 class="wp-block-heading">Defining the Five-Year Support Window</h3>



<p>The five-year clock starts the moment a product is “placed on the market.” This is a legally binding obligation that went into force on 10 December 2024, with its main requirements becoming applicable from 11 December 2027. <strong>Article 13</strong> of the CRA is clear: manufacturers must handle vulnerabilities effectively throughout the support period, and patches must be provided &#8220;without delay.&#8221;</p>



<p>So, if you place a product on the EU market in 2028, you must maintain an active security update infrastructure for it until at least 2033. It’s a simple rule with complex operational consequences.</p>



<h3 class="wp-block-heading">Beyond the Five-Year Minimum</h3>



<p>Don&#8217;t get too comfortable with the five-year rule. It’s a floor, not a ceiling. The CRA requires the support period to align with the product&#8217;s <em>expected lifetime</em> and reasonable user expectations. This is where you need to apply some critical judgement.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A key takeaway is that the &#8216;expected product lifetime&#8217; isn&#8217;t determined by your marketing department, but by a realistic assessment of how long a consumer or business will actually use the device.</p>
</blockquote>



<p>Let&#8217;s look at a few real-world scenarios:</p>



<ul class="wp-block-list">
<li><strong>Smart Thermostat:</strong> A consumer who has a smart thermostat professionally installed in their home will reasonably expect it to function securely for <strong>seven to ten years</strong>, not just five.</li>



<li><strong>Industrial PLC (Programmable Logic Controller):</strong> In a factory, these controllers often have operational lifespans of <strong>15 years or more</strong>. A five-year security policy here would be seen as grossly insufficient and non-compliant.</li>



<li><strong>Consumer Drone:</strong> Given the rapid pace of technological change and the likelihood of physical wear and tear, a five-year support window might be perfectly reasonable.</li>
</ul>



<p>Failing to align your support period with these realistic expectations is a direct path to non-compliance penalties and a breakdown in customer trust. To meet these mandates effectively, it&#8217;s vital to build a broader framework for <a href="https://www.logicalcommander.com/post/regulatory-compliance-risk-management">regulatory compliance risk management</a>. For a deeper dive, check out our guide on <a href="https://goregulus.com/cra-requirements/cra-update-requirements/">CRA update requirements</a> for more detailed information. This strategic planning ensures your policy is not only compliant but also a tool for building long-term trust.</p>



<p>An EOL security updates policy isn&#8217;t a document you write once and file away. For CRA compliance, it has to be a living, operational workflow. This is where the theory ends and the real work of building your vulnerability detection, management, and disclosure processes begins.</p>



<p>Your first move is to establish clear and secure reporting channels. Under the CRA, security researchers are your allies, not adversaries. You need to give them an easy, reliable way to tell you about potential vulnerabilities.</p>



<p>A common and effective way to do this is with a <code>security.txt</code> file on your website. This simple text file acts as a signpost, directing researchers to your vulnerability disclosure policy (VDP) and the right email address. For example, your <code>security.txt</code> file should point to a contact like <code>security@yourcompany.com</code> and include a link to your public VDP page.</p>



<h3 class="wp-block-heading">Establishing Internal Triage and Prioritisation</h3>



<p>Once a vulnerability report lands in your inbox, your internal workflow must take over. Not all vulnerabilities are created equal, which is why a structured triage process is so important. This is where you assign severity scores—usually with the Common Vulnerability Scoring System (CVSS)—and prioritise what to fix based on real-world risk.</p>



<p>A solid, repeatable workflow might look like this:</p>



<ul class="wp-block-list">
<li><strong>Initial Triage:</strong> An assigned security team member acknowledges the report within <strong>48 hours</strong>. Their first job is to validate the report to confirm it’s a genuine vulnerability affecting your product. For example, if a researcher claims they can bypass the login on your smart lock app, the triage team&#8217;s first job is to try and replicate that exact process.</li>



<li><strong>Severity Assessment:</strong> The team assigns a CVSS score and classifies the vulnerability (e.g., Critical, High, Medium, Low). A remote code execution flaw in your core firmware is obviously Critical; a minor glitch in the UI is Low.</li>



<li><strong>Prioritisation:</strong> Based on its severity, the vulnerability is fed into the engineering backlog. Critical issues must jump to the front of the queue, no questions asked.</li>
</ul>



<p>This entire triage process has to be documented. When regulators come knocking, they&#8217;ll want to see evidence of a repeatable, risk-based system for handling vulnerability reports. For a much deeper dive into these mechanics, you can read more about <a href="https://goregulus.com/cra-requirements/cra-vulnerability-handling/">https://goregulus.com/cra-requirements/cra-vulnerability-handling/</a>.</p>



<h3 class="wp-block-heading">Defining and Documenting Your SLAs</h3>



<p>With a vulnerability prioritised, the clock on your Service Level Agreements (SLAs) officially starts. The CRA&#8217;s requirement to provide updates &#8220;without delay&#8221; is intentionally vague; your policy is where you translate that into concrete, defensible timelines. These SLAs are your public commitment to patching.</p>



<p>The CRA reporting obligations, which became effective on <strong>11 September 2026</strong>, force manufacturers to have these processes documented and ready for inspection. This deadline arrives well before the main obligations in December 2027. Your technical files must prove you can support your products for the required <strong>five-year period</strong> and respond to incidents, all underscoring the urgency of delivering updates &#8220;without delay.&#8221;</p>



<p>The timeline below shows the mandatory support period that every product must follow.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-end-of-life-security-updates-policy-product-timeline.jpg" alt="Timeline illustrating the CRA product lifecycle with stages: Launch, 5 Years of service, and End of Life."/></figure>



<p>As you can see, the <strong>five-year</strong> security support clock starts the moment your product is launched. This is a commitment that must be actively managed until you formally declare its End of Life.</p>



<p>Defining your response timelines is a critical exercise. The following table provides a template for defining your internal and external SLAs based on vulnerability severity, which is a cornerstone of a compliant CRA policy.</p>



<p><strong>Sample Vulnerability Response SLAs</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Severity Level (CVSS Score)</th><th>Acknowledgement SLA</th><th>Patch Development SLA</th><th>Public Disclosure Target</th></tr><tr><td><strong>Critical (9.0-10.0)</strong></td><td>Within 24 hours</td><td>Patch within 15 days</td><td>Coordinated disclosure</td></tr><tr><td><strong>High (7.0-8.9)</strong></td><td>Within 48 hours</td><td>Patch within 30 days</td><td>After patch is available</td></tr><tr><td><strong>Medium (4.0-6.9)</strong></td><td>Within 5 business days</td><td>Patch within 90 days</td><td>In next scheduled advisory</td></tr><tr><td><strong>Low (0.1-3.9)</strong></td><td>Within 10 business days</td><td>Best effort / next release</td><td>At manufacturer&#8217;s discretion</td></tr></tbody></table></figure>



<p>This structure creates an auditable, risk-based process that demonstrates your commitment to timely remediation and helps you meet those crucial reporting deadlines.</p>



<h3 class="wp-block-heading">Differentiating Default vs. Critical Product Timelines</h3>



<p>The CRA isn&#8217;t a one-size-fits-all regulation. It distinguishes between product classes, and your SLAs absolutely must reflect that. &#8216;Critical&#8217; class products—think industrial controllers, network hardware, or safety systems—carry far greater systemic risk and are held to a much higher standard.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A key principle is that the more integral your product is to critical infrastructure or operations, the shorter your patching timeline must be. Your CRA end of life security updates policy must reflect this risk-based approach.</p>
</blockquote>



<p>Your workflow needs to account for the heightened urgency around <a href="https://www.constructive-it.co.uk/post/critical-security-vulnerabilities-in-draytek-devices-immediate-action-required">critical security vulnerabilities</a>, as recent incidents have shown how quickly these can escalate.</p>



<p>Let’s look at a practical comparison of SLAs for two different types of products. A &#8216;Default&#8217; class smart speaker just doesn&#8217;t carry the same weight as a &#8216;Critical&#8217; class Programmable Logic Controller (PLC) used in a factory.</p>



<ul class="wp-block-list">
<li><p><strong>For a Critical vulnerability (CVSS 9.0+):</strong></p>
<ul class="wp-block-list">
<li><strong>&#8216;Default&#8217; Smart Speaker:</strong> You might commit to a patch within <strong>30 days</strong>. An example would be a flaw allowing unauthorized access to the speaker&#8217;s microphone.</li>



<li><strong>&#8216;Critical&#8217; PLC:</strong> The expectation is much shorter, perhaps <strong>15 days</strong> or even less. A similar remote access flaw in a PLC controlling a city&#8217;s water pumps would demand a much faster response.</li>
</ul>
</li>



<li><p><strong>For a High severity vulnerability (CVSS 7.0-8.9):</strong></p>
<ul class="wp-block-list">
<li><strong>&#8216;Default&#8217; Smart Speaker:</strong> A <strong>60-day</strong> patch timeline might be acceptable.</li>



<li><strong>&#8216;Critical&#8217; PLC:</strong> You&#8217;d be expected to deliver a patch within <strong>30 days</strong>.</li>
</ul>
</li>
</ul>



<p>Building this tiered, risk-based workflow isn&#8217;t just a good idea; it&#8217;s a non-negotiable requirement for market access under the CRA. It creates the repeatable, auditable process you need to prove your vulnerability management is both effective and compliant.</p>



<h2 class="wp-block-heading">Drafting Your Policy Document Clause by Clause</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-end-of-life-security-updates-policy-security-policy.jpg" alt="A policy document outlining scope, support period, and vulnerability disclosure with a product distribution timeline diagram."/></figure>



<p>Alright, let&#8217;s get practical. It&#8217;s time to translate your plans into a formal, actionable document. Your <strong>CRA end of life security updates policy</strong> isn&#8217;t just a box-ticking exercise for the lawyers; it&#8217;s a public promise to your supply chain partners and the people who use your products. This document has to be precise, transparent, and leave zero room for interpretation.</p>



<p>Think of this policy as the single source of truth for your product&#8217;s security lifecycle. It spells out your commitments, manages expectations, and gives you a framework for handling vulnerabilities and communicating updates. Every clause needs to be written with both compliance and real-world clarity in mind.</p>



<h3 class="wp-block-heading">Defining Policy Scope and Applicability</h3>



<p>First up, you need to be crystal clear about which products the policy actually covers. This is especially critical if you have a large or growing product portfolio. Getting specific here prevents a world of confusion down the line for everyone from your internal teams to distributors.</p>



<p>The best way to do this is by listing product families or even specific models. Vague, all-encompassing language is a recipe for trouble.</p>



<p>Here&#8217;s how that might look in a real policy:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>&#8220;This Security Update and End-of-Life Policy applies to all hardware and software products with digital elements manufactured by [Your Company Name] and placed on the European Union market on or after December 11, 2027. This includes, but is not limited to, the &#8216;SmartHome Hub&#8217; Series (Models SH-100, SH-200) and the &#8216;SecureConnect&#8217; Router Series (Models SC-500, SC-550).&#8221;</p>
</blockquote>



<p>This example immediately clarifies which products are in scope, ties it directly to the CRA&#8217;s start date, and gives concrete examples. If you need a deeper dive into the documentation required, our guide on <a href="https://goregulus.com/cra-documentation/technical-documentation/">CRA technical documentation</a> is a great resource.</p>



<h3 class="wp-block-heading">Articulating the Security Support Period</h3>



<p>This is the absolute heart of your policy. The CRA sets a floor with its <strong>five-year</strong> minimum, but as we’ve discussed, your product&#8217;s real-world lifespan might demand a longer commitment. Your policy must state this support period without any ambiguity for each product or product line.</p>



<p>Remember, the clock starts ticking the moment a product is &#8220;first placed on the market.&#8221; Be precise about this so you have a clear, auditable timeline.</p>



<p>Here’s a practical clause:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>&#8220;Each product covered by this policy will receive security updates for a period of no less than seven (7) years from the date it is first placed on the EU market. For Product Model Z, first placed on the EU market on June 1, 2027, security updates will be provided until at least June 1, 2034. The specific End-of-Life (EOL) date for each product model will be published on our corporate website.&#8221;</p>
</blockquote>



<p>This clause doesn&#8217;t just meet the CRA minimum; it extends it based on the product&#8217;s expected use, showing a real commitment to security. It also provides a specific, verifiable example and tells people exactly where to find EOL dates.</p>



<h3 class="wp-block-heading">Outlining the Vulnerability Disclosure and Patching Process</h3>



<p>Transparency in how you handle vulnerabilities is a non-negotiable part of the CRA. This section of your policy needs to lay out the journey from receiving a vulnerability report to shipping a patch. While your internal SLAs can hold the fine-grained details, the public policy should give a clear, high-level overview.</p>



<p>You should also point to your vulnerability disclosure programme (VDP) and the channels researchers should use. It shows you have a mature process for getting that crucial external security intelligence.</p>



<p>A solid vulnerability process clause should cover:</p>



<ul class="wp-block-list">
<li><strong>Reporting Channels:</strong> Be specific about how security researchers can contact you. Point them to your <code>security.txt</code> file, a web form, or a dedicated email address. For example: &#8220;Security researchers are encouraged to report potential vulnerabilities to <a href="mailto:security@yourcompany.com">security@yourcompany.com</a>. Our PGP key for encrypted communication is available on our Vulnerability Disclosure Policy page.&#8221;</li>



<li><strong>Nature of Support:</strong> Make it clear that this support is for security vulnerabilities, not for adding new features or fixing general software bugs.</li>



<li><strong>Update Delivery:</strong> Explain how users will get the updates (e.g., over-the-air, manual download) and confirm they will be provided <strong>free of charge</strong>. For example: &#8220;Updates are delivered automatically via over-the-air (OTA) updates. Users will receive a notification in the companion app to initiate the update.&#8221;</li>
</ul>



<p>This section effectively turns your internal workflows into a public commitment, which goes a long way in building trust with customers and the security community.</p>



<h3 class="wp-block-heading">Structuring Your Communication Plan</h3>



<p>Your policy has to spell out how you&#8217;ll communicate with everyone in your supply chain—importers, distributors, and end-users. A vulnerability isn’t truly fixed until the patch is actually applied, and that requires telling people about it.</p>



<p>The CRA places duties on every economic operator, so your communication plan must help them meet their own obligations. An importer needs to know about a patch just as urgently as an end-user does.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A robust communication clause ensures every actor in the supply chain receives timely, actionable information. This is not just good practice; it&#8217;s a critical component of your shared responsibility under the CRA.</p>
</blockquote>



<p>Here&#8217;s an example of what that commitment looks like on paper:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>&#8220;Upon the release of a security update, [Your Company Name] will notify affected parties through the following channels:</p>



<ul class="wp-block-list">
<li><strong>End-Users:</strong> In-app notifications and a public security advisory posted on our website.</li>



<li><strong>Distributors and Importers:</strong> Direct email notifications to registered supply chain partners within 48 hours of a patch release, including details on the vulnerability and affected product versions.</li>
</ul>



<p>We will provide at least 180 days&#8217; notice before a product&#8217;s declared End-of-Life date, communicated via our website and direct partner channels.&#8221;</p>
</blockquote>



<p>This clause establishes a clear, multi-channel strategy. It ensures the information gets to everyone who needs it, from a homeowner with a smart device to the distributor who brought it into the country. This kind of systematic approach is the backbone of a compliant and effective CRA end of life security updates policy.</p>



<p>The Cyber Resilience Act doesn’t just apply to future products. It creates complex, and often misunderstood, obligations for the devices you already have on the EU market.</p>



<p>The transition period leading up to the full <strong>11 December 2027</strong> deadline requires a clear strategy for these legacy products. Ignoring them is not an option, and getting it wrong can create a major compliance and reputational risk.</p>



<p>While products placed on the market before that date won’t need to meet every CRA requirement retroactively, crucial provisions still apply. Key among them are the rules on vulnerability handling and incident reporting. Your <strong>CRA end of life security updates policy</strong> must therefore have a concrete plan for this transition.</p>



<h3 class="wp-block-heading">Start With a Legacy Product Inventory</h3>



<p>Your first practical step is to get a complete picture of every product with digital elements your company has placed on the EU market. This inventory is the absolute foundation of your transition strategy.</p>



<p>You need to map out your entire portfolio, organised by launch date. For example, imagine a manufacturer with three key product lines:</p>



<ul class="wp-block-list">
<li><strong>Product Line A:</strong> Launched in 2024</li>



<li><strong>Product Line B:</strong> Launched in 2025</li>



<li><strong>Product Line C:</strong> Launched in early 2026</li>
</ul>



<p>Each of these product families carries different obligations under the CRA’s phased timeline. A simple spreadsheet or asset management tool can get you started, but the goal is a definitive record that maps each SKU to its specific compliance path.</p>



<h3 class="wp-block-heading">Understand the Critical Transitional Deadlines</h3>



<p>The CRA’s rollout isn’t a single event. Certain rules activate much earlier than others, and they directly impact your legacy products. Two dates are especially important for your transition plan.</p>



<p>First, the manufacturer’s vulnerability and incident reporting duties under <strong>Article 14</strong> kick in from <strong>11 September 2026</strong>. For all in-scope products already on the market—including those launched in 2024, 2025, and 2026—you must have a process to report actively exploited vulnerabilities to the designated authorities.</p>



<p>Second, the main CRA obligations, like the five-year support window and full technical documentation, apply to products placed on the market from <strong>11 December 2027</strong> onwards. Products launched before this are generally exempt from these retroactive requirements, but there&#8217;s a huge catch: &#8220;substantial modifications.&#8221;</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A &#8220;substantial modification&#8221; is any change made after the deadline that alters the product&#8217;s original intended purpose, function, or type in a way that could change its compliance with the CRA. This effectively turns a legacy product into a new one from a regulatory standpoint.</p>
</blockquote>



<p>For instance, if your team pushes a significant firmware update in 2028 for your 2026 product line—one that adds new connectivity features or increases its cybersecurity risk—that updated version will likely need to be fully CRA-compliant. A practical example: changing a smart camera&#8217;s firmware to allow cloud storage where previously only local storage was possible would almost certainly be a substantial modification. Your transition plan must account for this.</p>



<h3 class="wp-block-heading">Build Your Practical Transition Plan</h3>



<p>With your inventory complete and deadlines understood, you can build a transition plan that prevents compliance gaps. This shouldn&#8217;t be an informal checklist; it must be a documented part of your formal CRA strategy.</p>



<p>The plan needs to outline precisely how you will handle products based on their market placement date.</p>



<p><strong>A Real-World Example: Transition Strategy for Three Product Lines</strong></p>



<p>Let&#8217;s look at how this applies to our example portfolio:</p>



<ol class="wp-block-list">
<li><p><strong>Product Lines A, B, and C (Launched 2024-2026):</strong></p>
<ul class="wp-block-list">
<li><strong>Action:</strong> Implement a vulnerability monitoring and incident response workflow immediately. You must be ready to meet the <strong>11 September 2026</strong> reporting deadline. This means having the systems to detect, assess, and report actively exploited vulnerabilities to the designated CSIRT via ENISA&#8217;s platform.</li>



<li><strong>Action:</strong> Define and enforce a strict policy on &#8220;substantial modifications.&#8221; Your engineering and product teams have to understand that any major post-2027 update could trigger full CRA conformity requirements, turning a simple update into a major compliance project.</li>



<li><strong>Action:</strong> Communicate a clear support status. Even if the CRA&#8217;s five-year rule doesn&#8217;t retroactively apply, providing security updates for a defined, reasonable period builds customer trust and reduces your risk exposure.</li>
</ul>
</li>



<li><p><strong>New Products (Launched from 11 December 2027 onwards):</strong></p>
<ul class="wp-block-list">
<li><strong>Action:</strong> These products must be fully compliant from day one. All your processes for secure design, vulnerability management, documentation (including the SBOM), and the five-year support window must be fully operational and evidenced.</li>
</ul>
</li>
</ol>



<p>This tiered approach ensures you allocate resources effectively. You can prioritise the urgent reporting requirements for legacy devices while systematically preparing your entire product development lifecycle for full compliance. It’s the only way to turn the complex CRA transition period into a manageable, step-by-step process.</p>



<h2 class="wp-block-heading">Generating and Maintaining Your Compliance Evidence</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-end-of-life-security-updates-policy-security-workflow.jpg" alt="Visualizing the security update policy workflow, from vulnerability reports to an audit-ready SBOM."/></figure>



<p>When it comes to the Cyber Resilience Act, the guiding principle is brutally simple: if you can&#8217;t prove it, it didn&#8217;t happen. A perfectly written <strong>CRA end-of-life security updates policy</strong> is just the beginning. The real challenge is generating the complete, auditable evidence trail that regulators expect to see in your technical file, as outlined in <strong>Annex II and VII</strong>.</p>



<p>This isn&#8217;t about scrambling to create paperwork during an audit. It’s about building a system where compliance evidence is the natural output of your day-to-day security and development work. Market surveillance authorities will want to see a clear, traceable line from a vulnerability report all the way to a deployed patch, and your records are what will tell that story.</p>



<h3 class="wp-block-heading">The Software Bill of Materials as Your Foundation</h3>



<p>The absolute cornerstone of your evidence file is the <strong>Software Bill of Materials (SBOM)</strong>. The CRA makes this mandatory, transforming the SBOM from a nice-to-have best practice into a fundamental condition for market access for any product with digital elements.</p>



<p>Your SBOM must be in a common, machine-readable format like SPDX or CycloneDX. While the law requires you to detail at least the top-level dependencies, both best practice and regulatory expectations are pushing for a deeper view that includes transitive dependencies. You’re on the hook for keeping this document for at least <strong>ten years</strong> after the product is placed on the market.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The SBOM isn’t a static document you create once at release. It is a living record. It must be updated with every single patch or component change, providing a real-time inventory of your product&#8217;s software DNA.</p>
</blockquote>



<p>Think of it this way: when you patch a third-party library to fix a critical flaw, your SBOM must be updated to show the new, secure version. That updated SBOM becomes a key piece of evidence, proving you’ve closed the risk.</p>



<h3 class="wp-block-heading">Building Your Undeniable Audit Trail</h3>



<p>An effective audit trail isn’t just a pile of documents; it’s a coherent story that connects every piece of evidence. Regulators need to see the entire lifecycle of your vulnerability response, from the initial report to the final fix.</p>



<p>Here’s a practical example of how you can link records to build that undeniable proof:</p>



<ol class="wp-block-list">
<li><strong>Vulnerability Report:</strong> A researcher reports a flaw in the <code>lib-auth-v1.2</code> library used in your &#8220;SmartConnect Hub&#8221; via your <code>security@yourcompany.com</code> inbox. You immediately log this report with a unique ID, let&#8217;s say <code>VR-2028-005</code>.</li>



<li><strong>Internal Triage:</strong> Your security team confirms a CVSS score of <strong>8.8 (High)</strong>. They document this assessment in your issue tracker, making sure to link it back to the original report, <code>VR-2028-005</code>.</li>



<li><strong>Patch Development:</strong> Your engineers get to work. When they commit the fix, the Git message is explicit: <code>“Fix: Update lib-auth to v1.3 to resolve VR-2028-005.”</code> The link is clear.</li>



<li><strong>Firmware Release:</strong> You release a new firmware version, <code>v2.5.1</code>, containing the patch. The release notes specifically call out the security fix.</li>



<li><strong>SBOM Update:</strong> The SBOM for firmware <code>v2.5.1</code> is generated, and it now correctly lists <code>lib-auth-v1.3</code>.</li>



<li><strong>Communication Logs:</strong> You send a notification to your distributors about the critical update and publish a security advisory on your website. These communications are time-stamped, creating a permanent record.</li>
</ol>



<p>This chain—from email to Git commit to SBOM—creates a complete and irrefutable audit trail. It doesn&#8217;t just show you fixed the bug; it proves you followed your own documented process. For a full breakdown of what to include, you might want to look at our guide on building a <a href="https://goregulus.com/uncategorized/cra-compliance-evidence-pack/">CRA compliance evidence pack</a>.</p>



<h3 class="wp-block-heading">A Checklist of Essential Compliance Evidence</h3>



<p>Whether you’re facing an importer’s verification request or a full regulatory audit, you need your technical file organised and ready. Here is a checklist of the core evidence you should be generating and maintaining as a matter of course.</p>



<ul class="wp-block-list">
<li><strong>Vulnerability Management Records:</strong>
<ul class="wp-block-list">
<li>Logs of all inbound vulnerability reports from researchers, automated tools, and other sources.</li>



<li>Internal triage notes, including CVSS scores and your reasoning for prioritisation.</li>



<li>Records of all communications with the people who reported the vulnerabilities.</li>
</ul>
</li>



<li><strong>Development and Patching Artefacts:</strong>
<ul class="wp-block-list">
<li>Version control history with commit messages clearly linked to specific vulnerability fixes.</li>



<li>QA reports and test results that validate the security patches.</li>



<li>Release notes that transparently identify security updates for your users.</li>
</ul>
</li>



<li><strong>SBOM Lifecycle Records:</strong>
<ul class="wp-block-list">
<li>A complete and up-to-date SBOM for every single product version you ship.</li>



<li>A changelog or version history for your SBOMs, showing exactly how and when they have evolved.</li>
</ul>
</li>



<li><strong>Supply Chain Communication Logs:</strong>
<ul class="wp-block-list">
<li>Copies of emails or portal notifications sent to importers and distributors about security updates.</li>



<li>Time-stamped records of any publicly posted security advisories.</li>
</ul>
</li>
</ul>



<p>By systematically collecting and organising these records, you move your policy from being a static document to a living, auditable system that truly demonstrates cyber resilience.</p>



<p>Digging into the details of the Cyber Resilience Act, even with a solid plan, can bring up some tricky questions. Let&#8217;s tackle some of the most common grey areas and practical scenarios we see manufacturers wrestle with when building their <strong>CRA end-of-life security updates policy</strong>.</p>



<h3 class="wp-block-heading">What Does &#8216;Without Delay&#8217; <em>Really</em> Mean in Practice?</h3>



<p>&#8220;Without delay&#8221; is probably one of the most debated phrases in the entire CRA, and for good reason. The regulators intentionally left it open to interpretation. They&#8217;re not looking for a fixed number of days; they&#8217;re looking for a risk-based response you can defend. Everyone understands that not all vulnerabilities are equal and that a proper patch is more than a quick code change.</p>



<p>The real test is whether your timeline is justifiable given the circumstances. Several factors will naturally shape how fast you can—and should—roll out an update:</p>



<ul class="wp-block-list">
<li><strong>Vulnerability Severity:</strong> A critical remote code execution flaw (CVSS score <strong>9.0+</strong>) is an all-hands-on-deck emergency. A low-severity issue, on the other hand, can probably wait for the next scheduled patch release.</li>



<li><strong>Fix Complexity:</strong> Some fixes are simple. A quick configuration change can be pushed out rapidly. But a flaw buried deep in the firmware might demand serious re-engineering and testing, which just takes more time.</li>



<li><strong>Testing and QA Cycles:</strong> Rushing out a broken patch can cause more damage than the vulnerability itself. Your timeline has to bake in enough time for rigorous testing to make sure the fix is stable and doesn&#8217;t create new problems.</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>For example, if a critical vulnerability is found, &#8220;without delay&#8221; could mean your security team works through the weekend to develop a patch within <strong>72 hours</strong>. This would be followed by another <strong>48 hours</strong> of automated and manual QA before deployment. For a medium-severity bug, a <strong>30-day</strong> sprint cycle is often a perfectly reasonable and defensible timeframe. The key is to have these SLAs defined and documented internally.</p>
</blockquote>



<h3 class="wp-block-heading">Does the Five-Year Clock Apply to Products Sold Before the Deadline?</h3>



<p>This is a major point of confusion, so let&#8217;s clear it up. The <strong>five-year</strong> minimum support clock officially starts ticking only when a product is first &#8220;placed on the market&#8221; <em>after</em> the CRA’s main rules apply on <strong>11 December 2027</strong>. A product you sell on 10 December 2027 is not retroactively covered by this five-year rule.</p>



<p>However, that doesn&#8217;t give pre-deadline products a free pass. There are a couple of important nuances to be aware of.</p>



<p>First, the reporting obligations kick in much sooner. The duty to report actively exploited vulnerabilities to the authorities applies from <strong>11 September 2026</strong>. This affects <em>all</em> products on the market, including your legacy devices.</p>



<p>Second, think about your supply chain partners. An importer bringing your pre-2027 product into the EU will still have their own due diligence to perform. A clear EOL policy, even for older products, makes their life easier and shows you’re a reliable partner. For example, if you provide a clear 2-year support policy for a product sold in 2026, an importer can use that information to confidently handle their obligations, making them more likely to stock your product.</p>



<p>So, while the five-year rule isn&#8217;t retroactive, the CRA&#8217;s earlier reporting deadlines and the expectations of your supply chain mean your legacy products are very much part of the bigger picture.</p>



<h3 class="wp-block-heading">How Do We Announce an End-of-Life Date Without Scaring Off Customers?</h3>



<p>This is all about framing. A lot of manufacturers worry that advertising an EOL date sounds like planned obsolescence and will kill sales. The trick is to position your support period as a guarantee of quality and a transparent security commitment, not as a countdown to a useless product.</p>



<p>Don&#8217;t hide it. Make it a selling point.</p>



<p>Being upfront builds trust and manages customer expectations right from the beginning. It shows you’re a professional organisation that stands behind its products.</p>



<p>Here’s how you can phrase it positively on your website, packaging, and manuals:</p>



<ul class="wp-block-list">
<li><strong>On the Box:</strong> &#8220;Includes guaranteed security updates until at least December 2032 to protect your investment.&#8221;</li>



<li><strong>On a Product Webpage:</strong> &#8220;We stand behind our products. The SmartHome Hub 2.0 comes with a <strong>7-year</strong> security support commitment, ensuring it stays safe and reliable throughout its expected lifetime.&#8221;</li>



<li><strong>In the User Manual:</strong> &#8220;To ensure your long-term security, [Your Company Name] provides critical security patches for this product for a minimum of five years from its market launch. You can find the specific EOL support date for your model at [link to your EOL page].&#8221;</li>
</ul>



<p>When you&#8217;re this transparent, a regulatory headache becomes a competitive advantage. It tells the world you’re serious about keeping your customers safe.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><strong>Regulus</strong> provides a step-by-step roadmap to turn complex CRA findings into an actionable compliance plan. Our platform helps you unify applicability assessments, generate tailored requirements, and structure technical evidence so you can confidently place compliant products on the European market. Gain clarity and reduce costs by visiting us at <a href="https://goregulus.com">https://goregulus.com</a>.</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-end-of-life-security-updates-policy/">Your Guide to a Compliant CRA End of Life Security Updates Policy</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CRA Security Support Period Definition Explained for 2026</title>
		<link>https://goregulus.com/cra-basics/cra-security-support-period-definition/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 22 Jun 2026 12:56:35 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA Security Support]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU CRA compliance]]></category>
		<category><![CDATA[product security]]></category>
		<category><![CDATA[Vulnerability Management]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2212</guid>

					<description><![CDATA[<p>The CRA security support period is the legally mandated timeframe where you, the manufacturer, must provide free and timely security updates to fix vulnerabilities after your product is on the market. Think of it as a cybersecurity warranty that&#8217;s no longer optional. It shifts security from a value-add feature to a fundamental obligation for accessing [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-security-support-period-definition/">CRA Security Support Period Definition Explained for 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The <strong>CRA security support period</strong> is the legally mandated timeframe where you, the manufacturer, must provide free and timely security updates to fix vulnerabilities after your product is on the market. Think of it as a cybersecurity warranty that&#8217;s no longer optional. It shifts security from a value-add feature to a fundamental obligation for accessing the EU market.</p>



<h2 class="wp-block-heading">Defining the Security Support Period Under the CRA</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-security-support-period-definition-support-period.jpg" alt="Sketch of a digital door lock linked to a calendar, illustrating a security support period."/></figure>



<p>Let&#8217;s say you&#8217;ve developed a new smart home camera. In the past, you decided how long to provide security patches based on business strategy. The Cyber Resilience Act (CRA) changes that completely. This is now a legal requirement, and the <strong>security support period</strong> is the core concept defining your long-term commitment to a product&#8217;s safety once it&#8217;s in a customer&#8217;s hands.</p>



<p>This isn’t just about fixing the odd bug. It’s about actively maintaining your product&#8217;s defences throughout its expected lifetime. The CRA’s goal is simple: protect consumers from devices that become insecure over time, so they can trust the connected products they buy.</p>



<h3 class="wp-block-heading">From Feature to Legal Requirement</h3>



<p>This is a massive shift for manufacturers. What was once a competitive advantage or a premium service offering is now the baseline for entry into the EU market. Your responsibility doesn&#8217;t end when the product is sold; it extends for a defined period afterwards.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Under the CRA, manufacturers are legally bound to address vulnerabilities for a defined period. This transforms post-market surveillance from a best practice into an enforceable duty, ensuring products remain resilient against emerging threats.</p>
</blockquote>



<h3 class="wp-block-heading">Practical Examples of the Support Period</h3>



<p>Understanding this is easiest with a few real-world scenarios. The support period you define has to be realistic and defensible, tied directly to how a consumer would reasonably expect to use the product.</p>



<ul class="wp-block-list">
<li><strong>Smart Security Lock:</strong> A customer expects a high-end digital lock to secure their home for years. A manufacturer might therefore define a <strong>10-year support period</strong>, committing to patching any new software flaws or exploits for a full decade.</li>



<li><strong>Connected Kitchen Scale:</strong> This device has a much lower security risk and a shorter expected lifespan. Here, the manufacturer could reasonably set a <strong>5-year support period</strong>—which is the minimum under the CRA, unless an even shorter lifetime can be justified.</li>



<li><strong>Smart Toy for Children:</strong> A connected toy might have a camera or microphone. While its play value might only last a year or two, its potential for privacy invasion means regulators will expect a support period covering its realistic use, likely hitting the <strong>5-year minimum</strong> to protect children&#8217;s data long-term.</li>
</ul>



<p>To get a clearer picture of which of your products fall under these new rules, have a look at our guide on the <a href="https://goregulus.com/cra-basics/cra-scope/">scope of the Cyber Resilience Act</a>. Getting this right sets the foundation for all your other compliance activities.</p>



<h2 class="wp-block-heading">How to Calculate Your Product&#8217;s Support Period</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-security-support-period-definition-product-lifetime.jpg" alt="A balance scale weighs a refrigerator against stacked labels of 'lifetime' and 'years', symbolizing support periods."/></figure>



<p>Figuring out your product&#8217;s security support period isn&#8217;t a guessing game. It’s a strategic decision you have to be ready to defend in front of regulators. The Cyber Resilience Act (CRA) ties this period directly to your product&#8217;s <strong>&#8216;expected lifetime&#8217;</strong>, meaning you need a clear, documented method for calculating how long customers will realistically use it.</p>



<p>This goes far beyond a simple warranty. It requires a hard look at your product&#8217;s purpose, value, and place in the market. You are effectively defining the window during which you are legally on the hook for its security.</p>



<h3 class="wp-block-heading">Factors for Defining Expected Lifetime</h3>



<p>To land on a reasonable and compliant expected lifetime, you need to analyse several key factors. This entire process must be documented because it’s a critical part of your technical file and conformity assessment.</p>



<ul class="wp-block-list">
<li><p><strong>Product Purpose and Type:</strong> Is your product a core piece of infrastructure or a throwaway novelty? A smart thermostat built into a building’s HVAC system clearly has a longer expected lifetime than a connected party speaker. <strong>Practical Example:</strong> A smart thermostat is physically installed and expected to function for 10-15 years, so its support period should align with that. A portable Bluetooth speaker might only be expected to last 3-5 years.</p></li>



<li><p><strong>Customer Expectations:</strong> Put yourself in your customer’s shoes. Someone buying a high-end smart refrigerator rightly expects it to receive security updates for a decade or more, matching its high price tag and long service life. <strong>Practical Example:</strong> A €3,000 smart fridge should receive updates for its entire useful life (e.g., 10+ years), whereas a €50 smart coffee mug has much lower expectations.</p></li>



<li><p><strong>Market Comparisons:</strong> What are your competitors doing? Analysing the support periods and lifecycles of similar products helps establish a benchmark for what’s considered standard practice in your product category. <strong>Practical Example:</strong> If leading brands of smart TVs offer 7 years of security support, offering only the 5-year minimum for your competing model might be hard to justify to regulators.</p></li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The core principle is justification. Your support period must be a logical extension of the product’s intended use and market context, not an arbitrary number picked for convenience. A well-reasoned calculation is your best defence during market surveillance.</p>
</blockquote>



<p>The CRA also throws in a crucial safety net for consumers. While you should aim for a support period that matches the product&#8217;s expected lifetime, the law mandates it must last for <strong>at least five years</strong>. This rule creates a non-negotiable minimum commitment for most products, ensuring a baseline of long-term security.</p>



<h3 class="wp-block-heading">Practical Calculation Examples</h3>



<p>Let’s apply these factors to a couple of different products to see how their support periods might shake out. This shows how the CRA security support period definition works in the real world.</p>



<ol class="wp-block-list">
<li><p><strong>Connected Holiday Decorations:</strong> These have a very specific, seasonal use. A consumer probably expects them to work for a few holiday seasons at most. A manufacturer could justifiably argue for a shorter expected lifetime, perhaps two or three years, but would still be bound by the five-year minimum support requirement.</p></li>



<li><p><strong>Industrial IoT Sensor:</strong> An IIoT sensor used in a factory to monitor critical machinery is expected to operate reliably for a long, long time. Given its role in operational safety and efficiency, its expected lifetime could easily be <strong>10-15 years</strong>, demanding a correspondingly long security support period.</p></li>
</ol>



<p>Ultimately, your goal is to arrive at a period you can confidently document and defend. Getting a handle on these calculations is vital, as the clock on these obligations is already ticking. You might want to check out our guide on the <a href="https://goregulus.com/cra-compliance/cra-deadlines-2025-2027/">upcoming CRA deadlines for 2025-2027</a>.</p>



<h2 class="wp-block-heading">Your Obligations During the Support Period</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-security-support-period-definition-security-concepts.jpg" alt="Illustrated icons representing security concepts: Patching, Vulnerability Management, and Transparent Communication."/></figure>



<p>Defining your product&#8217;s security support period is one thing, but living up to that promise is where the real work begins. Under the Cyber Resilience Act (CRA), this period isn&#8217;t a passive warranty—it&#8217;s an active, continuous service commitment you owe your customers.</p>



<p>Think of it less like a one-off compliance checkbox and more like a live service agreement for your product’s security. Your responsibilities here aren&#8217;t just good practice; they are legal duties that make or break your market access. These obligations are fundamental to what the <strong>CRA security support period definition</strong> truly means in practice.</p>



<p>Let’s break down exactly what the regulation expects from you day in and day out.</p>



<h3 class="wp-block-heading">Proactive Patching and Free Updates</h3>



<p>Your first and most important job is to hunt down and fix security flaws. The CRA firmly rejects the old, reactive model of waiting for bug reports to trickle in. Instead, you are expected to be on the front foot, actively monitoring your product and its third-party components for emerging vulnerabilities.</p>



<p>When a flaw is found, your obligation is to develop and ship a security update to fix it. Critically, these patches must be provided <strong>free of charge</strong> and delivered in a way that’s simple for users to install. Long gone are the days of hiding updates behind complex portals or paywalls.</p>



<p>A smart TV manufacturer, for example, must have a system to push an over-the-air (OTA) update automatically to all its devices when a flaw is discovered in its operating system. The user should see nothing more than a simple on-screen prompt to install it.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The CRA’s mandate is clear: security updates must be delivered <strong>without delay</strong>. This means having a well-oiled machine for patch development, testing, and deployment is non-negotiable for the entire support period.</p>
</blockquote>



<h3 class="wp-block-heading">Structured Vulnerability Management</h3>



<p>Alongside your own proactive work, you must build a formal, organised system for handling vulnerabilities that others find and report. This requires a public, secure channel where security researchers, ethical hackers, and even customers can submit potential bugs they’ve discovered.</p>



<p>To give you a clearer picture, here’s a summary of the core obligations that fall under vulnerability management.</p>



<h3 class="wp-block-heading">Key Manufacturer Obligations During the Security Support Period</h3>



<p>This table outlines the main responsibilities manufacturers have throughout the defined support lifecycle of a product with digital elements.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Obligation Area</th><th>Description</th><th>Practical Example</th></tr><tr><td><strong>Patch Management</strong></td><td>Actively monitor for, develop, and deploy security updates to remediate vulnerabilities. Updates must be free and easy for users to install.</td><td>Pushing an automatic over-the-air (OTA) update to a smart home hub to fix a network vulnerability, with a simple in-app notification for the user.</td></tr><tr><td><strong>Vulnerability Handling</strong></td><td>Establish and maintain a secure, public channel for receiving vulnerability reports. This includes processes for intake, verification, and coordinated disclosure.</td><td>Creating a &#8220;<a href="mailto:security@company.com">security@company.com</a>&#8221; email and a dedicated web form, then acknowledging a researcher&#8217;s report within 48 hours and keeping them updated on the fix.</td></tr><tr><td><strong>Transparent Communication</strong></td><td>Clearly state the security support period in product documentation from the moment it is placed on the market.</td><td>Including the statement, &#8220;This product will receive security updates until at least 31 December 2033&#8221; in the user manual and on the product&#8217;s online store page.</td></tr><tr><td><strong>Post-Market Surveillance</strong></td><td>Continuously monitor the product in the field for any security-related events or new threats that may not have been present at launch.</td><td>Using aggregated, anonymised log data from a fleet of deployed IoT devices to detect anomalous behaviour that could signal a new attack vector.</td></tr></tbody></table></figure>



<p>Ultimately, these duties work together to create a cycle of continuous improvement and risk reduction, which is exactly what regulators want to see.</p>



<h3 class="wp-block-heading">Transparent Communication and Documentation</h3>



<p>Finally, transparency is a non-negotiable pillar of the CRA. You are legally required to tell your customers exactly how long the security support period will last, right from day one. This information must be clear and easy to find in the product’s documentation, like the user manual, on the packaging, or on its website.</p>



<p>This upfront declaration does two things: it manages customer expectations and serves as your public, legally binding commitment. It empowers buyers to make smarter purchasing decisions, weighing the long-term security of your product against competitors.</p>



<p>For instance, the online listing for a new Wi-Fi router must explicitly state something like, &#8220;<strong>This product will receive security updates for a minimum of 7 years from the date of purchase</strong>.&#8221; No ambiguity, no fine print. Just a clear, honest statement.</p>



<h2 class="wp-block-heading">Managing the 24-Hour Vulnerability Reporting Deadline</h2>



<p>When an actively exploited vulnerability hits your product, the clock starts ticking. Loudly. The Cyber Resilience Act (CRA) gives you just <strong>24 hours</strong> to report it, turning a bad day into a frantic race against a legal deadline.</p>



<p>This isn&#8217;t a suggestion; it&#8217;s a mandate. The rule exists to trigger a rapid, coordinated EU-wide response to protect users and critical infrastructure. Without a battle-tested plan, you&#8217;re not just risking a security crisis—you&#8217;re facing serious penalties and a major blow to your brand.</p>



<h3 class="wp-block-heading">Understanding the Reporting Triggers</h3>



<p>The <strong>24-hour</strong> countdown begins the moment you become aware that a vulnerability in your product is <strong>‘actively exploited’</strong>. This isn’t about a theoretical weakness found in a lab. It means attackers are <em>actually using</em> the flaw out in the wild to compromise systems.</p>



<p><strong>Practical Example:</strong> Your security team discovers forum posts with code showing how to take control of your smart doorbell model by exploiting a specific flaw. This is active exploitation, and your 24-hour reporting clock has just started.</p>



<p>This rapid reporting duty is also triggered by any security incident that has a severe impact on your product&#8217;s security, even without confirmed exploitation. Your team needs the skills and authority to assess a situation fast and decide if it hits the threshold for immediate notification.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The moment you learn of an actively exploited vulnerability, you must notify your national Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA). This is an immediate early warning—not a report you file after you’ve fixed it.</p>
</blockquote>



<h3 class="wp-block-heading">A High-Pressure Incident Timeline</h3>



<p>To pull this off, your internal incident response process needs to be flawless. Think about the timeline from the moment of discovery (Hour 0) to the reporting deadline (Hour 24). It&#8217;s tight.</p>



<ul class="wp-block-list">
<li><p><strong>Hour 0-2: Initial Triage.</strong> Your security team gets an alert—maybe a zero-day exploit. The first two hours are a blur of confirming the vulnerability and hunting for the first pieces of evidence showing it&#8217;s being actively used.</p></li>



<li><p><strong>Hour 3-12: Impact Assessment.</strong> The full incident response team is activated. Their job is to quickly understand the blast radius: which product versions are affected, how many users are at risk, and what the potential damage could be.</p></li>



<li><p><strong>Hour 13-20: Drafting the Report.</strong> Your compliance lead grabs a pre-approved communication template and starts drafting the initial notification for ENISA and the national CSIRT. The report must be clear, concise, and packed with all known technical details. You can find more on these formal duties in our article on <a href="https://goregulus.com/uncategorized/cra-reporting-obligations-article-14/">CRA reporting obligations under Article 14</a>.</p></li>



<li><p><strong>Hour 21-24: Review and Submission.</strong> The draft goes through a final, high-speed review by legal and technical leadership. Then, it&#8217;s submitted through the official portal. You absolutely want to submit well before the final hour to avoid any last-minute technical glitches.</p></li>
</ul>



<p>This <strong>24-hour</strong> reporting requirement will apply sooner than other parts of the CRA. In fact, manufacturers must be ready to report vulnerabilities starting <strong>September 11, 2026</strong>. You can read more about what you need to be doing to prepare for the <a href="https://www.dlapiper.com/en/insights/publications/2026/02/cyber-resilience-act-what-you-need-to-know-and-what-you-need-to-be-doing">Cyber Resilience Act on DLAPiper.com</a>.</p>



<p>Turning this potential chaos into a structured process means preparing now. You need a dedicated incident response team, clear lines of authority, and ready-to-go templates.</p>



<p>The infographic below highlights the pressure-cooker scenario of an actively exploited vulnerability. Once discovered, the clock starts ticking on a mandatory <strong>24-hour</strong> reporting window.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/04/cra-security-support-period-definition-vulnerability-timeline.jpg" alt="Timeline illustrating a 24-hour vulnerability report process from discovery to patching."/></figure>



<p>This tight deadline alone shows why having a pre-planned incident response process is not just good practice—it&#8217;s a core survival skill under the CRA.</p>



<h2 class="wp-block-heading">Practical Scenarios: Support Period in Action</h2>



<p>Let&#8217;s move from theory to practice. Seeing how the CRA’s security support period plays out in the real world is the best way to understand the planning, documentation, and long-term commitment it demands from manufacturers.</p>



<h3 class="wp-block-heading">Scenario 1: The High-Risk Smart Security Camera</h3>



<p>Imagine SecureHome, a manufacturer launching a new, high-end security camera with advanced AI features. This isn&#8217;t a cheap gadget; it’s a premium product designed to protect a family&#8217;s home. Given its critical function and price point, the company determines the product’s <strong>expected lifetime is at least 10 years</strong>.</p>



<p>SecureHome doesn&#8217;t just guess. They formally document this assessment in their technical files, referencing market analysis of similar high-value security systems. Based on this, they commit to a <strong>10-year security support period</strong>. This isn&#8217;t buried in the fine print; it&#8217;s stated clearly on the packaging, in the user manual, and on their website.</p>



<p><strong>The Test in Year Six</strong></p>



<p>Six years after the camera’s launch, a crisis hits. A security researcher finds a serious vulnerability that could let an attacker bypass authentication and view the live video feed. Worse, there&#8217;s evidence the flaw is being actively exploited in the wild. The <strong>24-hour reporting clock starts now</strong>.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Because they were prepared, SecureHome&#8217;s team validates the report and submits its initial notification to ENISA and the relevant national CSIRT in just <strong>18 hours</strong>. Their well-rehearsed incident response plan and pre-written templates made all the difference.</p>
</blockquote>



<p>In the following two weeks, their engineers develop, test, and deploy a free over-the-air (OTA) security patch to every affected camera. SecureHome turned a potential disaster into a demonstration of competence, precisely because their long-term support obligations were baked into their processes from day one.</p>



<h3 class="wp-block-heading">Scenario 2: The Standard-Risk Connected Kitchen Scale</h3>



<p>Now, let&#8217;s look at a different type of product. A company called PreciseKitchen is launching a smart kitchen scale that sends nutritional data to a mobile app. It&#8217;s a useful consumer gadget but serves no critical function. It falls squarely into a lower-risk category.</p>



<p>PreciseKitchen analyses the market and concludes a reasonable expected lifetime for this type of device is five years. They decide to set the security support period to the <strong>CRA-mandated minimum of 5 years</strong>. This decision is justified and documented, with the product’s low cost and non-critical nature as the key rationale.</p>



<p><strong>Planning for End-of-Life</strong></p>



<p>For PreciseKitchen, the game isn&#8217;t just about starting support; it&#8217;s about ending it gracefully. As the <strong>5-year</strong> period nears its conclusion, their focus shifts entirely to transparent communication. They don&#8217;t want to leave their users in the lurch.</p>



<p>One year before support ends, they begin a clear notification campaign through the companion app and by email.</p>



<ul class="wp-block-list">
<li><strong>12 Months Out:</strong> An initial heads-up that security updates will stop in one year.</li>



<li><strong>6 Months Out:</strong> A second reminder about the approaching end of support.</li>



<li><strong>Final Month:</strong> One last alert confirming the exact date security updates will cease.</li>
</ul>



<p>This proactive communication ensures no one is caught by surprise. By managing expectations so effectively, PreciseKitchen not only meets its legal duties but also preserves customer trust—a valuable asset, even when a product reaches the end of its life.</p>



<h2 class="wp-block-heading">How to Prepare: Your Action Plan</h2>



<p>Right, let&#8217;s turn the theory of the CRA support period into a concrete action plan. This isn&#8217;t just about ticking boxes; it&#8217;s about building a defensible process that protects your customers and stands up to regulatory scrutiny.</p>



<p>Think of this as a practical checklist for your product, security, and legal teams to get on the same page.</p>



<ul class="wp-block-list">
<li><p><strong>Define and Document Your Product&#8217;s Lifetime.</strong> This is the cornerstone of your support period. You need to formally assess and justify the expected lifetime based on product type, cost, and realistic user expectations. This isn&#8217;t a guess; it&#8217;s a documented decision that forms the basis for your <strong>CRA security support period definition</strong>.</p></li>



<li><p><strong>Set Up a Public Vulnerability Intake Channel.</strong> You must have a clear, public, and secure way for security researchers and users to report potential flaws. This usually means a dedicated email address (e.g., <code>security@yourcompany.com</code>) and a web form, prominently displayed on your website&#8217;s support page.</p></li>



<li><p><strong>Stress-Test Your 24-Hour Incident Reporting.</strong> Don&#8217;t wait for a real crisis. Run a simulation of an actively exploited vulnerability to ensure your team can meet the CRA&#8217;s strict notification deadlines. A dry run will quickly reveal any gaps in your response plan. Building this into a structured <a href="https://goregulus.com/uncategorized/cra-compliance-evidence-pack/">CRA Compliance Evidence Pack</a> makes the process repeatable and auditable.</p></li>
</ul>



<p>To make all of this work seamlessly throughout the support period, you&#8217;ll need to embed these activities into your daily operations. Adopting a strong set of <a href="https://kluster.ai/blog/devsecops-best-practices">DevSecOps best practices</a> is one of the most effective ways to build this continuous security muscle.</p>



<h2 class="wp-block-heading">Cyber Resilience Act Security Support: FAQs</h2>



<p>The concept of a long-term <strong>security support period</strong> is central to the CRA, but it also raises plenty of practical questions for manufacturers. Let&#8217;s tackle some of the most common ones.</p>



<h3 class="wp-block-heading">What if My Product&#8217;s Lifecycle Is Shorter Than Five Years?</h3>



<p>The CRA sets a default security support period of <strong>at least five years</strong>. But what if your product simply isn&#8217;t designed to last that long?</p>



<p>An exception exists, but you need to justify it. For example, a disposable smart sensor built for a single event might have a realistic lifetime of only a few months. In this case, you must provide a solid, documented justification for the shorter support period in your technical files. Be prepared for scrutiny—market authorities will examine these justifications to ensure they are reasonable and based on the product&#8217;s intended use, not just a desire to cut costs.</p>



<h3 class="wp-block-heading">Does the Security Support Period Require Me to Add New Features?</h3>



<p>No. The obligation is strictly about <strong>security, not functionality</strong>. During the support period, you are required to provide free and timely security updates to fix identified vulnerabilities.</p>



<p>You have no obligation to release new features or performance upgrades. The goal is to maintain the security of the product as it was when first placed on the EU market, making sure it stays resilient against emerging threats.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The CRA’s focus is on resilience and safety. Your duty is to patch security holes, not to provide free functional enhancements. This keeps the product secure without mandating new product development.</p>
</blockquote>



<h3 class="wp-block-heading">Who Is Responsible if a Vulnerability Is in an Open-Source Component?</h3>



<p>You are. As the product manufacturer, you are ultimately responsible for the security of the <strong>entire product</strong> you place on the EU market. This responsibility covers every single component inside it, including all third-party and open-source software.</p>



<p>The CRA requires you to maintain a Software Bill of Materials (SBOM) and actively monitor your entire software supply chain for new vulnerabilities. If a flaw is found in an open-source library your product uses, it&#8217;s your job to integrate the patch and push the security update to your users. Having a clear action plan for these scenarios is a key part of effective <a href="https://usewhale.io/blog/financial-services-regulatory-compliance/">regulatory compliance strategies</a>.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><strong>Regulus</strong> provides a unified platform to help you navigate the Cyber Resilience Act. Generate your tailored requirements matrix, build audit-ready documentation, and turn complex obligations into an actionable compliance plan. Learn how to confidently place your products on the EU market at <a href="https://goregulus.com">https://goregulus.com</a>.</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-security-support-period-definition/">CRA Security Support Period Definition Explained for 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CRA Notified Body Requirements: Your Path to Certification in 2026</title>
		<link>https://goregulus.com/cra-basics/cra-notified-body-requirements/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 15 Jun 2026 12:25:20 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[Conformity Assessment]]></category>
		<category><![CDATA[CRA notified body requirements]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU Compliance]]></category>
		<category><![CDATA[Product Certification]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2206</guid>

					<description><![CDATA[<p>The Cyber Resilience Act (CRA) is completely changing the game for digital product security in the EU, and Notified Bodies are the new gatekeepers. For manufacturers of higher-risk products, these organisations aren&#8217;t consultants—they are independent, state-appointed auditors for your product&#8217;s cybersecurity. They don’t help you build a compliant product. They verify that what you’ve built [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-notified-body-requirements/">CRA Notified Body Requirements: Your Path to Certification in 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>The Cyber Resilience Act (CRA) is completely changing the game for digital product security in the EU, and Notified Bodies are the new gatekeepers. For manufacturers of higher-risk products, these organisations aren&#8217;t consultants—they are independent, state-appointed auditors for your product&#8217;s cybersecurity.</p>



<p>They don’t help you build a compliant product. They verify that what you’ve built meets the CRA’s strict legal standards before it can reach the market.</p>



<h2 class="wp-block-heading">Decoding the Role of CRA Notified Bodies</h2>



<p></p>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="576" src="https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance.jpg" alt="Sketch of a magnifying glass, shield, microchip, and EU stars, representing Notified Body compliance and assessment." class="wp-image-2497" srcset="https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance.jpg 1024w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance-300x169.jpg 300w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance-768x432.jpg 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p></p>



<p>The CRA introduces a whole new level of accountability for anyone placing products with digital elements on the EU market. For high-risk products, the framework places Notified Bodies right at the centre. Their entire job is to provide impartial, third-party conformity assessments.</p>



<p>For certain product categories, their stamp of approval is an absolute prerequisite for market access via the CE marking process.</p>



<p><strong>Practical Example:</strong> Imagine you manufacture a smart home security camera. The CRA will almost certainly classify this as a <strong>&#8220;Critical&#8221; product</strong> because of its security function and network connectivity. You can&#8217;t just declare it secure on your own. You have to submit it to a Notified Body for a full-blown audit. This body acts as a strict gatekeeper. They will meticulously review your technical documentation, test your device against known vulnerabilities, and scrutinise your vulnerability management processes. Their role isn&#8217;t to give you design tips or advice. It’s to issue a clear pass or fail verdict against the requirements of the law.</p>



<h3 class="wp-block-heading">The Foundation of Trust and Expertise</h3>



<p>To become a Notified Body, an organisation has to meet a demanding set of criteria laid out by the EU. This is designed to guarantee a consistently high standard of assessment across all Member States.</p>



<p>Key requirements for a Notified Body include:</p>



<ul class="wp-block-list">
<li><strong>Legal Standing and Independence:</strong> They must be a legal entity under national law and prove complete impartiality, with zero conflicts of interest related to the products they assess. For example, a Notified Body cannot assess a product manufactured by its own parent company.</li>



<li><strong>Technical Competence:</strong> Their teams must have deep, demonstrable expertise in cybersecurity—everything from secure coding and network protocols to risk assessment and penetration testing. For instance, auditors assessing a network router must understand BGP hijacking and DNS security, not just general IT security.</li>



<li><strong>Operational Integrity:</strong> They must follow robust, documented procedures for conducting assessments, protecting client confidentiality, and managing any complaints. This includes having secure systems for handling a manufacturer&#8217;s sensitive intellectual property, like source code or design schematics.</li>
</ul>



<p>The timeline for getting this infrastructure in place is tight. With the CRA entering into force on <strong>December 10, 2024</strong>, EU Member States are required to designate their national notifying authorities by <strong>June 11, 2026</strong>. Those authorities will then assess and appoint the Notified Bodies.</p>



<p>This schedule is meant to ensure enough qualified bodies are up and running before the CRA’s main obligations, including conformity assessments, become mandatory on <strong>December 11, 2027</strong>. You can track the CRA&#8217;s legal framework and official timelines on the <a href="https://digital-strategy.ec.europa.eu/en/policies/cra-summary">European Commission&#8217;s summary page</a>.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The core function of a Notified Body is to verify, not to consult. Their impartiality is the bedrock of market trust, assuring consumers and businesses that a CE-marked product has been rigorously vetted against EU cybersecurity standards.</p>
</blockquote>



<p>Getting this dynamic right is the first step to a successful conformity assessment. If you manufacture a critical product, you need to learn to think like an auditor. That means preparing evidence-backed documentation that proves you meet every single requirement. To see how these requirements are defined, check out our guide on <a href="https://goregulus.com/uncategorized/cra-harmonised-standards/">CRA harmonised standards</a>.</p>



<h2 class="wp-block-heading">Navigating Your CRA Conformity Assessment Route</h2>



<p>Figuring out your path to Cyber Resilience Act (CRA) compliance isn&#8217;t a one-size-fits-all exercise. The route you take is decided entirely by your product’s risk classification. Think of it like this: the rules for a casual Sunday drive are very different from the rules for transporting hazardous materials through a city centre.</p>



<p>The CRA sorts products based on the potential harm they could cause if compromised. This classification directly sets the level of scrutiny your product will face before it can wear the CE mark and enter the EU market. Getting this right from the start is a critical strategic decision that will shape your project timelines, budget, and resource planning.</p>



<h3 class="wp-block-heading">The Three Main Pathways</h3>



<p>The CRA lays out different &#8220;modules&#8221; for conformity assessment, which are just standardised procedures for proving you meet the requirements. The path you follow hinges on whether your product is classified as &#8216;Default&#8217;, &#8216;Critical Class I&#8217;, or &#8216;Critical Class II&#8217;.</p>



<ul class="wp-block-list">
<li><strong>Default Products (Internal Control):</strong> For the vast majority of products with digital elements that aren&#8217;t deemed critical, you can perform a self-assessment. This is done through an internal control procedure, known as <strong>Module A</strong>. You are responsible for testing your own product, compiling the technical documentation, and declaring that it meets all the CRA’s security rules.</li>



<li><strong>Critical Class I Products (Third-Party Assessment):</strong> If your product falls into this class, you must involve a Notified Body. The most common route is a mix of your own internal controls combined with a mandatory third-party assessment of key elements. This usually means following <strong>Module B</strong> (EU-type examination) plus <strong>Module C</strong> (conformity to type based on internal production control).</li>



<li><strong>Critical Class II Products (Full Quality Assurance):</strong> As the most stringent category, Class II requires comprehensive oversight from a third party. The typical route here is <strong>Module H</strong> (conformity based on full quality assurance). This involves a Notified Body auditing your <em>entire</em> quality management system for design, development, and production to ensure security is baked in from start to finish.</li>
</ul>



<p>Understanding these routes early is non-negotiable for manufacturers. To map out your strategy effectively, it helps to walk through a detailed <a href="https://goregulus.com/cra-compliance/cyber-resilience-act-compliance-roadmap/">Cyber Resilience Act compliance roadmap</a> to guide your planning.</p>



<p>To make this clearer, let&#8217;s look at how the conformity routes and Notified Body involvement change based on product classification.</p>



<h3 class="wp-block-heading">CRA Conformity Assessment Routes at a Glance</h3>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Product Classification</th><th>Applicable Modules</th><th>Notified Body Involvement</th><th>Practical Example</th></tr><tr><td><strong>Default</strong></td><td><strong>Module A</strong> (Internal Production Control)</td><td><strong>None</strong> (Self-assessment)</td><td>Smart Thermostat, Connected Toy</td></tr><tr><td><strong>Critical Class I</strong></td><td><strong>Module B + C</strong> (EU-Type Examination + Internal Control) or <strong>Module H</strong> (Full Quality Assurance)</td><td><strong>Mandatory</strong></td><td>Network Firewall, Smart Home Hub</td></tr><tr><td><strong>Critical Class II</strong></td><td><strong>Module H</strong> (Full Quality Assurance)</td><td><strong>Mandatory &amp; Comprehensive</strong></td><td>Industrial Control System (PLC), Hardware Security Module (HSM)</td></tr></tbody></table></figure>



<p>As you can see, the higher the risk classification, the deeper the involvement of an independent third party, moving from simple self-assessment to a full-system audit.</p>



<h3 class="wp-block-heading">Practical Examples of Assessment Routes</h3>



<p>Let&#8217;s make this tangible. Imagine your company is developing three very different products.</p>



<p><strong>1. The Smart Thermostat (Default Class)</strong><br>Your product is a smart thermostat that lets people control their home&#8217;s temperature from a mobile app. It’s connected to a network, but its failure doesn&#8217;t create a systemic risk. Under the CRA, this would almost certainly be a <strong>Default class product</strong>.</p>



<ul class="wp-block-list">
<li><strong>Your Route:</strong> You can use <strong>Module A</strong> (internal control). You’ll run your own cybersecurity risk assessment, test for vulnerabilities, generate the Software Bill of Materials (SBOM), and pull together all the technical documentation yourself. No Notified Body is needed, but your documentation had better be solid enough to pass an inspection from a market surveillance authority if they come knocking.</li>
</ul>



<p><strong>2. The Network Firewall (Critical Class I)</strong><br>Next up, you&#8217;re building a network firewall designed for small businesses. The product&#8217;s entire purpose is security, and if it fails, it could expose a customer’s whole network. This is a textbook <strong>Critical Class I product</strong>.</p>



<ul class="wp-block-list">
<li><strong>Your Route:</strong> You&#8217;ll most likely follow the <strong>Module B + C</strong> path. First, you submit your technical documentation and a sample of the firewall to a Notified Body for an EU-type examination (Module B). They will put the design through its paces and, if it passes, issue an EU-type examination certificate. From then on, your internal production controls (Module C) must ensure that every single firewall you manufacture is identical to the certified type.</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The core difference is the introduction of an independent check. While you still manage production, the design&#8217;s security has been validated by an accredited third party, providing a higher level of assurance.</p>
</blockquote>



<p><strong>3. The Industrial Control System (Critical Class II)</strong><br>Finally, your company builds a Programmable Logic Controller (PLC) used in a municipal water treatment plant. A compromise here could have devastating consequences for public safety. This lands you squarely in <strong>Critical Class II</strong>.</p>



<ul class="wp-block-list">
<li><strong>Your Route:</strong> You have to follow a much more rigorous procedure, like <strong>Module H</strong> (Full Quality Assurance). A Notified Body won&#8217;t just look at the final product; they will audit your entire quality management system. They’ll dig into your secure development lifecycle, your risk management framework, your vulnerability handling processes, and how you guarantee security from the drawing board to the product&#8217;s end-of-life. This is a deep, process-level audit to certify that your organisation is built to produce secure products consistently.</li>
</ul>



<h2 class="wp-block-heading">Preparing Your Technical Documentation for Audit</h2>



<p>Your technical documentation is the single most important file you will present to a Notified Body. Don&#8217;t think of it as just a folder of miscellaneous documents. It&#8217;s the structured, evidence-based story that proves your product meets every essential security requirement under the Cyber Resilience Act. The best analogy is a complete case file a lawyer prepares for court—every claim must be backed by solid proof.</p>



<p>This file is what your entire audit will be based on. A well-organised technical file makes the Notified Body&#8217;s job simpler, which means a smoother, faster, and less expensive assessment for you. On the other hand, a disorganised or incomplete file is a fast track to non-conformity findings, delays, and frustrating rework.</p>



<h3 class="wp-block-heading">Mapping Annex II to Annex VII</h3>



<p>The CRA gives you a clear map for what your technical documentation must contain. <strong>Annex II</strong> lists the essential security requirements your product must meet, while <strong>Annex VII</strong> outlines the structure of the technical documentation you need to create to prove it. The goal is to build a direct, traceable line from every requirement in <strong>Annex II</strong> to the corresponding evidence in your <strong>Annex VII</strong> file.</p>



<p><strong>Practical Example: A Smart Lock Manufacturer</strong></p>



<p>Imagine your company builds a Wi-Fi-enabled smart lock for homes, a product that would likely be classified as &#8220;Critical Class I&#8221;. Here is how you would map key requirements from <strong>Annex II</strong> to your documentation in <strong>Annex VII</strong>:</p>



<ul class="wp-block-list">
<li><strong>Annex II Requirement: &#8220;Protect Confidentiality&#8221;</strong>: The lock sends an unlock command from a user&#8217;s phone. To prove this is secure, your technical file (<strong>Annex VII</strong>) needs to contain hard evidence of your encryption methods. This would include test reports verifying your implementation of <strong>TLS 1.3</strong> for data in transit and <strong>AES-256</strong> for data at rest.</li>



<li><strong>Annex II Requirement: &#8220;Protect Integrity&#8221;</strong>: Your lock gets firmware updates over the air. Your documentation must include architectural diagrams showing the secure boot process and the cryptographic signature verification for every update. This proves that an attacker can’t inject malicious firmware.</li>



<li><strong>Annex II Requirement: &#8220;Control Access&#8221;</strong>: Your documentation must detail your access control policies. This means showing that the product ships with <strong>no default passwords</strong> and forces the user to create a unique, strong password during setup, directly satisfying the secure-by-default principle.</li>
</ul>



<p>To help manage the complexity of preparing these files, many teams are now using advanced <a href="https://odysseygpt.ai/agents/technical-doc-assistant">technical documentation assistants</a> to structure and populate the required evidence.</p>



<h3 class="wp-block-heading">Building Your Core Documentation Artefacts</h3>



<p>Beyond just mapping requirements to evidence, your technical file needs several substantial documents that form the backbone of your security case. These aren’t just check-the-box exercises; they are the living records of your security posture.</p>



<p>For our smart lock manufacturer, this core set of documents would include:</p>



<ol class="wp-block-list">
<li><strong>Cybersecurity Risk Assessment</strong>: This document must identify all credible threats to the smart lock. For instance, it should analyse the risk of a denial-of-service attack that stops a user from opening their door, or a replay attack where an old command is used to illicitly unlock the door. It must also consider physical attacks, like an attempt to disassemble the lock to extract firmware.</li>



<li><strong>Software Bill of Materials (SBOM)</strong>: You need a detailed inventory of every single software component in the lock&#8217;s firmware. This means listing the operating system (e.g., FreeRTOS v10.4.3), cryptographic libraries (like OpenSSL 3.0.2), and any third-party drivers. The SBOM is crucial for managing vulnerabilities; if a flaw is found in a specific version of OpenSSL, you can immediately tell if your product is affected.</li>



<li><strong>Vulnerability Handling Policies</strong>: This is your formal, written process explaining how you will manage vulnerabilities after the lock is sold. It must include your coordinated disclosure policy, defined timelines for patching (e.g., &#8220;critical vulnerabilities patched within <strong>30 days</strong>&#8220;), and the exact mechanism for delivering updates to customers (e.g., &#8220;automatic over-the-air updates pushed to all connected devices&#8221;).</li>



<li><strong>Secure Development Lifecycle Evidence</strong>: You have to provide proof that security is built into your development process from the start. This could include records of mandatory security training for your developers, reports from static analysis (SAST) tools run on your codebase, and logs from your code review process where security checks were signed off.</li>
</ol>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A Notified Body auditor is always looking for traceability. They should be able to pick any security requirement from Annex II, find the corresponding section in your technical file, and follow a clear path straight to a piece of hard evidence like a test report or a policy document.</p>
</blockquote>



<p>Ultimately, preparing this documentation is about building a foundation of trust with your Notified Body. For a deeper dive into organising these elements, see our comprehensive guide on creating a <a href="https://goregulus.com/cra-documentation/cra-technical-file-structure/">CRA technical file structure</a> that will stand up to scrutiny. A clear, well-supported file shows professionalism and a real commitment to security, making the entire <strong>CRA notified body requirements</strong> process far more efficient.</p>



<h2 class="wp-block-heading">The Notified Body Assessment Process Step-by-Step</h2>



<p>Understanding the <strong>CRA notified body requirements</strong> is one thing, but knowing what to expect during the audit itself is another. The process is a structured, multi-stage journey, and a lack of preparation can lead to significant delays and costs. Think of it as moving from theory to practice, where your documentation and your product are put to the test.</p>



<p>This walkthrough breaks down the entire audit, from the moment you submit your application to the final certification decision. Knowing these phases helps you manage internal expectations, prepare your team, and align your product milestones with the compliance schedule.</p>



<h3 class="wp-block-heading">Phase 1: Application and Scoping</h3>



<p>The journey begins when you formally apply to your chosen Notified Body. This isn&#8217;t just about filling out a form; it&#8217;s a critical scoping exercise. You&#8217;ll need to provide high-level details about your product, its intended use, and its risk classification under the CRA (e.g., <strong>Critical Class I</strong>).</p>



<p>The Notified Body uses this information to confirm they have the technical competence to assess your product. Based on this, they provide an initial quote, a project plan, and assign auditors with the right expertise.</p>



<p><strong>Practical Example:</strong> A manufacturer of an industrial gateway, likely a <strong>Critical Class I</strong> product, would submit an application detailing its functions, network interfaces, and supported industrial protocols (e.g., Modbus, OPC-UA). The Notified Body would then assign auditors with deep experience in operational technology (OT) security to lead the assessment.</p>



<h3 class="wp-block-heading">Phase 2: Documentation Review</h3>



<p>Once the engagement is formalised, the auditors start a meticulous review of your technical documentation. This is the moment where all the effort you invested in preparing your <strong>Annex VII</strong> file really counts. Auditors will scrutinise your cybersecurity risk assessment, your Software Bill of Materials (SBOM), your vulnerability handling policies, and evidence from your secure development lifecycle.</p>



<p>They are looking for three things: clarity, completeness, and traceability. Can they easily trace a requirement from <strong>Annex II</strong> to a specific piece of evidence in your file? If your documentation is disorganised or has obvious gaps, this phase will drag on with endless requests for more information.</p>



<p><strong>Practical Example:</strong> The auditor sees in your SBOM that you use <code>log4j</code>. They will immediately look for documentation proving you are not using a vulnerable version, or if you are, that you have implemented specific mitigating controls and documented the rationale. A missing link here is an immediate non-conformity.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1344" height="768" src="https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-process-flow.jpg" alt="A diagram illustrating the CRA Technical File Process Flow with steps: Risk Assessment, SBOM, and Secure Dev." class="wp-image-2498" srcset="https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-process-flow.jpg 1344w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-process-flow-300x171.jpg 300w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-process-flow-1024x585.jpg 1024w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-process-flow-768x439.jpg 768w" sizes="(max-width: 1344px) 100vw, 1344px" /></figure>



<p>The process flow above highlights the core pillars of a CRA technical file: risk assessment, SBOM creation, and secure development. These are the primary focus of the documentation review. A strong showing here gives the Notified Body confidence before they even power on the product.</p>



<h3 class="wp-block-heading">Phase 3: Product Audit and Testing</h3>



<p>With the documentation reviewed, the hands-on testing begins. This phase involves a deep dive into the product itself to verify the claims made in your documentation. The exact scope depends on the conformity module you&#8217;ve chosen (e.g., <strong>Module B</strong> vs. <strong>Module H</strong>) and your product&#8217;s complexity.</p>



<p>Auditors may perform a range of tests, including:</p>



<ul class="wp-block-list">
<li><strong>Vulnerability Scanning:</strong> Using automated tools to find known vulnerabilities in your product&#8217;s software and firmware stacks.</li>



<li><strong>Penetration Testing:</strong> Simulating real-world attacks to test the resilience of your security controls, like access control mechanisms or encryption implementations.</li>



<li><strong>Functional Verification:</strong> Checking that security features described in the documentation—such as secure boot or update mechanisms—actually work as intended.</li>
</ul>



<p><strong>Practical Example:</strong> For a smart lock, an auditor might use a software-defined radio to attempt to capture and replay the &#8220;unlock&#8221; signal from the mobile app. This tests the anti-replay mechanisms claimed in your documentation. If the lock opens, it&#8217;s a major non-conformity.</p>



<p>To better grasp the principles of such an evaluation, it can be useful to review a <a href="https://www.maced.ai/cloud-security-assessment">complete guide to cloud security assessment</a>, as it covers similar evidence-based verification concepts.</p>



<h3 class="wp-block-heading">Phase 4: Non-Conformity Reporting and Remediation</h3>



<p>It’s extremely rare for any product to pass its first audit with a perfect score. When the Notified Body finds a gap between your product and the CRA&#8217;s requirements, they issue a <strong>non-conformity report</strong>. These findings are typically categorised by severity, such as major or minor.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>You will be given a specific timeframe to address these findings. This remediation phase is a critical loop; you must fix the issues, update your documentation, and resubmit the evidence to the Notified Body for verification.</p>
</blockquote>



<p><strong>Practical Example:</strong> A &#8220;major&#8221; non-conformity could be the discovery of a hardcoded password. A &#8220;minor&#8221; one might be a missing detail in the end-user documentation about how to report a security issue. The former requires an immediate firmware update, while the latter requires a simple document change.</p>



<p>Failing to address these findings properly is one of the fastest ways to derail your certification timeline.</p>



<h3 class="wp-block-heading">Phase 5: Final Review and Certification Decision</h3>



<p>Once all non-conformities have been successfully closed out, the lead auditor compiles the complete assessment file for a final, independent review. This is usually done by a separate technical reviewer within the Notified Body who was not involved in the initial audit. This final check ensures the process was conducted correctly and that all requirements are truly met.</p>



<p>If the review is positive, the Notified Body issues your certificate—an <strong>EU-type examination certificate</strong> for Module B or a <strong>quality system approval</strong> for Module H. This certificate is the key that unlocks CE marking for your product, granting you access to the entire EU market.</p>



<h2 class="wp-block-heading">Avoiding Common Gaps in Your CRA Submission</h2>



<p>Getting through your first Cyber Resilience Act (CRA) audit can feel like navigating a minefield. There are a handful of common pitfalls that consistently trip up manufacturers, even those with a solid security posture. The key is knowing where others stumble so you can build a submission that’s truly audit-proof.</p>



<p>Think of it this way: <strong>CRA notified body requirements</strong> aren&#8217;t about proving you have flawless security. They’re about proving you have a perfectly documented, transparent, and repeatable security <em>process</em>. Auditors aren&#8217;t just taking your word for it; their job is to find concrete evidence that backs up every single claim. Vague statements and missing paperwork are the fastest way to get hit with non-conformity findings and expensive delays.</p>



<p>This is where being forewarned is being forearmed. Let&#8217;s walk through the most common gaps auditors find and, more importantly, how to make sure your technical file stands up to scrutiny.</p>



<h3 class="wp-block-heading">Incomplete Cybersecurity Risk Assessments</h3>



<p>One of the most frequent and critical failures we see is a cybersecurity risk assessment that&#8217;s too narrow. Many teams do a great job analysing risks when the product is first unboxed but completely ignore the threats that will inevitably emerge over its operational life and eventual end-of-life.</p>



<ul class="wp-block-list">
<li><strong>The common mistake:</strong> Your risk assessment for a new smart thermostat only covers threats during the initial setup, like a user picking a weak password. It fails to consider what happens when your cloud provider has a data breach two years from now, or the security implications when you eventually stop pushing updates.</li>



<li><strong>What auditors need to see:</strong> A robust risk assessment models threats across the <em>entire</em> product lifecycle. It must cover supplier risks (like a compromised chip), operational risks (a new zero-day exploit in an open-source library you use), and end-of-life risks (ensuring data is properly wiped when the device is thrown away). It must be a living document, not a one-and-done report.</li>
</ul>



<h3 class="wp-block-heading">Vague Vulnerability Handling Processes</h3>



<p>Simply writing &#8220;we manage vulnerabilities&#8221; in your documentation is a guaranteed red flag. A Notified Body needs to see a formal, documented process that spells out every step, from how a vulnerability is reported to how the patch is deployed. Ambiguity suggests a chaotic, reactive approach to security—exactly what the CRA is designed to prevent.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A Notified Body needs to see a clear, repeatable, and time-bound process. Your vulnerability handling policy is not just a document; it’s a contractual commitment to your customers and the regulators.</p>
</blockquote>



<p><strong>A practical example: Defining your patching timeline</strong></p>



<ul class="wp-block-list">
<li><strong>The vague approach:</strong> Your policy just says, &#8220;Critical vulnerabilities will be patched in a timely manner.&#8221; This is subjective, unenforceable, and will not pass an audit.</li>



<li><strong>The compliant approach:</strong> Your policy defines specific Service-Level Agreements (SLAs). For instance: &#8220;Upon confirmation of a <strong>critical</strong> vulnerability (CVSS score 9.0-10.0), a patch will be developed, tested, and released to all affected users within <strong>30 calendar days</strong>.&#8221; This is specific, measurable, and auditable.</li>
</ul>



<p>For more insights into structuring this evidence, our guide on the <a href="https://goregulus.com/uncategorized/cra-compliance-evidence-pack/">CRA compliance evidence pack</a> offers practical templates.</p>



<h3 class="wp-block-heading">Insufficient Proof of Secure Development</h3>



<p>Claiming you follow a secure development lifecycle (SDL) is easy. Proving it is another matter entirely. Auditors need to see hard evidence that security is woven into every stage of your development process, not just bolted on as an afterthought. Without that proof, your claims are just empty words.</p>



<p>This table shows exactly how to turn those empty claims into the kind of concrete evidence an auditor is looking for.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Vague Claim</th><th>Actionable Evidence</th></tr><tr><td>&#8220;We perform code reviews.&#8221;</td><td>Show them the logs from your version control system (like GitHub) that prove every pull request for security-sensitive code required an explicit sign-off from a designated security champion.</td></tr><tr><td>&#8220;Our developers are trained.&#8221;</td><td>Present the training records. We&#8217;re talking dates, topics covered (e.g., OWASP Top 10), and completion certificates for every single developer on the project team.</td></tr><tr><td>&#8220;We test for vulnerabilities.&#8221;</td><td>Provide the unredacted reports from your static analysis (SAST) and dynamic analysis (DAST) tools, along with the Jira or DevOps tickets that prove critical findings were actually fixed before the release.</td></tr></tbody></table></figure>



<p>By anticipating these common gaps and preparing detailed, evidence-backed documentation from the start, you can transform your audit from a major roadblock into a straightforward validation of your commitment to cybersecurity. This proactive mindset is the secret to successfully meeting your <strong>CRA notified body requirements</strong>.</p>



<h2 class="wp-block-heading">Your Actionable Checklist for Notified Body Readiness</h2>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="576" src="https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance-checklist.jpg" alt="Clipboard checklist showing completed SBOM, Vulnerability Policy, and Mock Audit, with calendar and gears." class="wp-image-2499" srcset="https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance-checklist.jpg 1024w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance-checklist-300x169.jpg 300w, https://goregulus.com/wp-content/uploads/2026/06/cra-notified-body-requirements-compliance-checklist-768x432.jpg 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p>Turning the complex <strong>CRA notified body requirements</strong> into a concrete project plan is the final hurdle before engaging an auditor. This checklist is designed to get you &#8216;audit-ready&#8217; by breaking the enormous task into manageable phases.</p>



<p>Working through these steps systematically helps you build a strong compliance posture and spot gaps early. You’ll approach a Notified Body from a position of strength, saving everyone a lot of time and money. This isn’t just about ticking boxes; it’s about building a solid foundation of evidence that proves your commitment to security.</p>



<h3 class="wp-block-heading">Phase 1: Internal Scoping and Strategy</h3>



<p>Before you start creating documents, you need to get your internal teams aligned and define your strategy. This first phase ensures everyone understands the scope of the project and their role in the compliance journey ahead.</p>



<ul class="wp-block-list">
<li><strong>Task 1: Finalise Product Classification.</strong> Formally decide if your product falls under &#8216;Default&#8217;, &#8216;Critical Class I&#8217;, or &#8216;Critical Class II&#8217;. This decision dictates your entire conformity assessment route and is the very first question a Notified Body will ask.</li>



<li><strong>Task 2: Select Your Conformity Assessment Route.</strong> Based on your classification, choose your module (e.g., Module B + C for Class I, Module H for Class II). Document this choice and, crucially, the reasoning behind it.</li>



<li><strong>Task 3: Assemble a Cross-Functional Team.</strong> Put together a dedicated CRA compliance team with people from engineering, product security, legal, and quality assurance. Define clear roles and responsibilities so everyone knows what they own.</li>
</ul>



<h3 class="wp-block-heading">Phase 2: Evidence Gathering and Documentation</h3>



<p>This is where you build the core of your technical file. Each item must be a concrete artefact, not a vague promise. The goal is to create a library of evidence that directly maps to the CRA&#8217;s essential requirements.</p>



<p><strong>Practical Example: Creating a Complete SBOM</strong><br>A common task is generating a Software Bill of Materials (SBOM). It’s not good enough to just list a few libraries. You must use a standard format like SPDX or CycloneDX and include every single component, its version, supplier, and licence information for all your firmware and software. For instance, an entry might look like: <code>Component: OpenSSL, Version: 3.0.2, Supplier: OpenSSL Software Foundation, License: Apache-2.0</code>.</p>



<p>With that in mind, focus on these critical tasks:</p>



<ol class="wp-block-list">
<li><strong>Generate a complete SBOM</strong> for all software and firmware components, including every dependency.</li>



<li><strong>Conduct and document a comprehensive cybersecurity risk assessment</strong> that covers the product&#8217;s entire lifecycle, from design all the way to end-of-life.</li>



<li><strong>Formalise your vulnerability handling process</strong>, which must include a public Coordinated Vulnerability Disclosure (CVD) policy with defined patching timelines (e.g., &#8220;critical vulnerabilities patched within <strong>30 days</strong>&#8220;).</li>



<li><strong>Collate evidence of your secure development lifecycle (SDL)</strong>, such as developer training records, code review logs, and static analysis (SAST) tool reports.</li>
</ol>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The quality of your documentation directly reflects the maturity of your security programme. A well-organised, evidence-rich technical file tells an auditor that you are a serious, professional partner.</p>
</blockquote>



<h3 class="wp-block-heading">Phase 3: Pre-Assessment Review and Refinement</h3>



<p>Before you spend any money on a formal audit, conduct your own internal review. This final phase is all about finding and fixing your own gaps before an auditor does it for you.</p>



<ul class="wp-block-list">
<li><strong>Task: Conduct a mock audit against Annex II.</strong> Have an internal team (or a friendly third party) audit your technical documentation against the essential requirements in Annex II. This dry run is invaluable for spotting weak points in your evidence.</li>



<li><strong>Task: Refine documentation based on findings.</strong> Use the feedback from your mock audit to strengthen weak sections, add missing evidence, and improve the traceability between your requirements and your proof.</li>
</ul>



<p>By methodically completing this checklist, you shift from a reactive to a proactive compliance stance. You will enter the formal assessment process with confidence, ready to demonstrate that your product truly meets the high bar set by the Cyber Resilience Act.</p>



<h2 class="wp-block-heading">Frequently Asked Questions About CRA Notified Bodies</h2>



<p>As you start planning for the Cyber Resilience Act, practical questions about Notified Bodies are bound to come up. This FAQ tackles the most common queries we hear from manufacturers, giving you the direct answers needed to prepare for a successful conformity assessment.</p>



<h3 class="wp-block-heading">When Should We Start Engaging with a CRA Notified Body?</h3>



<p>You should start the conversation with potential Notified Bodies as soon as your product design is stable. In our experience, this means making initial contact <strong>9 to 12 months</strong> before your planned market launch.</p>



<p><strong>Practical Example:</strong> If you plan to launch your new smart alarm system in the EU for the 2027 holiday season, you should be shortlisting and contacting Notified Bodies by December 2026 at the latest. This gives you time to get quotes, schedule the audit, and leave a buffer for any potential remediation work.</p>



<p>With demand for CRA auditors expected to spike dramatically before the <strong>December 2027</strong> deadline, securing your place early is a smart move that prevents last-minute chaos.</p>



<h3 class="wp-block-heading">Can We Use Our Existing Notified Body for the CRA?</h3>



<p>It&#8217;s a strong possibility. Many Notified Bodies that already assess products under other EU regulations, like the Radio Equipment Directive (RED), are looking to get designated for the CRA. Sticking with a single body that already knows your product and quality management system can be a huge efficiency win.</p>



<p>Your best bet is to ask them directly. When you next speak with your current Notified Body, ask if they are pursuing or have a clear plan to achieve designation for the Cyber Resilience Act. This can help you consolidate your EU compliance work and audit activities under one roof.</p>



<h3 class="wp-block-heading">What Happens if a Notified Body Finds a Non-Conformity?</h3>



<p>Finding a non-conformity is a normal, even expected, part of any rigorous audit. It’s not a final failure. The Notified Body will issue a formal report that pinpoints exactly where your product or technical file falls short of the <strong>CRA notified body requirements</strong>.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>You&#8217;ll be given a set timeframe to resolve the findings. This could mean patching a software vulnerability, updating your technical documentation, or refining a process. Once you’ve made the corrections, you resubmit the evidence for review, and only then can a certificate be issued.</p>
</blockquote>



<h3 class="wp-block-heading">How Much Does a CRA Notified Body Assessment Cost?</h3>



<p>Costs vary widely. The final price tag depends on your product&#8217;s complexity, its risk classification (<strong>Critical Class I</strong> vs. <strong>Class II</strong>), and the Notified Body’s own fee structure.</p>



<p><strong>Practical Example:</strong> A <strong>Critical Class I</strong> smart home hub might require a Module B+C assessment costing €20,000-€40,000. A <strong>Critical Class II</strong> industrial control system undergoing a full Module H quality system audit could easily exceed €100,000, especially if it involves multiple site visits and extensive product testing.</p>



<p>The only way to know for sure is to request formal quotes from several Notified Bodies early in your budgeting cycle to get a realistic financial picture.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Ready to build a clear, actionable plan for the Cyber Resilience Act? <strong>Regulus</strong> provides the tailored roadmaps, templates, and guidance you need to prepare for your Notified Body assessment with confidence. Gain clarity and reduce compliance costs at <a href="https://goregulus.com">https://goregulus.com</a>.</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-notified-body-requirements/">CRA Notified Body Requirements: Your Path to Certification in 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CRA Remote Data Processing Solutions Scope Explained</title>
		<link>https://goregulus.com/cra-basics/cra-remote-data-processing-solutions-scope/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Tue, 09 Jun 2026 19:47:26 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA remote data processing solutions scope]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU Product Compliance]]></category>
		<category><![CDATA[IoT Security Rules]]></category>
		<category><![CDATA[RDPS Compliance]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2199</guid>

					<description><![CDATA[<p>Figuring out if your remote solution falls under the EU&#8217;s Cyber Resilience Act (CRA) is a major question for manufacturers. The short answer is this: if a remote data processing solution is essential for a product&#8217;s main function, it&#8217;s almost certainly within the CRA remote data processing solutions scope. The physical product and its necessary [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-remote-data-processing-solutions-scope/">CRA Remote Data Processing Solutions Scope Explained</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Figuring out if your remote solution falls under the EU&#8217;s Cyber Resilience Act (CRA) is a major question for manufacturers. The short answer is this: if a <strong>remote data processing solution is essential for a product&#8217;s main function</strong>, it&#8217;s almost certainly within the <strong>CRA remote data processing solutions scope</strong>. The physical product and its necessary remote counterpart are treated as a single unit.</p>



<h2 class="wp-block-heading">Is Your Remote Solution Covered by the CRA?</h2>



<p>The Cyber Resilience Act introduces a new level of scrutiny for any <strong>&#8220;product with digital elements&#8221; (PDE)</strong> placed on the European market. This broad category covers everything from smart home devices and wearables to standalone software applications. The rules don&#8217;t stop at the device or software you sell; they extend to services operating in the background.</p>



<p>This is where the concept of a <strong>&#8220;remote data processing solution&#8221;</strong> becomes critical. The CRA defines this as any solution, designed by or under the responsibility of the manufacturer, that a product needs to perform one of its functions. Think of it as a mandatory digital partner to your physical product.</p>



<h3 class="wp-block-heading">The Essential Functionality Test</h3>



<p>So, how do you determine if your remote service is captured? The key is the <strong>&#8220;essential functionality&#8221;</strong> test. Ask yourself: can my product perform its primary intended purpose without this remote solution? If the answer is no, then the solution is in scope.</p>



<ul class="wp-block-list">
<li><p><strong>Practical Example 1: Smart Security Camera</strong><br>The hardware is the camera itself. The remote data processing solution is the manufacturer-operated cloud service that processes video, detects motion, and sends alerts to your phone. Without this service, the camera is just a lens; it cannot perform its core security function. Therefore, both the camera and the cloud service fall under the CRA.</p></li>



<li><p><strong>Practical Example 2: Connected Car</strong><br>A modern vehicle uses a remote server to receive critical over-the-air (OTA) updates for its engine control unit (ECU). These updates are vital for safety and performance. The car is the product, and the manufacturer&#8217;s update server is the essential remote solution. Both are within the CRA&#8217;s reach.</p></li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A common mistake is assuming that only paid services are in scope. The CRA applies if the product is part of a commercial activity, which includes free products supported by advertising or data monetisation. The dependency on the remote solution is the deciding factor, not its price tag.</p>
</blockquote>



<p>Understanding this relationship is the first step toward compliance. For a deeper analysis of whether the CRA applies to your specific products, you might be interested in our guide on <a href="https://goregulus.com/cra-basics/cyber-resilience-act-applicability/">Cyber Resilience Act applicability</a>. This linkage between a physical product and its digital brain is central to determining the full <strong>CRA remote data processing solutions scope</strong> for your portfolio.</p>



<p>Right, so how do you know if your remote data processing solution is actually caught by the Cyber Resilience Act? This is where a lot of confusion comes in, but the test regulators will use is actually quite straightforward.</p>



<p>It all boils down to one critical question: is the remote solution <strong>necessary for the product to perform its main function</strong>? We&#8217;re not talking about nice-to-have features or optional extras. If the product simply cannot do what you sold it to do without that remote connection, then the solution is almost certainly in scope.</p>



<p>Think of it this way: if the core value proposition advertised to the customer disappears when the internet connection drops, the CRA will see the product and the remote service as a single, inseparable entity.</p>



<h3 class="wp-block-heading">The Core Functionality Test In Action</h3>



<p>Let’s make this concrete with a couple of real-world examples. The line between in-scope and out-of-scope often depends on what makes the product &#8220;smart&#8221; in the first place.</p>



<p>Here is a simple table to help you think through this test for your own solutions.</p>



<h4 class="wp-block-heading">CRA Scope Test for Remote Data Processing Solutions</h4>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Functionality Test</th><th>In-Scope Example (Likely)</th><th>Out-of-Scope Example (Likely)</th></tr><tr><td><strong>Is the solution required for the product&#8217;s primary advertised function?</strong></td><td>A smart lock that authenticates users via a cloud server to unlock the door. Without the server, the main &#8220;keyless entry&#8221; feature fails.</td><td>An electric toothbrush that sends usage data to the manufacturer for product improvement analytics. The brush still cleans teeth without this connection.</td></tr><tr><td><strong>Would a customer consider the product &#8220;broken&#8221; without the remote connection?</strong></td><td>A security camera that streams live video to a mobile app via the manufacturer&#8217;s cloud. No cloud, no live stream. The product is useless.</td><td>A smart fridge that sends maintenance alerts to the manufacturer&#8217;s server. The fridge continues to cool food even if the server is offline.</td></tr><tr><td><strong>Is the remote processing integral to the product&#8217;s identity?</strong></td><td>A voice assistant speaker that processes commands on a remote server. Without the server, it&#8217;s just a speaker—not a voice assistant.</td><td>A connected car that offers an optional in-car weather app. The car&#8217;s primary function (driving) is entirely separate from the weather service.</td></tr></tbody></table></figure>



<p>As you can see, the distinction is about necessity, not convenience. If the remote component is fundamental to the user experience you&#8217;ve promised, you need to treat it as part of the product for CRA purposes.</p>



<p>This decision tree helps visualise the logic. If your remote solution is essential for the product’s core purpose, the CRA treats them as one and the same.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-remote-data-processing-solutions-scope-decision-tree.jpg" alt="Flowchart illustrating the CRA scope decision process for products and remote solutions."/></figure>



<h3 class="wp-block-heading">A Closer Look at Exclusions and Grey Areas</h3>



<p>Even with this test, there’s still a lot of debate, particularly around cloud services that support products. Industry groups are actively lobbying for clearer lines to be drawn. The big question is whether a service that is <em>integral</em> to a product with digital elements automatically inherits all CRA obligations.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>A July 2023 position paper from DIGITALEUROPE proposes <strong>nine specific exclusion criteria (E1–E9)</strong> for Remote Data Processing Solutions (RDPS). It argues that services not providing core product functionality, or offline manufacturer activities like compiling software updates before they are sent, should be exempt.</p>
</blockquote>



<p>This ongoing discussion means it&#8217;s more important than ever for manufacturers to carefully document <em>why</em> a specific remote service is or is not essential to the product&#8217;s main function. Your documented rationale will be your first line of defence in any regulatory conversation. For a deeper dive on this, you can <a href="https://goregulus.com/cra-basics/cra-scope/">read also our guide on the CRA scope</a>.</p>



<h3 class="wp-block-heading">Pinpointing When Your Compliance Clock Starts</h3>



<p>Another crucial piece of the <strong>CRA remote data processing solutions scope</strong> is knowing when your obligations officially begin. The trigger isn&#8217;t your development kick-off or service launch date. Your compliance clock starts the moment a product is <strong>&#8220;placed on the market&#8221;</strong> in the EU for the first time.</p>



<p>This means the very first instance an individual product unit is made available for distribution or use in the EU as part of a commercial activity. Getting this timing right is absolutely vital for planning your development, documentation, and launch schedules.</p>



<p>So what does &#8220;placing on the market&#8221; mean in practice for remote solutions?</p>



<ul class="wp-block-list">
<li><strong>For Bundled Products:</strong> Your obligations begin when the first hardware unit that relies on your remote service is sold or supplied in the EU. For example, if a French retailer receives the first shipment of a new smart thermostat model, the manufacturer&#8217;s CRA clock has started.</li>



<li><strong>For Standalone Software:</strong> It&#8217;s the moment the software is first downloaded or accessed by a user in the EU under a commercial agreement. For example, when a German company purchases a subscription and its employee first logs into a SaaS project management tool.</li>



<li><strong>For Services Updated Post-Launch:</strong> If you push a <strong>substantial modification</strong> to a product already on the market that changes its core function or security posture, that product is considered &#8220;newly&#8221; placed on the market. For instance, if a smart watch receives an update that adds a new health monitoring feature using a new cloud algorithm, that update re-triggers the full set of CRA obligations.</li>
</ul>



<p>Understanding this specific trigger point is non-negotiable. It ensures your conformity assessments, technical documentation, and CE marking are all buttoned up <strong>before</strong> that first unit ever reaches a customer in the EU. A mistake here can result in costly recalls, market-access delays, and serious penalties.</p>



<h2 class="wp-block-heading">How the CRA Reshapes Your Supply Chain</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-remote-data-processing-solutions-scope-supply-chain.jpg" alt="Diagram showing the product supply chain from manufacturer to importer and distributor, with compliance checks."/></figure>



<p>The Cyber Resilience Act’s reach extends far beyond the original product developer. It establishes a clear chain of accountability that follows a product from design to distribution, especially when it comes to the <strong>CRA remote data processing solutions scope</strong>.</p>



<p>Compliance is no longer a solo effort; it&#8217;s a team sport where every player in the supply chain—the <strong>manufacturer</strong>, <strong>importer</strong>, and <strong>distributor</strong>—has specific, legally binding duties. Knowing your role is crucial for keeping products moving into the EU market without facing major disruptions or legal penalties.</p>



<p>Let’s put this into practice. Imagine a German engineering firm that builds a smart sensor for industrial automation. This sensor is the &#8220;product with digital elements,&#8221; but it depends entirely on the company’s cloud server for real-time analytics and alerts. That server is its essential &#8220;remote data processing solution.&#8221;</p>



<h3 class="wp-block-heading">The Manufacturer’s Core Duties</h3>



<p>As the <strong>manufacturer</strong>, the German firm shoulders the heaviest compliance burden. Before that sensor can be sold, they are responsible for conducting a full cybersecurity risk assessment and a conformity assessment. This must prove that the entire product system—both the physical sensor and its remote server—meets the CRA’s essential requirements.</p>



<p>This process involves building out extensive technical documentation. This file serves as the definitive proof of compliance, detailing everything from the product’s architecture and security-by-design choices to its Software Bill of Materials (SBOM) and vulnerability handling plan.</p>



<p>Only after this is complete can the manufacturer draw up the EU Declaration of Conformity and affix the <strong>CE marking</strong> to the sensor. This mark is their public promise that the product and its remote solution are fully compliant.</p>



<h3 class="wp-block-heading">The Importer as the First Gateway</h3>



<p>Now, let&#8217;s say a French company wants to import these sensors to sell them within the EU. As the <strong>importer</strong>, this firm becomes the first official gateway into the Union market and has its own set of critical verification duties. They can&#8217;t just take the manufacturer&#8217;s word for it.</p>



<p>The importer is legally required to verify that the manufacturer has:</p>



<ul class="wp-block-list">
<li>Performed the correct conformity assessment procedure.</li>



<li>Assembled the required technical documentation.</li>



<li>Correctly affixed the <strong>CE marking</strong> to the product.</li>
</ul>



<p>They must also add their own name and contact address to the product to ensure traceability. If an importer suspects a product is non-compliant, they <strong>must not place it on the market</strong>. For example, if the packaging lacks the importer&#8217;s address or the CE mark looks fraudulent, they are obligated to halt the process and inform both the manufacturer and the relevant market surveillance authorities.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>By placing a product on the EU market, an importer is staking its own legal and financial reputation on that product&#8217;s compliance. They act as the regulatory backstop, preventing non-compliant goods from entering circulation.</p>
</blockquote>



<h3 class="wp-block-heading">The Distributor’s Final Checkpoint</h3>



<p>Once the sensors are in the EU, a Spanish distribution company buys them from the French importer to sell to local factories. This <strong>distributor</strong> is the final link in the chain before the end-user, and their role is to act with <strong>“due care.”</strong></p>



<p>Before making the product available to customers, the distributor must verify that it has the CE marking and comes with all necessary instructions and information, presented in a language their customers can easily understand. They also double-check that the manufacturer and importer have included their names and addresses for traceability.</p>



<p>If a distributor spots an issue, their obligation is the same as the importer’s: stop the sale and notify the parties up the supply chain. A practical example: if the distributor notices the user manual is only in German and they are selling in Spain, they must contact the importer to rectify this before selling the sensors. This model of shared accountability creates multiple checkpoints to catch non-compliant products, a topic we explore further in our overview of <a href="https://goregulus.com/cra-basics/supply-chain-softwares/">supply chain requirements for software</a>.</p>



<h2 class="wp-block-heading">Real-World Examples of In-Scope Remote Solutions</h2>



<p>Definitions and theory only get you so far. To really understand the <strong>CRA remote data processing solutions scope</strong>, you need to see it applied to real products. The line between an in-scope and out-of-scope remote solution often boils down to a single, powerful question: is the remote processing essential for the product to do its main job?</p>



<p>Let’s walk through a few concrete scenarios. These examples are designed to give your product and engineering teams a clear mental model for spotting CRA-scoped solutions in your own product line-up.</p>



<h3 class="wp-block-heading">Example 1: Connected Delivery Drones</h3>



<p>Think about a company running a fleet of autonomous delivery drones. These drones aren&#8217;t just flying on their own; they’re designed to navigate busy cities, avoid no-fly zones, and land safely with their packages.</p>



<ul class="wp-block-list">
<li><strong>The Product:</strong> The physical delivery drone.</li>



<li><strong>The Remote Data Processing Solution:</strong> A central command server, operated by the manufacturer, that provides real-time flight path calculations, geofencing updates, and emergency override commands.</li>
</ul>



<p>Here, the dependency is absolute. Without a constant link to that command server, the drone simply cannot perform its core function of &#8220;autonomous delivery.&#8221; It can&#8217;t navigate safely, react to new obstacles, or follow flight regulations. The remote server isn&#8217;t an optional extra; it&#8217;s a non-negotiable part of the system. This makes it fall squarely within the CRA’s scope.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>When a product’s safety and core function are tied directly to a remote service, the CRA treats them as a single entity. The drone and its server are not seen as separate—both must meet the CRA&#8217;s essential cybersecurity requirements.</p>
</blockquote>



<h3 class="wp-block-heading">Example 2: The Modern Smart Thermostat</h3>



<p>Now consider a popular smart thermostat. Its main selling point is its ability to learn a household’s habits to automatically optimise heating and cooling, ultimately saving money on energy bills.</p>



<ul class="wp-block-list">
<li><strong>The Product:</strong> The smart thermostat unit on the wall.</li>



<li><strong>The Remote Data Processing Solution:</strong> A cloud service that analyses historical usage data, runs machine learning models to predict heating needs, and pushes optimised schedules back to the device.</li>
</ul>



<p>Sure, you can still walk up to the thermostat and change the temperature manually if the internet is down. But the &#8220;smart&#8221; features—the very reason customers chose this product—are completely dependent on the cloud. All the heavy lifting, the learning algorithms and data processing, happens on the manufacturer&#8217;s remote servers. Because its primary advertised function is &#8220;intelligent energy saving,&#8221; a function that is impossible without the remote service, that solution is in scope.</p>



<h3 class="wp-block-heading">Example 3: Industrial Robotics and Remote Configuration</h3>



<p>Imagine a factory that has just installed a new generation of high-precision industrial robots on its assembly line. A key feature of these robots is their adaptability—they can be reconfigured for different production runs and receive critical updates remotely.</p>



<ul class="wp-block-list">
<li><strong>The Product:</strong> The industrial robot arm itself.</li>



<li><strong>The Remote Data Processing Solution:</strong> The manufacturer&#8217;s remote platform, used to push critical safety patches, update firmware, and upload new task configurations for different manufacturing jobs.</li>
</ul>



<p>In this scenario, the remote platform is vital for the robot&#8217;s ongoing security, safety, and functionality. If the robot couldn&#8217;t receive a critical security patch, it could expose the entire factory network to a cyber-attack. If it couldn&#8217;t be reconfigured remotely for a new task, it would lose a huge part of its value. This direct link to both security and core functionality puts the remote platform firmly within the <strong>CRA remote data processing solutions scope</strong>.</p>



<p>The logic in each case is the same. The remote solution isn&#8217;t just a nice-to-have feature; it’s fundamental to the product&#8217;s primary purpose, safety, or identity. This dependency is the definitive test your teams should use when assessing your own products.</p>



<h2 class="wp-block-heading">Your Documentation and Vulnerability Response Plan</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-remote-data-processing-solutions-scope-security-pillars.jpg" alt="Two pillars illustrate key cybersecurity elements: Documentation (risk assessment, SBOM, tech file) and 24h Vulnerability Response."/></figure>



<p>Once you’ve confirmed your remote data processing solution falls under the CRA, it’s time to move from theory to action. Compliance isn’t just about having good intentions; it’s about proving them. This proof rests on two pillars: <strong>comprehensive documentation</strong> and a <strong>robust vulnerability management</strong> plan.</p>



<p>These aren&#8217;t just administrative box-ticking exercises. They are core operational requirements that demonstrate your product is secure by design and that you have a concrete plan to keep it that way. The CRA demands a clear, auditable trail—informal or purely reactive security practices simply won&#8217;t cut it anymore.</p>



<h3 class="wp-block-heading">The First Pillar: Building Your Technical Documentation</h3>



<p>Think of your technical documentation as the central evidence file for your product&#8217;s compliance. It’s the first thing market surveillance authorities will ask for, and it needs to tell a convincing story. Under Annex II, this file must be meticulously organised and hold several critical components.</p>



<ul class="wp-block-list">
<li><p><strong>Cybersecurity Risk Assessment:</strong> This is your foundation. You must document a thorough analysis of every potential cybersecurity risk tied to your product and its remote solution. It’s not a simple checklist. It’s a deep dive into threats, their potential impact, and the specific mitigations you’ve put in place. For a smart lock, for instance, you&#8217;d assess risks from replay attacks to credential stuffing on the remote server.</p></li>



<li><p><strong>Software Bill of Materials (SBOM):</strong> You are required to create a detailed, machine-readable SBOM that lists every single software component. This covers your proprietary code and, crucially, all the open-source libraries used in your product and the remote solution. An SBOM for a fitness tracker&#8217;s app would detail every third-party library for Bluetooth, data sync, and UI elements.</p></li>



<li><p><strong>Security-by-Design Evidence:</strong> You must prove security was baked in from the start, not bolted on at the end. This means documenting your secure development lifecycle (SDL), including evidence of threat modelling sessions, code reviews, and penetration testing reports. For example, you might include the report from a third-party pen test performed on your remote API before launch.</p></li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Your documentation must tell the complete story of your product’s security journey. It should show a regulator that every security decision was deliberate, from initial design to the final build, covering the entire <strong>CRA remote data processing solutions scope</strong>.</p>
</blockquote>



<h3 class="wp-block-heading">The Second Pillar: Structuring Your Vulnerability Response</h3>



<p>The CRA’s rules on vulnerability handling are strict, time-sensitive, and will likely change how you manage security flaws forever. You are now on the hook for managing vulnerabilities for the product’s entire support period—which is typically at least <strong>five years</strong>.</p>



<p>The most dramatic change is the reporting timeline. Manufacturers must notify ENISA (the EU Agency for Cybersecurity) and the relevant national CSIRT of any <strong>actively exploited vulnerability within 24 hours</strong> of becoming aware of it. That tiny window demands a highly efficient, well-rehearsed internal process. For more on this, our detailed explanation of <a href="https://goregulus.com/uncategorized/cra-reporting-obligations-article-14/">CRA reporting obligations under Article 14</a> can help you prepare.</p>



<p>To meet these demands, you absolutely need a formal plan.</p>



<ol class="wp-block-list">
<li><p><strong>Establish a Coordinated Disclosure Policy:</strong> Publicly post how security researchers can report vulnerabilities to you. Define your scope, the right communication channels (like a dedicated security email), and what they can expect from you in terms of response times.</p></li>



<li><p><strong>Define Internal Triage and Assessment:</strong> Create a clear workflow for what happens the moment a vulnerability report lands. Who validates the issue? How will you score its severity using a standard like CVSS? And critically, who has the authority to declare it &#8220;actively exploited&#8221;?</p></li>



<li><p><strong>Prepare for Rapid Reporting:</strong> Don&#8217;t try to figure this out during a live incident. Have a pre-defined process and designated people ready to make that 24-hour notification to ENISA. A SaaS company, for example, must have a 24/7 on-call security rotation empowered to make that call. Your plan should also address modern challenges, such as <a href="https://supportgpt.app/blog/how-to-prevent-ai-hallucinations">preventing AI hallucinations</a> in any AI-driven systems.</p></li>
</ol>



<p>By building out these two pillars, you turn abstract regulatory threats into a clear, manageable operational plan.</p>



<h2 class="wp-block-heading">Your Compliance Roadmap to the 2027 Deadline</h2>



<p>That <strong>December 2027</strong> deadline for full Cyber Resilience Act compliance isn’t some far-off concept anymore. It&#8217;s a hard date that demands a clear plan, especially for organisations whose products fall under the <strong>CRA remote data processing solutions scope</strong>. A structured roadmap isn’t just a nice-to-have; it&#8217;s the only way to avoid a last-minute crisis.</p>



<p>Trying to tackle this in the final year is a recipe for failure. The work involves deep technical assessments, overhauling documentation, and making fundamental operational changes—none of which can be rushed. The only way to keep your products on the EU market without interruption is to start now with a methodical, phased approach.</p>



<h3 class="wp-block-heading">Phase 1: Starting Now</h3>



<p>The first and most important step is getting a complete picture of your product portfolio. You simply can’t secure what you don’t know you have. This initial phase is all about discovery.</p>



<p>Your immediate priority needs to be a full <strong>product portfolio audit</strong>. The goal here is to identify every single product—both software and hardware—that has a remote data processing element as part of its core function.</p>



<ul class="wp-block-list">
<li><strong>Action:</strong> Build a master inventory of every product you sell or plan to sell in the EU.</li>



<li><strong>Example:</strong> A smart home device manufacturer would list its smart plugs, cameras, and thermostats. For each, they’d need to document the cloud services used for control and data analysis, as these are the in-scope remote solutions.</li>



<li><strong>Outcome:</strong> You&#8217;ll end up with a comprehensive list of all potential &#8220;products with digital elements&#8221; and the remote services they depend on.</li>
</ul>



<h3 class="wp-block-heading">Phase 2: Late 2024 to Early 2025</h3>



<p>Once your inventory is locked down, the next phase is all about risk classification and deep analysis. This is where you shift from identifying <em>what</em> you have to understanding <em>how</em> the CRA applies to each product.</p>



<p>At this stage, you&#8217;ll apply the CRA&#8217;s risk criteria directly to your products. You&#8217;ll classify them based on their potential cybersecurity impact, which in turn determines the conformity assessment path you must follow.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Under the CRA, products are categorised by risk. The vast majority will be &#8220;Default Class,&#8221; but products listed as &#8220;Important&#8221; or &#8220;Critical&#8221; face much stricter conformity assessment procedures, often requiring third-party involvement.</p>
</blockquote>



<p>Your key tasks are:</p>



<ol class="wp-block-list">
<li><strong>Classify Products:</strong> Go through your list and determine if your products are Default Class or if they fall into the higher-risk &#8220;Important&#8221; or &#8220;Critical&#8221; categories defined by the European Commission. A practical example: a consumer-grade smart lightbulb is likely Default Class, while an industrial control system for a power grid would be Critical Class.</li>



<li><strong>Conduct Detailed Risk Assessments:</strong> For every in-scope product, you need to perform a thorough cybersecurity risk assessment as outlined in the CRA. This means identifying threats, analysing their potential impact, and documenting the security controls you have in place.</li>
</ol>



<h3 class="wp-block-heading">Phase 3: Mid-2025 to Mid-2027</h3>



<p>This final stretch is the most intensive. It&#8217;s focused on execution—pulling together all your evidence and formalising your compliance processes before the clock runs out.</p>



<p>During this period, you’ll be finalising all the required documentation and getting your organisation ready for its ongoing post-market obligations. As you build out your documentation and vulnerability response plans, it&#8217;s wise to look at established industry certifications; learning about <strong><a href="https://bluenotaryonline.com/soc-2-compliance-ron-platforms-data-security/">SOC 2 Compliance for RON Platforms</a></strong> can offer valuable insights into data security and integrity best practices.</p>



<p>Your final steps include:</p>



<ul class="wp-block-list">
<li><strong>Complete Technical Documentation:</strong> Assemble the complete technical file required by Annex II. This includes your risk assessment, SBOM, and all evidence of your security-by-design approach.</li>



<li><strong>Perform Conformity Assessments:</strong> Carry out the self-assessment (for Default Class) or the third-party assessment (for higher-risk classes) and officially issue the EU Declaration of Conformity.</li>



<li><strong>Operationalise Post-Market Processes:</strong> Finalise and test your vulnerability handling and <strong>24-hour</strong> reporting workflows. You need to be sure you can meet these ongoing obligations from day one.</li>
</ul>



<h2 class="wp-block-heading">Frequently Asked Questions</h2>



<p>Working out how the <strong>CRA remote data processing solutions scope</strong> applies to your own products can be confusing. Below are some clear, practical answers to the most common questions we hear from manufacturers and product security teams.</p>



<h3 class="wp-block-heading">Does a Simple API for Data Retrieval Fall Under the CRA?</h3>



<p>It all boils down to a test of &#8220;necessity&#8221;. Ask yourself: if the remote solution stopped working, would the product still be able to perform its main advertised function?</p>



<p>For instance, an API that feeds real-time stock prices to a financial tracking app is absolutely essential. The app can&#8217;t do its core job without it, so that remote solution is definitely in scope. On the other hand, an API that just lets a user download a PDF manual is a secondary feature, not a core function, placing it outside the CRA’s direct reach.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>The critical factor is dependency. If the product&#8217;s advertised purpose relies on the data from the remote solution, that solution becomes part of the regulated system.</p>
</blockquote>



<h3 class="wp-block-heading">Who Is Responsible if My Product Uses AWS for Backend Processing?</h3>



<p>You, the product manufacturer, are. The Cyber Resilience Act is unambiguous here: the manufacturer of the final product placed on the EU market must ensure the entire system is compliant.</p>



<p>While a cloud provider like <a href="https://aws.amazon.com/">AWS</a> gives you secure infrastructure, that’s just one piece of the puzzle. You are still responsible for making sure your specific application, its configurations, and all your data handling practices running <em>on top</em> of that infrastructure meet every single CRA cybersecurity requirement. You cannot simply delegate or outsource this final legal accountability.</p>



<h3 class="wp-block-heading">What if My Remote Data Processing Solution Is Hosted Outside the EU?</h3>



<p>The physical location of your servers makes no difference. The CRA’s authority is tied to where the product is <strong>placed on the market</strong>, not where the manufacturer or its infrastructure is physically located.</p>



<p>This means if you sell your product to customers anywhere in the EU, it must comply with the CRA. A classic example is a product sold in Germany that relies on a remote server in the United States for its functionality. The whole system—both the physical product in Germany and the US-based server—must be fully compliant with CRA regulations.</p>



<p>Importers have a legal duty to verify this compliance <em>before</em> placing the product on the EU market. This makes global compliance a basic requirement for market access, rendering geography irrelevant to your obligations.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Navigating the complexities of the CRA and understanding its scope for your products can be a major challenge. <strong>Regulus</strong> provides a clear, step-by-step software platform to assess applicability, map requirements, and build your compliance documentation efficiently. Gain clarity and confidence in your path to the <strong>2027</strong> deadline by visiting <a href="https://goregulus.com">https://goregulus.com</a>.</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-remote-data-processing-solutions-scope/">CRA Remote Data Processing Solutions Scope Explained</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Your Guide to CRA CE Marking Requirements</title>
		<link>https://goregulus.com/cra-basics/cra-ce-marking-requirements/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 01 Jun 2026 15:08:47 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CE Marking Guide]]></category>
		<category><![CDATA[CRA CE marking requirements]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU Cybersecurity Law]]></category>
		<category><![CDATA[Product Compliance]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2190</guid>

					<description><![CDATA[<p>For years, the CE mark on a product has been a quiet symbol of trust. It tells you a device meets the EU’s essential health, safety, and environmental standards. But with the Cyber Resilience Act (CRA), that familiar mark is getting a major cybersecurity upgrade. Think of the new CE mark as a cybersecurity passport [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-ce-marking-requirements/">Your Guide to CRA CE Marking Requirements</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>For years, the CE mark on a product has been a quiet symbol of trust. It tells you a device meets the EU’s essential health, safety, and environmental standards. But with the Cyber Resilience Act (CRA), that familiar mark is getting a major cybersecurity upgrade.</p>



<p>Think of the new CE mark as a cybersecurity passport for any <strong>product with digital elements</strong> you sell in the EU. It’s your formal declaration that the product is secure by design, has a solid plan for managing vulnerabilities, and comes with clear, transparent security information for users. Without this passport, your product simply won’t be allowed into the market.</p>



<h2 class="wp-block-heading">What Are the CRA CE Marking Requirements?</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-ce-marking-requirements-product-security.jpg" alt="Sketch of an open book with CE passport, secure design, vulnerability management, and smart devices."/></figure>



<p>The Cyber Resilience Act fundamentally transforms the CE mark from a general safety promise into a legally binding statement about your product’s digital security. Where a CE mark on an IoT device once signified electrical safety or electromagnetic compatibility, it will now also prove the product meets a tough set of cybersecurity rules.</p>



<p>This isn’t a small change. It means manufacturers can no longer afford to treat security as a feature or an afterthought. It has to be baked into the product from day one. More importantly, compliance isn’t a one-off task you can tick off a list; it’s a continuous commitment that lasts for the entire product lifecycle.</p>



<p>To get a better sense of the core requirements, we&#8217;ve put together a quick summary table. This breaks down the main pillars you&#8217;ll need to build your compliance strategy on.</p>



<h3 class="wp-block-heading">Core Pillars of CRA CE Marking at a Glance</h3>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Pillar</th><th>What It Means for You</th><th>Key Deadline</th></tr><tr><td><strong>Secure by Design &amp; Default</strong></td><td>Your product must be developed with security built-in, not bolted on. This includes minimising the attack surface and ensuring it ships with a secure configuration out of the box.</td><td>Late 2027</td></tr><tr><td><strong>Technical Documentation</strong></td><td>You need to maintain a detailed technical file, including a cybersecurity risk assessment and a complete Software Bill of Materials (SBOM), ready for inspection by authorities.</td><td>Late 2027</td></tr><tr><td><strong>Vulnerability Management</strong></td><td>You must have a public, structured process for receiving, assessing, and fixing security vulnerabilities. This isn&#8217;t optional; it&#8217;s a core operational requirement.</td><td>Late 2027</td></tr><tr><td><strong>Lifecycle Support</strong></td><td>You are legally obligated to provide security updates for the product&#8217;s expected lifetime or a minimum of <strong>five years</strong>, and you must be transparent about the support period.</td><td>Late 2027</td></tr><tr><td><strong>Breach &amp; Vulnerability Reporting</strong></td><td>You must notify ENISA of any actively exploited vulnerabilities within <strong>24 hours</strong> and inform your users of serious incidents without undue delay. This obligation starts earlier than others.</td><td>Mid-2027</td></tr></tbody></table></figure>


<p>Ultimately, achieving CE marking under the CRA is about proving you have a handle on these five pillars. Each one represents a critical part of your product&#039;s journey to the EU market.</p>
<blockquote>
<p>Make no mistake: starting in 2027, any non-compliant products will be stopped at the border. This isn&#039;t just about avoiding hefty fines; it&#039;s a fundamental issue of market access. For any tech company selling in Europe, this has become a top business priority.</p>
</blockquote>
<p>Getting this right involves a structured process, from risk assessment to final declaration. You can learn more about how to <a href="https://goregulus.com/cra-basics/obtain-a-ce-certificate-for-the-cra/">obtain a CE certificate for the CRA</a> and what the full journey looks like. In the end, the new CE mark is designed to send a clear signal to everyone—from individual consumers to large enterprises—that your product can be trusted in our deeply connected world.</p>
<h2>Does the CRA Apply to Your Products</h2>
<p>The very first question on any Cyber Resilience Act compliance roadmap is simple: does this regulation even apply to my products? Getting this right from the start is absolutely critical. It stops you from wasting time and money on compliance for exempt items and lets you focus your resources where they’re actually needed.</p>
<p>The CRA’s scope is intentionally broad, designed to bring a baseline of cybersecurity to almost every piece of modern hardware and software sold in the EU. The regulation targets <strong>products with digital elements (PDEs)</strong>, which is a straightforward term for any product containing software or firmware that can connect, either directly or indirectly, to another device or network. This definition casts an incredibly wide net, capturing a huge range of items that go far beyond what you might think of as a typical &quot;IoT device.&quot;</p>
<h3>Defining Products with Digital Elements</h3>
<p>To get a handle on the scope, don&#039;t think in rigid categories. Instead, think about capabilities. If your product has any processing power and communicates digitally, it’s almost certainly in scope. That connection doesn&#039;t even have to be to the internet—a simple Bluetooth link between a device and a smartphone app is more than enough to qualify.</p>
<p>Here are a few practical examples of what falls under the PDE definition:</p>
<ul>
<li><strong>Smart Home Devices:</strong> This covers everything from smart TVs and connected baby monitors to intelligent thermostats and home security cameras.</li>
<li><strong>Computer Hardware &amp; Peripherals:</strong> Laptops, routers, and even computer mice with configurable software are all included.</li>
<li><strong>Standalone Software:</strong> A downloadable productivity app, a mobile game, or a photo editing program all count as products with digital elements.</li>
<li><strong>Industrial Components:</strong> Programmable Logic Controllers (PLCs), industrial sensors, and other operational technology (OT) used in manufacturing settings are firmly in scope.</li>
</ul>
<p>This broad reach means you really need to audit your entire product line. It isn&#039;t just about what you sell, either. Even products you offer for free are covered by the CRA if they are provided as part of a commercial activity, for example, by carrying your company&#039;s branding.</p>
<blockquote>
<p>The core principle is straightforward: if you place a product with digital elements on the EU market, the CRA’s rules apply. It doesn&#039;t matter if your company is based in Berlin or Boston; selling into the EU is the trigger.</p>
</blockquote>
<h3>Understanding Key Exemptions</h3>
<p>While the scope is wide, it isn&#039;t limitless. The CRA rightly acknowledges that some sectors are already covered by their own robust cybersecurity regulations. To avoid creating a confusing mess of overlapping legal duties, certain product categories are explicitly excluded.</p>
<p>Key exemptions from the CRA include:</p>
<ul>
<li><strong>Medical Devices:</strong> These are already governed by the Medical Devices Regulation (MDR).</li>
<li><strong>In-vitro Diagnostic Medical Devices:</strong> These fall under the In-vitro Diagnostic Regulation (IVDR).</li>
<li><strong>Automotive:</strong> Vehicles and their components are covered by specific UNECE regulations.</li>
<li><strong>Aviation:</strong> Products certified under existing aviation safety rules are exempt.</li>
<li><strong>Purely Open-Source Software:</strong> Software developed and supplied completely outside of any commercial activity is not covered. However, that exemption disappears the moment you integrate that software into a commercial product you&#039;re placing on the market.</li>
</ul>
<p><strong>Practical Example of an Exemption:</strong><br />A German company develops an advanced driver-assistance system (ADAS) that it sells to car manufacturers across the EU. Although this system is a product with digital elements, it is exempt from the CRA because it falls under existing UNECE automotive regulations, which have their own cybersecurity requirements. The company must comply with the automotive rules, not the CRA.</p>
<p>For instance, in Spain&#039;s bustling tech hubs like Barcelona and Madrid, IoT vendors are already racing to meet regulatory deadlines. The new CE marking process demands a structured conformity assessment that could literally make or break their market access. According to official timelines, full CRA obligations apply from <strong>11 December 2027</strong>, but the preparation needs to start now. With over <strong>500,000</strong> digital products imported annually into the ES region, Spanish authorities will be scrutinising CE marks under the CRA, adding a whole new cybersecurity layer to existing directives. You can read more about <a href="https://www.cyberresilienceact.eu/how-to-obtain-a-ce-certificate-for-the-cra/">how to prepare for CRA certification deadlines</a> and the necessary steps.</p>
<h2>Navigating Product Risk Classification</h2>
<p>Once you’ve confirmed the Cyber Resilience Act applies to your products, your next critical move is to classify them. The CRA doesn’t treat all products the same; it splits them into risk categories that will dictate your entire compliance strategy, budget, and timeline. Getting this right isn&#039;t just a box-ticking exercise—it&#039;s the strategic fork in the road for your CE marking journey.</p>
<p>At its heart, the CRA creates two main buckets. The vast majority of products land in the <strong>‘Default’</strong> or non-critical category. A smaller, more sensitive group gets labelled <strong>‘Critical’</strong>. The dividing line is simple: what’s the potential for widespread damage if the product’s security fails? Think of it like a smart home: a connected light bulb is a ‘Default’ product, but the central security hub managing your door locks and alarms is squarely in the ‘Critical’ camp.</p>
<p>This decision tree can help you visualise the first few steps in figuring out if your product falls under the CRA&#039;s scope, which then leads directly into this classification process.</p>
<p><figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-ce-marking-requirements-decision-tree.jpg" alt="CRA applicability decision tree flowchart outlining steps for digital products sold in EU, leading to applicable or not applicable." /></figure>
</p>
<p>As the flowchart shows, the key questions are straightforward. If you sell a digital product in the EU and it’s not specifically exempt, the CRA applies. Your next job is risk classification.</p>
<h3>Distinguishing Default from Critical Products</h3>
<p>Most products with digital elements will be considered <strong>&#039;Default&#039;</strong>. These are items that, on their own, don&#039;t pose a systemic cybersecurity risk. The good news here is that these products can usually follow a much simpler and more cost-effective path to compliance.</p>
<blockquote>
<p>For products in the &#039;Default&#039; category, manufacturers can perform a <strong>self-assessment</strong> of conformity. This lets you internally verify and document that your product meets all the essential security requirements laid out in Annex I of the Act.</p>
</blockquote>
<p>This route involves rigorous internal testing, creating all the required technical documentation, and signing the EU Declaration of Conformity yourself. It gives you more control but also puts the full weight of compliance squarely on your shoulders.</p>
<p><strong>Practical Example of a &#039;Default&#039; Product:</strong><br />A company in Valencia develops a smart garden watering system. Its device connects to a mobile app via Bluetooth to let users schedule watering times. A security failure would be annoying, for sure, but it’s highly unlikely to cause widespread harm. The company can therefore self-assess its product against the CRA&#039;s security rules, build its technical file, and affix the CE mark without involving a third-party auditor.</p>
<h3>Identifying Critical Products in Class I and Class II</h3>
<p>&#039;Critical&#039; products are a different beast entirely. These are specifically listed in <strong>Annex III</strong> of the CRA and are broken down into two further sub-categories: <strong>Class I</strong> and <strong>Class II</strong>, where Class II represents the highest level of risk. We’re talking about products whose failure could disrupt critical infrastructure, threaten public safety, or trigger massive data breaches.</p>
<p>The criteria for a &#039;critical&#039; designation are all tied to the product&#039;s core function. If your product does any of the following, it’s almost certainly going to be considered critical:</p>
<ul>
<li><strong>Security Functions:</strong> This includes products like password managers, antivirus software, and virtual private networks (<a href="https://en.wikipedia.org/wiki/Virtual_private_network">VPNs</a>).</li>
<li><strong>Network Control:</strong> Think routers, modems, firewalls, and industrial switches.</li>
<li><strong>System Administration:</strong> This covers products used to manage operating systems, servers, or other high-privilege environments.</li>
<li><strong>Industrial Automation:</strong> This bucket includes industrial control systems (ICS), SCADA systems, and programmable logic controllers (PLCs) running factories and power plants.</li>
</ul>
<p>For these high-stakes products, a self-assessment is off the table. They demand a far more stringent conformity assessment procedure that involves an external, independent auditor.</p>
<p><strong>Practical Example of a &#039;Critical&#039; Product:</strong><br />A tech firm in Barcelona builds industrial firewalls to protect factory networks. Because this product is a core security component for critical infrastructure, it falls squarely into the &#039;Critical&#039; category defined in Annex III. To get its CE mark, the company <em>must</em> hire a <strong>Notified Body</strong>—an accredited third-party organisation—to conduct an independent audit of the product&#039;s design, documentation, and security controls before it can be legally sold in the EU. This external validation adds significant time and cost but provides a much higher level of assurance.</p>
<h2>Understanding Your Role in the Supply Chain</h2>
<p>Achieving Cyber Resilience Act compliance is a team sport, not a burden that falls on the manufacturer alone. The regulation deliberately spreads responsibility across the entire supply chain, creating a clear chain of custody for cybersecurity. Every economic operator—whether you’re a <strong>manufacturer</strong>, <strong>importer</strong>, or <strong>distributor</strong>—has distinct legal duties to ensure only secure products reach EU consumers.</p>
<p>Think of it like building a house. The <strong>manufacturer</strong> is the architect and builder, responsible for designing a secure structure from the ground up and proving it meets the code. The <strong>importer</strong> is the building inspector who verifies the architect&#039;s plans and materials before anyone is allowed to move in. And the <strong>distributor</strong> is the estate agent, checking that the final property has its certificate of occupancy before listing it for sale.</p>
<p>If a single link in this chain fails, the whole structure is at risk, and liability is shared. This principle of collective responsibility is fundamental to the <strong>CRA’s CE marking requirements</strong>.</p>
<h3>The Manufacturer&#039;s Core Obligations</h3>
<p>As the product’s creator, the manufacturer carries the heaviest load. They are the source of compliance, performing the foundational work that everyone else in the supply chain depends on. Their duties are extensive and form the bedrock of the product’s security posture for its entire lifecycle.</p>
<p>Key obligations for manufacturers include:</p>
<ul>
<li><strong>Conducting a Conformity Assessment:</strong> This is the formal process of verifying and documenting that the product meets all the essential security requirements laid out in Annex I of the CRA.</li>
<li><strong>Creating the Technical Documentation:</strong> They must assemble a complete technical file, which acts as the evidence binder. This includes the cybersecurity risk assessment, a Software Bill of Materials (SBOM), and all security test results.</li>
<li><strong>Issuing the EU Declaration of Conformity (DoC):</strong> This is the legal document where the manufacturer formally declares that their product is CRA-compliant.</li>
<li><strong>Affixing the CE Mark:</strong> Once the DoC is signed, the manufacturer can place the CE mark on the product, its packaging, or its documentation.</li>
</ul>
<p>For a deeper dive into managing the security of components within your product, consider exploring the complexities of <a href="https://goregulus.com/cra-basics/supply-chain-softwares/">supply chain software security</a>. Getting this right is crucial for a complete and credible technical file.</p>
<h3>The Importer&#039;s Crucial Verification Duty</h3>
<p>Importers serve as the EU’s first line of defence for products originating outside the Union. They have a legal obligation to be active gatekeepers—they can&#039;t just passively assume the manufacturer has done their job correctly. Their role is one of verification, not blind trust.</p>
<p>Before placing any product on the EU market, an importer <strong>must</strong> confirm that the manufacturer has fulfilled their key obligations.</p>
<blockquote>
<p>An importer&#039;s liability is significant. If they place a non-compliant product on the market, they are held responsible as if they were the manufacturer themselves. Under the CRA, ignorance is no defence.</p>
</blockquote>
<p><strong>Practical Example of an Importer&#039;s Role:</strong><br />Imagine a Spanish importer in Madrid receives a shipment of smartwatches from a manufacturer in Asia. Before these watches can be sold to retailers, the importer is legally required to:</p>
<ol>
<li>Verify the manufacturer has actually performed a conformity assessment.</li>
<li>Confirm that a complete technical file exists and can be made available upon request by authorities.</li>
<li>Obtain and check the EU Declaration of Conformity to ensure it is correctly filled out and signed.</li>
<li>Make sure the CE mark is visibly and correctly affixed to the product or its packaging.</li>
</ol>
<p>Only after these checks are complete can the importer legally place the smartwatches on the EU market.</p>
<h3>The Distributor&#039;s Due Diligence</h3>
<p>Distributors are the final link in the chain before a product gets to the end-user. While their obligations are less intensive than those of manufacturers or importers, they still play a vital part in market surveillance. Their duty is to exercise <strong>due care</strong>.</p>
<p>A distributor must act with the diligence expected of a professional in their field, which means performing some basic but important checks. Before making a product available for sale, a distributor has to verify that:</p>
<ul>
<li>The product clearly bears the CE marking.</li>
<li>It comes with the required documentation, including user instructions, in a language easily understood by consumers in that Member State.</li>
</ul>
<p><strong>Practical Example of a Distributor&#039;s Role:</strong><br />An electronics retail chain in France receives a batch of new connected security cameras for its stores. Before putting them on the shelves, the manager must verify that each camera&#039;s box has a CE mark and that the instructions inside are written in French. If the CE mark is missing, the distributor cannot sell the cameras and must notify the importer who supplied them.</p>
<p>If a distributor has any reason to believe a product isn&#039;t compliant, they must not sell it. Instead, they are obligated to inform the manufacturer or importer and, if the risk is serious, the national market surveillance authorities. This final check helps ensure non-compliant products are caught before they ever reach a customer’s hands.</p>
<h2>Preparing Your Technical Documentation and EU Declaration</h2>
<p>Think of your technical documentation as the official evidence file for your product’s cybersecurity. It’s where you prove, on paper, that you’ve met all the <strong>CRA CE marking requirements</strong>. This isn’t about just writing another user manual; it&#039;s about systematically building a compelling case that your product is secure, resilient, and ready for the EU market.</p>
<p>This process is what turns abstract compliance goals into concrete, auditable proof. For market authorities, it’s the first place they’ll look to verify your claims. For you, it’s the master record of your due diligence, showing that security was baked in from the very first line of code.</p>
<p><figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-ce-marking-requirements-compliance-documents.jpg" alt="An illustration of compliance documents, including Technical Documentation, SBOM, EU Declaration, and a magnifying glass." /></figure>
</p>
<p>You’ll need to keep this technical documentation for at least <strong>10 years</strong> after the product is first sold, ready for inspection by market surveillance authorities at any time.</p>
<h3>What Goes into the Technical File</h3>
<p>The CRA, in <strong>Annex VII</strong>, is quite specific about what this documentation must contain. It’s a comprehensive collection of reports, assessments, and records that tell the full story of your product&#039;s security journey from concept to deployment.</p>
<p>Key components you’ll need to have in order are:</p>
<ul>
<li><strong>A Detailed Product Description:</strong> This should cover the product&#039;s intended purpose, design, hardware and software versions, and clear user instructions.</li>
<li><strong>Cybersecurity Risk Assessment:</strong> You have to document every cybersecurity risk you identified and, just as importantly, the steps you took to mitigate them. This is the absolute cornerstone of your file.</li>
<li><strong>Software Bill of Materials (SBOM):</strong> A complete inventory of all your software components, from open-source libraries to commercial modules. This is non-negotiable under the CRA and provides critical transparency.</li>
<li><strong>Evidence of Security Testing:</strong> This includes the results from all your vulnerability scans, penetration tests, and secure code reviews. Show your work.</li>
</ul>
<p>To properly fulfil the technical documentation requirements, you need to embed robust <a href="https://www.cleffex.com/blog/software-security-best-practices/">software security best practices for resilience</a> into your development lifecycle, ensuring your product meets the CRA&#039;s essential security standards from the ground up.</p>
<p><strong>Practical Example: A Software Company&#039;s Technical File</strong><br />Imagine a software development firm in Seville preparing its new project management tool for the EU market. Its technical file would include a threat model analysing potential data breaches, a full SBOM generated in CycloneDX format, and penetration test reports from a third-party security firm. They’d also document their own secure coding standards and the results of static analysis security testing (SAST) scans run during development.</p>
<h3>The Final Step: The EU Declaration of Conformity</h3>
<p>Once your technical documentation is complete and you&#039;ve successfully passed the right conformity assessment, you reach the final, formal step: signing the <strong>EU Declaration of Conformity (DoC)</strong>. This is much more than just another piece of paper; it’s a legally binding attestation.</p>
<p>By signing the DoC, you—as the manufacturer—take full responsibility for your product’s compliance with the Cyber Resilience Act. It is your official, public statement declaring that the product meets every single essential security requirement.</p>
<blockquote>
<p>The EU Declaration of Conformity is the key that unlocks the CE mark. Without a signed DoC, you cannot legally affix the CE marking to your product. It’s the final, definitive step in proving your adherence to the CRA.</p>
</blockquote>
<p>This declaration must directly reference the Cyber Resilience Act and list any harmonised standards you used to demonstrate conformity. If a Notified Body was involved in a third-party assessment (as required for Critical products), their name and identification number must also be included. Our guide offers more detail on how to prepare the <a href="https://goregulus.com/cra-documentation/cra-declaration-of-conformity/">CRA Declaration of Conformity</a> correctly.</p>
<p>After signing the DoC, you can finally affix the CE mark to your product, its packaging, or its accompanying documents. That mark becomes the visible symbol of all the rigorous work you’ve documented, signalling to customers and regulators that your product is built on a foundation of security and trust.</p>
<h2>Your Actionable Checklist for CRA Compliance</h2>
<p>Let&#039;s move from theory to a practical roadmap. With the Cyber Resilience Act deadlines approaching, having a structured plan isn&#039;t just a good idea—it&#039;s essential for getting your <strong>CE marking</strong> in order. This checklist breaks down the journey from initial assessment to your final declaration, helping you see where to put your resources and how to track progress.</p>
<p>Waiting until the last minute simply won&#039;t work. Imagine you manufacture smart thermostats for the EU market. After the final deadline, your products can&#039;t be sold without the correct CE mark under the CRA. The penalties for getting this wrong are severe, with administrative fines reaching up to €15 million or <strong>2.5%</strong> of your total worldwide annual turnover. Even sooner, the obligation to report actively exploited vulnerabilities kicks in.</p>
<h3>Phase 1: Initial Assessment and Scoping</h3>
<p>The first phase is all about understanding where you stand and what&#039;s in scope. This foundational work is critical for focusing your efforts where they matter most.</p>
<ol>
<li>
<p><strong>Map Your Product Portfolio for CRA Applicability</strong><br />Get your legal and product teams in a room to audit every single product with digital elements sold in the EU. Your goal is a master list that clearly shows which items are in scope and which might be exempt under other rules, like those for medical devices or automotive systems.</p>
</li>
<li>
<p><strong>Classify All In-Scope Products by Risk</strong><br />Once you know what&#039;s covered, your product security team needs to classify each item. Is a product ‘Default’ or does it fall into one of the ‘Critical’ categories (Class I or II) as defined in Annex III? This decision steers your entire conformity assessment path.</p>
</li>
</ol>
<h3>Phase 2: Gap Analysis and Policy Development</h3>
<p>With your products mapped and classified, it&#039;s time to find the gaps in your current setup and build the internal processes you&#039;ll need. This phase is about creating the organisational muscle for ongoing compliance.</p>
<ul>
<li><strong>Conduct a Gap Analysis Against Annex I:</strong> Your engineering and security teams need to methodically check your existing product security features against the essential requirements laid out in Annex I. The output will be a clear list of technical debt and new security features to build.</li>
<li><strong>Establish a Vulnerability Disclosure Policy:</strong> Your legal and security teams should work together to draft and publish a clear, public-facing policy for how you receive and handle vulnerability reports. This is a core CRA requirement and the bedrock of your post-market surveillance.</li>
<li><strong>Design Your Reporting Workflow:</strong> You need a rock-solid internal procedure for notifying ENISA within <strong>24 hours</strong> of discovering an actively exploited vulnerability. Designate who is responsible and run drills to make sure you can hit that deadline reliably.</li>
</ul>
<blockquote>
<p>A common mistake is underestimating the effort needed for documentation. This isn&#039;t just about writing user manuals; it&#039;s about building a complete evidence file that proves your due diligence to regulators.</p>
</blockquote>
<h3>Phase 3: Documentation and Final Declaration</h3>
<p>This final phase is where you create the proof of your compliance. You&#039;ll assemble all the evidence into the formal documents required by market authorities.</p>
<ol>
<li>
<p><strong>Draft Your Technical Documentation</strong><br />As you prepare your technical documentation to show conformity, robust security assessments are a must. This often involves methods like <a href="https://titaniumcomputing.com/cyber-security/penetration-testing/">cybersecurity penetration testing</a> to really validate your product&#039;s resilience. Your engineering team will compile the risk assessment, SBOM, test results, and all other evidence into a complete technical file.</p>
</li>
<li>
<p><strong>Prepare the EU Declaration of Conformity</strong><br />With a complete technical file and a passed conformity assessment, your legal team can now draft the EU Declaration of Conformity. This is the final legal step you take before you can affix the CE mark to your product.</p>
</li>
</ol>
<p>This checklist gives you a high-level project plan. For a more granular, step-by-step tool to help manage your compliance journey, you can <strong>check out our comprehensive CRA checklist</strong> to build your own tailored roadmap.</p>
<h2>Frequently Asked Questions About the CRA</h2>
<p>As the Cyber Resilience Act comes into force, many manufacturers, importers, and developers are grappling with a new and complex set of rules. To help clear up some of the most common points of confusion, we’ve put together answers to the questions we hear most often about <strong>CRA CE marking requirements</strong>.</p>
<h3>What If My Product Was on the Market Before the CRA Deadline?</h3>
<p>The Cyber Resilience Act is not retroactive. If your product was placed on the EU market before the <strong>December 2027</strong> compliance date, it isn’t subject to these specific rules. This provides a clear cut-off point for legacy devices.</p>
<p>However, there&#039;s a crucial exception to be aware of. Any existing product that undergoes a <strong>“substantial modification”</strong> that could change its security posture will be pulled into the CRA&#039;s scope. Of course, any new product launched after the deadline must be fully compliant from day one and carry the updated CE mark.</p>
<p><strong>Practical Example:</strong> A company launched a smart coffee machine in 2026. This product is not subject to the CRA. However, in 2028, the company releases a major firmware update that adds a new cloud connectivity feature. This is a &quot;substantial modification,&quot; so the updated coffee machine must now become fully CRA compliant and obtain the correct CE mark.</p>
<h3>How Long Must I Provide Security Updates?</h3>
<p>Manufacturers have a legal obligation to provide security updates for a minimum of <strong>five years</strong> after placing a product on the market. This duty is a cornerstone of the CRA&#039;s post-market surveillance requirements, designed to ensure products stay secure long after the initial sale.</p>
<p>If a product&#039;s expected lifetime is shorter than five years, the support period can match that shorter duration. The key is that this support period must be clearly communicated to customers in the product&#039;s documentation, providing essential transparency.</p>
<blockquote>
<p><strong>Practical Example:</strong> A company sells a smart home camera with an expected lifetime of seven years. It must provide security patches for at least five of those years. If it sells a simpler connected toy with an expected lifetime of only three years, it is only obligated to support it for those three years.</p>
</blockquote>
<h3>Can I Use One Declaration of Conformity for Multiple EU Rules?</h3>
<p>Yes, you can. If your product is also covered by other EU legislation that requires a Declaration of Conformity—like the Radio Equipment Directive (RED), for example—you are permitted to create a single, consolidated EU Declaration of Conformity. This is a practical measure to help simplify the administrative burden.</p>
<p>This single document must clearly list all the applicable EU acts your product complies with. It serves as your formal statement that the product meets all relevant requirements from each piece of legislation, not just the CRA.</p>
<h3>What Is a Software Bill of Materials (SBOM) and Why Do I Need It?</h3>
<p>A Software Bill of Materials (SBOM) is a detailed, structured inventory of all the software components, libraries, and modules that make up your product. The simplest way to think about it is as a list of ingredients for your software.</p>
<p>The CRA mandates that an SBOM be included as part of your technical documentation. Its purpose is to create much-needed transparency in the software supply chain. By maintaining this list, you, your customers, and regulatory authorities can quickly identify and manage potential vulnerabilities found in the third-party code your product depends on.</p>
<hr>
<p>Navigating the complexities of the Cyber Resilience Act can be a major challenge. <strong>Regulus</strong> provides a software platform designed to simplify CRA compliance. Our solution unifies applicability assessments, product classification, and requirements mapping, generating a tailored roadmap to help you confidently place compliant products on the EU market. <a href="https://goregulus.com">Learn more about how Regulus can help your business prepare for the CRA</a>.</p><p>La entrada <a href="https://goregulus.com/cra-basics/cra-ce-marking-requirements/">Your Guide to CRA CE Marking Requirements</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CRA Market Surveillance Authorities Powers: A Practical Guide</title>
		<link>https://goregulus.com/cra-basics/cra-market-surveillance-authorities-powers/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 25 May 2026 13:48:28 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA Market Surveillance Authorities Powers]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU Compliance]]></category>
		<category><![CDATA[MSA Enforcement]]></category>
		<category><![CDATA[product security]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2183</guid>

					<description><![CDATA[<p>Under the Cyber Resilience Act (CRA), the powers of market surveillance authorities are getting a serious upgrade. They are being given a full toolkit to investigate, restrict, and penalise non-compliant digital products. These new &#8220;digital watchdogs&#8221; can demand your technical documentation, order product recalls, and hit you with multi-million euro fines to enforce cybersecurity standards [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-market-surveillance-authorities-powers/">CRA Market Surveillance Authorities Powers: A Practical Guide</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Under the Cyber Resilience Act (CRA), the powers of market surveillance authorities are getting a serious upgrade. They are being given a full toolkit to <strong>investigate, restrict, and penalise non-compliant digital products</strong>.</p>



<p>These new &#8220;digital watchdogs&#8221; can demand your technical documentation, order product recalls, and hit you with multi-million euro fines to enforce cybersecurity standards across the EU.</p>



<h2 class="wp-block-heading">Understanding the New Digital Watchdogs</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-market-surveillance-authorities-powers-market-surveillance.jpg" alt="Illustration of a magnifying glass examining a device, surrounded by EU stars and a checkmark, with MSA text."/></figure>



<p>The Cyber Resilience Act isn&#8217;t just more paperwork. It kicks off a new era for digital product safety, enforced by powerful national regulators known as Market Surveillance Authorities (MSAs). These bodies are the engine room of the CRA&#8217;s enforcement strategy, responsible for making sure every product with digital elements sold in the EU is secure.</p>



<p>Think of an MSA as a new breed of digital safety inspector for the European Union. They now have the authority to proactively examine any product—from a smart thermostat to industrial control software—for potential security weaknesses, even if no incident has been reported. A practical example could be France&#8217;s ANSSI deciding to test the security of all connected baby monitors available on the French market to check for unauthorized access vulnerabilities.</p>



<h3 class="wp-block-heading">The MSA&#8217;s Core Mandate</h3>



<p>At its heart, an MSA&#8217;s mission is to shield the single market from insecure products. Their job is to check that manufacturers, importers, and distributors are meeting their obligations all the way through a product’s lifecycle.</p>



<p>This breaks down into three key activities:</p>



<ul class="wp-block-list">
<li><strong>Verifying Compliance:</strong> Checking that products carry the correct CE marking and are backed by a complete and accurate EU Declaration of Conformity. For example, an MSA could purchase a popular smart lock from an online store and first check if the CE mark is present on the product and its packaging, and then request the Declaration of Conformity from the importer.</li>



<li><strong>Investigating Risks:</strong> Proactively testing products and demanding technical files to find vulnerabilities before they can be exploited. For instance, an authority could perform penetration testing on a new connected car&#8217;s infotainment system to see if it can be hacked to control critical functions.</li>



<li><strong>Enforcing Rules:</strong> Taking corrective actions against non-compliant products to get them off the market and protect consumers. A real-world scenario would be an MSA ordering a manufacturer to stop selling a line of smart TVs after discovering they transmit user data without encryption.</li>
</ul>



<p>To truly grasp the scope of an MSA’s authority, you need to understand the principles of <a href="https://www.documind.chat/blog/what-is-statutory-interpretation">statutory interpretation</a>, as these govern how their mandates are defined and ultimately put into practice.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>An MSA’s power isn&#8217;t just reactive. They are empowered to conduct &#8220;sweeps&#8221; of specific product categories, such as IoT home devices or connected toys, to gauge the overall security level of the market and root out bad actors.</p>
</blockquote>



<p>For instance, the Spanish National Cybersecurity Institute (INCIBE) could decide to investigate all smart plugs sold in Spain. They would have the power to request technical documentation, including risk assessments and vulnerability handling processes, from every single manufacturer.</p>



<p>If a manufacturer can&#8217;t produce this evidence, or if their product is found to be insecure, INCIBE can order an immediate sales ban. You can get more insight into what regulators expect by reading the European Commission&#8217;s <a href="https://goregulus.com/uncategorized/cra-implementation-guidance-european-commission/">CRA implementation guidance</a>.</p>



<h2 class="wp-block-heading">MSA Investigations: Information and Access Rights</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-market-surveillance-authorities-powers-compliance-review.jpg" alt="An MSA request document, security reports, source code, SBOM files, and a clock, with a person pointing, illustrate a compliance process."/></figure>



<p>Market Surveillance Authorities (MSAs) are armed with serious investigative powers to check for Cyber Resilience Act (CRA) compliance, and they aren&#8217;t just waiting for a problem to be reported. These authorities can proactively demand access to your company’s most sensitive technical data to make sure your products are secure from the ground up.</p>



<p>This proactive approach marks a fundamental shift. Instead of only reacting to incidents, MSAs are now empowered to run planned and unplanned audits to verify that your products conform to the regulation. This is a core part of the <strong>CRA market surveillance authorities powers</strong>, designed to catch security flaws before they can be widely exploited.</p>



<h3 class="wp-block-heading">The Scope of Information Requests</h3>



<p>When an MSA opens an investigation, its right to access information is incredibly broad. This is far from a simple box-ticking exercise; authorities have the power to dig deep into your product’s architecture and your company&#8217;s internal security processes.</p>



<p>They can demand a whole range of documents and data, including:</p>



<ul class="wp-block-list">
<li><strong>Technical Documentation:</strong> Required under Annex VII of the CRA, this is the master file for your product’s compliance journey. It needs to contain everything from the product’s intended use and design to the results of your cybersecurity risk assessment.</li>



<li><strong>Software Bill of Materials (SBOM):</strong> An MSA will want to see a full inventory of all software components, covering everything from open-source libraries to commercial third-party code. This helps them assess your supply chain security and see how you handle vulnerabilities in your dependencies.</li>



<li><strong>Security Assessments and Test Reports:</strong> This includes solid proof from penetration tests, vulnerability scans, and secure code reviews. You must be able to show that you&#8217;ve actively looked for weaknesses in your product.</li>



<li><strong>Vulnerability Handling Processes:</strong> Authorities will carefully examine your internal procedures for finding, evaluating, and fixing vulnerabilities after your product is on the market.</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>In exceptional and fully justified cases, the <strong>CRA market surveillance authorities powers</strong> even extend to requesting <strong>access to your product’s source code</strong>. This is seen as a last resort, usually reserved for high-risk products when all other documentation isn&#8217;t enough to confirm compliance.</p>
</blockquote>



<h3 class="wp-block-heading">A Practical Example of an MSA Request</h3>



<p>Imagine your company builds a popular line of connected thermostats sold across the EU. One morning, you get a formal information request from Spain&#8217;s National Cybersecurity Institute (INCIBE), the region&#8217;s designated MSA. The notice says they&#8217;re running a compliance check on smart home devices.</p>



<p>The request demands that within <strong>10 business days</strong>, you provide the complete technical documentation for your main thermostat model. This includes the full SBOM, records of all security updates from the last <strong>24 months</strong>, and a detailed report on how you fixed three specific Common Vulnerabilities and Exposures (CVEs) found in an open-source library used in your firmware.</p>



<p>This scenario shows you the level of detail and tight deadlines you could be up against. Failing to provide this information accurately and on time would be a direct breach of the CRA, leading to immediate corrective measures and possible fines.</p>



<h3 class="wp-block-heading">Remote and Physical Product Access</h3>



<p>Beyond asking for documents, the <strong>CRA market surveillance authorities powers</strong> give them the right to directly inspect and test your products. This can happen in a couple of ways.</p>



<p>First, an authority can carry out <strong>remote inspections</strong>. They might use network tools to check your product for open ports, weak encryption, or other security flaws that can be spotted from the outside. For instance, an MSA could use a tool like Shodan to scan for internet-connected devices from a specific manufacturer and test if they are using default, easily guessable passwords.</p>



<p>Second, they have the right to <strong>request or buy a product sample for physical evaluation</strong>. This lets them perform detailed laboratory testing, including reverse engineering and forensic analysis, to find hidden vulnerabilities that remote scanning would miss. If they uncover a serious risk, they can order you to take immediate action. A practical example is Germany&#8217;s BSI purchasing a connected doorbell, taking it to their lab, and using hardware-level attacks to extract its encryption keys.</p>



<p>These broad access rights are backed by real enforcement. You can discover more insights about the <a href="https://www.taylorwessing.com/en/insights-and-events/insights/2025/11/cyber-resilience-act-overview">Cyber Resilience Act&#8217;s rollout on taylorwessing.com</a>. This just goes to show how critical it is for manufacturers to have their documentation organised and ready for scrutiny at a moment&#8217;s notice.</p>



<h2 class="wp-block-heading">The Consequences of Non-Compliance: Corrective Actions and Fines</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-market-surveillance-authorities-powers-product-recall.jpg" alt="Diagram illustrates product withdrawal from a shelf, a camera, and recall from a house, with a financial warning tag."/></figure>



<p>Failing to meet your obligations under the Cyber Resilience Act isn&#8217;t a minor administrative slip-up. It&#8217;s an invitation for serious penalties that can directly threaten your market access and your bottom line. When a Market Surveillance Authority (MSA) identifies a non-compliant product, it has a powerful set of tools designed to remove that risk from the EU single market—swiftly and decisively.</p>



<p>Understanding these enforcement actions is central to grasping the full scope of <strong>CRA market surveillance authorities&#8217; powers</strong>. The consequences aren&#8217;t just financial; they can stop your sales cold, inflict lasting damage on your brand, and force you into complex and costly logistical operations.</p>



<h3 class="wp-block-heading">Product Withdrawal vs. Recall: A Critical Distinction</h3>



<p>When an MSA finds a non-compliant product, its first priority is to contain the risk. The two main tools for this are product withdrawals and recalls, and it’s vital you understand the difference.</p>



<ul class="wp-block-list">
<li><strong>Product Withdrawal:</strong> This is the first line of defence. An MSA can order you to <strong>stop the product from being made further available</strong> on the market. This action hits the supply chain, forcing distributors and retailers to pull your product from their physical and online shelves. For example, if a new model of a smart fridge is found to have a security flaw, the MSA can order all electronics stores and online retailers in the EU to immediately stop selling it.</li>



<li><strong>Product Recall:</strong> This is a much more drastic step, reserved for products that pose a significant cybersecurity risk and are already in the hands of end-users. A recall requires you to <strong>retrieve the product from customers</strong>—a far more complicated and expensive undertaking. For example, if a popular fitness tracker is found to have a vulnerability that leaks personal health data, the MSA could order the manufacturer to contact all registered users and arrange for the product to be returned for a fix or replacement.</li>
</ul>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Picture this: your company makes a popular IoT security camera. An MSA discovers a critical vulnerability that allows unauthorised remote access. They would first order a <strong>withdrawal</strong> to halt all new sales. If the vulnerability can&#8217;t be patched remotely and poses a severe risk, they would escalate to a <strong>recall</strong>, forcing you to contact every customer and arrange for their cameras to be returned.</p>
</blockquote>



<p>Beyond these measures, MSAs can also mandate specific corrective actions. They could force you to issue a critical security patch by a strict deadline or require you to publish public disclosures about the vulnerability to ensure all users are aware of the risks.</p>



<h3 class="wp-block-heading">The Staggering Financial Penalties</h3>



<p>The CRA doesn&#8217;t just rely on corrective actions; it backs them up with some of the most significant financial penalties seen in product regulation, echoing the structure of the GDPR. The fines are deliberately designed to make non-compliance a far more expensive gamble than investing in security from the outset.</p>



<p>The regulation uses a tiered system for fines, based on the severity of the infringement. These penalties are calculated as either a maximum fixed sum or a percentage of your company&#8217;s total worldwide annual turnover from the preceding financial year—whichever is higher.</p>



<p>This approach gives MSAs the flexibility to penalise organisations proportionally. For a detailed breakdown of the violations that can trigger these sanctions, our guide on <strong><a href="https://goregulus.com/cra-compliance/cra-penalties-enforcement/">CRA penalties and enforcement actions</a></strong> offers more clarity.</p>



<h4 class="wp-block-heading">CRA Enforcement Actions and Penalties at a Glance</h4>



<p>The table below outlines the potential enforcement actions and the staggering financial penalties that an MSA can impose for non-compliance with the Cyber Resilience Act.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Violation Type</th><th>Potential Corrective Action</th><th>Maximum Penalty (Whichever Is Higher)</th></tr><tr><td>Violating essential cybersecurity requirements or core reporting obligations</td><td>Product recall, withdrawal, or sales ban</td><td><strong>€15 million or 2.5% of global turnover</strong></td></tr><tr><td>Failing to meet other CRA obligations (e.g., documentation, vulnerability handling)</td><td>Corrective action orders, public warnings</td><td><strong>€10 million or 2% of global turnover</strong></td></tr><tr><td>Providing incorrect, incomplete, or misleading information</td><td>Information request orders, administrative fines</td><td><strong>€5 million or 1% of global turnover</strong></td></tr></tbody></table></figure>


<p>As the table shows, the penalties are structured to ensure that failing to invest in cybersecurity is simply not a viable business strategy. A practical example for the highest tier could be a software vendor that fails to patch a known, actively exploited vulnerability in their enterprise software, leading to a major data breach for their customers. The MSA could impose a fine of up to 2.5% of their global turnover for this severe negligence.</p>
<p>These are not just theoretical numbers. The powers of market surveillance authorities are already being put to use. As you can see from <a href="https://cms.law/en/che/legal-updates/there-are-around-2-000-ai-market-surveillance-authorities-in-the-eu">recent legal analyses of EU authority actions</a>, this case highlights the very real financial stakes of getting CRA compliance wrong.</p>
<h2>Navigating Cross-Border Enforcement in the EU</h2>
<p>If you sell a non-compliant digital product in one EU country, you’ve just created a cybersecurity risk for all 27 member states. The EU’s single market is only as strong as its weakest link, which is precisely why the Cyber Resilience Act (CRA) builds powerful tools for cross-border cooperation and uniform enforcement.</p>
<p>This framework is designed to dismantle national silos and stop non-compliant manufacturers from hopping between countries to find a safe haven. For any business with a pan-European strategy, understanding these cooperative <strong>CRA market surveillance authorities powers</strong> is essential. It proves that compliance must be solid across the entire EU, not just in one or two key markets.</p>
<h3>The Principle of Mutual Assistance</h3>
<p>At the heart of the CRA&#039;s cross-border muscle is the principle of <strong>mutual assistance</strong>. This is a legal mechanism that allows a Market Surveillance Authority (MSA) in one country to formally request that an MSA in another country take action. It ensures enforcement can follow a non-compliant product, no matter where the manufacturer is based or where the product was first sold.</p>
<p>Think of it as a law enforcement pact for product security. If a product poses a risk anywhere in the EU, authorities can work together to pull it from the market <em>everywhere</em>.</p>
<blockquote>
<p>An MSA can ask its counterpart to run inspections, demand your technical documentation, or even impose corrective measures like a product withdrawal on its behalf. This closes the loophole where a manufacturer might ignore an order from an authority in a country where it has no office or staff.</p>
</blockquote>
<p>For example, imagine a software company in Ireland sells a new project management tool across the EU. If Germany’s MSA (the BSI) finds a critical vulnerability, its power doesn&#039;t stop at the German border. It can formally ask Ireland&#039;s MSA to investigate the company directly and, if needed, enforce a sales ban that applies across the entire market.</p>
<h3>Intelligence Sharing and Coordinated Actions</h3>
<p>For mutual assistance to work in practice, MSAs need to share intelligence. The CRA leans on established information-sharing networks to make sure an alert raised in one country is immediately visible to all others, triggering swift, coordinated responses.</p>
<p>The key platforms and groups making this happen include:</p>
<ul>
<li><strong>EU Safety Gate (formerly RAPEX):</strong> A rapid alert system for dangerous non-food products. An alert about a non-compliant smart thermostat or a vulnerable software component gets circulated to all national authorities almost instantly. A practical example: if the Dutch MSA finds that a popular brand of connected light bulbs can be easily hijacked to join a botnet, they would issue a Safety Gate alert, and within hours, authorities in Poland, Italy, and Sweden could begin their own investigations or order retailers to stop sales.</li>
<li><strong>ADCO Groups (Administrative Cooperation Groups):</strong> These are expert groups where MSAs coordinate their market surveillance work for specific laws, including the CRA. They plan joint inspection projects and work to apply the rules consistently. For instance, the CRA ADCO might organize a &quot;joint action&quot; where multiple MSAs simultaneously test the security of mobile banking apps offered in their respective countries.</li>
</ul>
<p>The data proves how cross-border cooperation multiplies the reach of <strong>CRA market surveillance authorities powers</strong>. For a closer look at the legal text, you can explore the <a href="https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Article_41_15.9.2022.html">European Cyber Resilience Act&#039;s legal text</a>.</p>
<p>This integrated enforcement model sends a clear message: geography offers no protection from scrutiny. A flaw found by one authority quickly becomes a problem for you across the entire European Union.</p>
<h2>Preparing Your Defence Against Enforcement</h2>
<p>Knowing about MSA powers is one thing, but actively preparing for scrutiny is how you protect your business and maintain market access. A strong defensive posture isn&#039;t about scrambling to react when an inspector calls; it&#039;s about making readiness a part of your daily operations.</p>
<p>The best approach turns these complex regulatory duties into a manageable, repeatable plan. A solid defence is a continuous cycle built on three core activities: <strong>comprehensive documentation</strong>, <strong>vigilant monitoring</strong>, and a <strong>rapid response capability</strong>. Think of it as having your evidence organised and your team ready to act long before you&#039;re ever questioned.</p>
<p>This process flow shows how these core activities fit together in a strong CRA defensive strategy.</p>
<p><figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-market-surveillance-authorities-powers-process-flow.jpg" alt="A CRA Defense Process Flow diagram illustrating three steps: Documentation, Monitoring, and Response." /></figure>
</p>
<p>As the visual shows, this isn&#039;t a one-off project. It&#039;s a cycle that ensures you&#039;re always prepared for an inspection from market surveillance authorities.</p>
<h3>Step 1: Establish Watertight Technical Documentation</h3>
<p>Your technical documentation, as required by Annex VII of the CRA, is the absolute cornerstone of your defence. It&#039;s the first thing an MSA will demand to verify your product’s compliance. If that file is incomplete, disorganised, or out of date, your defence can crumble before it even begins.</p>
<p>A robust technical file isn&#039;t just a document dump. It must clearly contain:</p>
<ul>
<li><strong>A Detailed Product Description:</strong> This should cover the product’s intended purpose, its complete architecture, and all software and firmware versions.</li>
<li><strong>The Cybersecurity Risk Assessment:</strong> This is your proof that you have methodically identified, evaluated, and mitigated potential security risks.</li>
<li><strong>A Complete Software Bill of Materials (SBOM):</strong> A full inventory of every single software component, from your own code to open-source libraries and third-party dependencies.</li>
<li><strong>Vulnerability Handling Processes:</strong> Clear, documented procedures that explain exactly how you discover, assess, and fix vulnerabilities after the product is on the market.</li>
</ul>
<p>Using a dedicated compliance platform can make this far more manageable. For instance, a platform can help you generate a tailored requirements matrix and provide ready-to-use templates for Annex VII. This helps you systematically structure all the necessary evidence into an audit-ready <strong><a href="https://goregulus.com/uncategorized/cra-compliance-evidence-pack/">CRA compliance evidence pack</a></strong> that you can present to an MSA on demand.</p>
<h3>Step 2: Implement a Robust Post-Market Surveillance Process</h3>
<p>Your duties don&#039;t stop once a product ships. The CRA mandates a continuous post-market surveillance process to monitor for new and emerging vulnerabilities. A weak or non-existent surveillance process is a huge red flag for MSAs, signalling that you aren&#039;t taking your ongoing security obligations seriously.</p>
<p>A practical workflow here should include:</p>
<ol>
<li><strong>Systematic Monitoring:</strong> Actively and continuously scan vulnerability databases (like the NVD), security feeds, and other intelligence sources for threats that could affect your product’s components. For example, if your product uses the OpenSSL library, your process should include daily checks for any new vulnerabilities reported for that library.</li>
<li><strong>Triage and Assessment:</strong> When a potential vulnerability is identified, you need a process to promptly assess its severity (e.g., using CVSS scores) and actual impact on your product.</li>
<li><strong>Clear Reporting Channels:</strong> Define an internal process for escalating significant vulnerabilities to the right teams for immediate remediation.</li>
<li><strong>Coordinated Disclosure:</strong> Establish a clear workflow for handling the mandatory <strong>24-hour</strong> reporting of actively exploited vulnerabilities to ENISA and the relevant national CSIRT.</li>
</ol>
<h3>Step 3: Define Your Response and Disclosure Workflow</h3>
<p>When an MSA launches an investigation or a critical vulnerability is discovered, a chaotic, ad-hoc response can be just as damaging as the issue itself. A predefined workflow ensures you can respond with confidence and control, not panic.</p>
<p>This means assembling a dedicated response team well in advance, with representatives from legal, engineering, and compliance. Everyone should know their role. A practical example of a role would be the &#039;Legal Liaison&#039;, who is the sole point of contact for communicating with the MSA to avoid conflicting statements from different parts of the company.</p>
<p>It can also be useful to understand the legal mechanics for challenging an MSA&#039;s claims early in the process. For example, knowing the principles behind <strong><a href="https://www.termcraft.ai/blog/motion-to-dismiss-format/">mastering the motion to dismiss</a></strong> can provide a solid framework for contesting unfounded allegations from a legal standpoint.</p>
<p>By turning these three defensive pillars into routine business operations, you transform CRA compliance from a daunting regulatory burden into a structured, manageable process that safeguards your access to the entire EU market.</p>
<p>Use this checklist to assess your organisation&#039;s readiness for an MSA inspection and overall CRA compliance. It&#039;s a simple way to see where you stand and what gaps need closing.</p>
<h3>Your CRA Compliance Readiness Checklist</h3>


<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><th>Compliance Area</th><th>Key Action Item</th><th>Status (Not Started / In Progress / Complete)</th></tr><tr><td><strong>Technical Documentation</strong></td><td>Is your Annex VII technical file complete, up-to-date, and audit-ready?</td><td></td></tr><tr><td><strong>Risk Assessment</strong></td><td>Have you conducted and documented a thorough cybersecurity risk assessment?</td><td></td></tr><tr><td><strong>SBOM</strong></td><td>Do you maintain a complete and accurate SBOM for every product version?</td><td></td></tr><tr><td><strong>Post-Market Surveillance</strong></td><td>Do you have a documented process for monitoring new vulnerabilities?</td><td></td></tr><tr><td><strong>Vulnerability Handling</strong></td><td>Is there a clear internal process for triaging and remediating vulnerabilities?</td><td></td></tr><tr><td><strong>24-Hour Reporting</strong></td><td>Is your team prepared to report actively exploited vulnerabilities to ENISA within 24 hours?</td><td></td></tr><tr><td><strong>Response Team</strong></td><td>Have you formally designated a response team with clear roles (legal, tech, compliance)?</td><td></td></tr><tr><td><strong>Disclosure Workflow</strong></td><td>Is your process for disclosing vulnerabilities to customers and authorities defined and tested?</td><td></td></tr></tbody></table></figure>


<p>Once you have this foundation in place, you&#039;re not just compliant—you&#039;re resilient. You&#039;ve built a system that not only meets regulatory demands but also makes your products fundamentally more secure.</p>
<h2>How to Respond to an MSA Information Request</h2>
<p>Receiving an official notice from a Market Surveillance Authority (MSA) can be unsettling, but your response sets the tone for the entire interaction. An information request isn’t an accusation; it’s a standard procedure under the <strong>CRA market surveillance authorities powers</strong> to verify compliance. A calm, organised and professional reply can make all the difference.</p>
<p>Think of it as an open-book exam where you’ve already done the homework. With your documentation in order and a clear plan, you can navigate the process confidently, demonstrating cooperation while protecting your organisation’s interests.</p>
<h3>Your Step-by-Step Response Playbook</h3>
<p>When an information request lands, the last thing you want is a panicked scramble. Instead, follow a structured process to ensure your response is timely, accurate and complete. A methodical approach shows the MSA that you are organised and take your compliance duties seriously.</p>
<ol>
<li>
<p><strong>Assemble Your Response Team:</strong> Immediately bring together your designated point people. This team should include representatives from <strong>legal, engineering (product security), and compliance</strong>. Each person has a critical role—legal to review the request’s scope, engineering to gather the technical data, and compliance to oversee the entire submission.</p>
</li>
<li>
<p><strong>Verify the Request&#039;s Legitimacy:</strong> Before you do anything else, confirm the request is from a genuine MSA and falls within its legal mandate. For example, check that the email comes from an official government domain (like <code>@bsi.bund.de</code> for Germany&#039;s BSI) and cross-reference the contact person on the MSA&#039;s official website. This crucial first step stops you from accidentally sharing sensitive information with unauthorised parties.</p>
</li>
<li>
<p><strong>Analyse and Clarify the Scope:</strong> Read the request carefully with your team. Pinpoint exactly which documents, data, and time periods are required. If any part of the request is ambiguous, it is perfectly acceptable—and often wise—to contact the MSA for clarification. A practical example: if the request asks for &quot;all security test reports&quot; but your product is five years old, you could ask, &quot;Can you clarify if you require reports for all historical versions or just for versions released in the last 24 months?&quot; A precise understanding prevents you from providing either too little or too much information.</p>
</li>
<li>
<p><strong>Gather the Required Documents:</strong> This is where your proactive documentation efforts pay off. Pull the specific evidence from your technical file, such as the Software Bill of Materials (SBOM), risk assessments, vulnerability handling records and test reports. Ensure every piece of evidence directly addresses the MSA&#039;s query.</p>
</li>
</ol>
<blockquote>
<p>A well-organised company can pull a complete evidence pack in hours. A disorganised one might spend weeks searching through disconnected files and emails. That difference in response time and quality sends a powerful message to the authority about your company’s maturity.</p>
</blockquote>
<h3>A Tale of Two Responses</h3>
<p>Consider two companies that both make smart lighting systems. Company A receives an MSA request and, using its compliance platform, generates a complete, audit-ready report with all requested documentation in under two days. Their response is prompt, professional and precise.</p>
<p>Company B, however, relies on spreadsheets and shared drives. The request triggers a frantic search for documents. Their final submission is late, incomplete and contains outdated information, immediately raising red flags for the MSA and inviting deeper scrutiny. For more details on what authorities expect, you can learn about the specific <strong><a href="https://goregulus.com/uncategorized/cra-reporting-obligations-article-14/">CRA reporting obligations under Article 14</a></strong>.</p>
<h2>Answering Your Top Questions About CRA Enforcement</h2>
<p>When it comes to the Cyber Resilience Act, the enforcement powers of national regulators are a major point of concern for many manufacturers. Let&#039;s tackle some of the most common questions we hear about what <strong>CRA market surveillance authorities</strong> can actually do.</p>
<h3>Can an MSA Really Demand Access to Our Source Code?</h3>
<p>Yes, they can. However, this is a power of last resort, not a routine check.</p>
<p><strong>Article 41</strong> of the CRA gives a Market Surveillance Authority (MSA) the right to request your source code, but only when it is considered <strong>strictly necessary</strong> to confirm whether a product is compliant. This is typically reserved for high-risk products where a critical vulnerability is suspected and reviewing the technical documentation isn&#039;t enough to get a clear picture.</p>
<p>Imagine a widely-used industrial controller is found to have a flaw that could take down critical infrastructure. If standard inspection methods fail to clarify the risk, an MSA might then demand to see the source code. This underscores how vital it is to maintain well-organised and documented codebases, just in case.</p>
<h3>What If We Disagree with a Recall Decision?</h3>
<p>You have the right to challenge it. Before an MSA can force a restrictive measure like a product recall, you are entitled to be heard and to present your own evidence to make your case.</p>
<p>If the authority still moves forward with the decision, both the CRA and national laws give you a path to challenge it in court. Be warned, though: this route is almost always expensive and time-consuming.</p>
<p>A <strong>practical example</strong> might be a smart home hub manufacturer that receives a recall order. They could challenge it by providing independent test reports showing that the vulnerability in question has already been patched via an over-the-air update for 99.8% of active devices, arguing that a full recall is disproportionate to the residual risk. The takeaway is clear: proactive compliance and rock-solid documentation are your best, and most cost-effective, lines of defence.</p>
<h3>Do These Powers Only Apply to Hardware?</h3>
<p>No. The CRA’s scope is extremely broad and covers all &quot;products with digital elements.&quot; This is a crucial point to understand. It includes:</p>
<ul>
<li><strong>Hardware</strong> with embedded software, like IoT devices and smart appliances. (e.g., a connected coffee machine)</li>
<li><strong>Standalone software</strong>, including mobile apps, desktop programs, and operating systems. (e.g., a photo editing software or a password manager)</li>
<li><strong>Firmware</strong> that controls how a piece of hardware operates. (e.g., the software running on a network router)</li>
</ul>
<p>Whether you develop software, manufacture devices, or import them, if your product has a digital component and you sell it in the EU, you are subject to these enforcement powers.</p>
<h3>Are Importers Held to the Same Standard?</h3>
<p>While the manufacturer holds primary responsibility for a product’s conformity, importers and distributors have their own distinct and critical obligations. They are required to verify that the manufacturer has done their job, make sure the product carries the CE marking, and cooperate fully with MSAs during any investigation.</p>
<blockquote>
<p>An MSA can take action against any economic operator in the supply chain. If an importer brings a non-compliant product into the EU market, they can be held directly accountable and face fines or orders to withdraw the product. For instance, if a European importer distributes a non-compliant drone from a non-EU manufacturer, the MSA can fine the importer and order them to manage the product withdrawal from all retailers, even though they didn&#039;t create the product.</p>
</blockquote>
<hr>
<p>Navigating CRA compliance can be complex, but <strong>Regulus</strong> provides the clarity and tools you need. Our platform helps you assess applicability, generate tailored requirement matrices, and build audit-ready technical documentation to confidently meet your obligations. <a href="https://goregulus.com">Prepare for the CRA with Regulus</a>.</p><p>La entrada <a href="https://goregulus.com/cra-basics/cra-market-surveillance-authorities-powers/">CRA Market Surveillance Authorities Powers: A Practical Guide</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>A Practical Guide to CRA CSIRT Reporting Requirements</title>
		<link>https://goregulus.com/cra-basics/cra-csirt-reporting-requirements/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 11 May 2026 14:09:04 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA CSIRT reporting requirements]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[ENISA Reporting]]></category>
		<category><![CDATA[EU Cybersecurity]]></category>
		<category><![CDATA[Vulnerability Disclosure]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2177</guid>

					<description><![CDATA[<p>Under the Cyber Resilience Act, manufacturers face a strict new obligation: if you become aware of a severe security incident or an actively exploited vulnerability in your products, you must notify your designated national Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA) within 24 hours. This initial &#8220;early warning&#8221; is [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-csirt-reporting-requirements/">A Practical Guide to CRA CSIRT Reporting Requirements</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Under the Cyber Resilience Act, manufacturers face a strict new obligation: if you become aware of a severe security incident or an actively exploited vulnerability in your products, you must notify your designated national Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA) within <strong>24 hours</strong>.</p>



<p>This initial &#8220;early warning&#8221; is a cornerstone of the CRA. It’s designed to kickstart a rapid, coordinated response to cyber threats as they emerge across the European Union. For example, if your company discovers that a flaw in your smart security cameras is being used by attackers to view live feeds, the CRA mandates you alert authorities within a day, not after you&#8217;ve developed a fix.</p>



<h2 class="wp-block-heading">Why CRA CSIRT Reporting Is Now Mission Critical</h2>



<p>The EU&#8217;s Cyber Resilience Act (CRA) isn&#8217;t just another set of guidelines; it fundamentally rewires the cybersecurity obligations for any organisation selling products with digital elements in the EU market. It marks a major shift away from voluntary best efforts and toward a legally binding framework.</p>



<p>Prompt, transparent communication is no longer just good practice—it&#8217;s the law. The CRA’s CSIRT reporting requirements are the operational heart of this new regulation, turning a technical task into a critical business function.</p>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-csirt-reporting-requirements-reporting-network.jpg" alt="European map illustrating cybersecurity reporting pathways between manufacturers, CSIRTs, ENISA, and devices."/></figure>



<p>Think of it as a coordinated emergency response network for digital products. When a serious vulnerability is discovered and exploited, it triggers a mandatory chain of notifications that pulls everyone—the manufacturer, national authorities, and ENISA—into alignment. For instance, if a German manufacturer of industrial controllers finds an exploited vulnerability, their report to Germany&#8217;s BSI (the national CSIRT) is quickly shared with other EU countries via ENISA, protecting critical infrastructure across the continent.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>Under the CRA, silence is no longer an option. Failing to report a known exploited vulnerability is a direct violation that can result in significant penalties and market exclusion. This makes CSIRT reporting a mission-critical function for maintaining EU market access.</p>
</blockquote>



<h3 class="wp-block-heading">The Key Players in CRA Reporting</h3>



<p>To stay compliant, you first need to understand who you&#8217;re reporting to. Your process will primarily involve two key bodies:</p>



<ul class="wp-block-list">
<li><strong>National CSIRTs:</strong> Each EU member state designates a CSIRT to act as the primary contact point for manufacturers within its jurisdiction. When you discover a reportable incident, this is your first port of call. For a company headquartered in Spain, this role is handled by INCIBE. For a business in Ireland, it&#8217;s the NCSC-IE.</li>



<li><strong>ENISA (The EU Agency for Cybersecurity):</strong> ENISA acts as the central coordinator for the entire system. Once you’ve notified your national CSIRT, that information is channelled to ENISA, which then ensures all other relevant member states are alerted. This hub-and-spoke model saves you from the nightmare of reporting to 27 different countries individually.</li>
</ul>



<p>Grasping why these obligations are so critical comes down to understanding the principles of <a href="https://www.logicalcommander.com/post/regulatory-compliance-risk-management">regulatory compliance risk management</a>. The CRA effectively elevates product vulnerabilities from purely technical issues to major business risks with serious legal and financial consequences.</p>



<h3 class="wp-block-heading">Core Reporting Triggers and Initial Deadlines</h3>



<p>The CRA sets out clear triggers that activate your duty to report. The table below gives a high-level summary of the primary events that mandate a report and the extremely tight initial notification window.</p>



<h3 class="wp-block-heading">CRA Reporting Triggers and Initial Deadlines</h3>



<p>This table summarises the primary events that mandate a report to a CSIRT under the Cyber Resilience Act and the first notification window.</p>



<figure class="wp-block-table"><table><tr>
<th align="left">Reportable Event</th>
<th align="left">Initial Notification Deadline</th>
<th align="left">Primary Recipient</th>
<th align="left">Example</th>
</tr>
<tr>
<td align="left">An actively exploited vulnerability.</td>
<td align="left"><strong>Within 24 hours</strong></td>
<td align="left">National CSIRT/ENISA</td>
<td align="left">Your team finds malware in the wild that uses a flaw in your VPN software.</td>
</tr>
<tr>
<td align="left">A severe incident impacting product security.</td>
<td align="left"><strong>Within 24 hours</strong></td>
<td align="left">National CSIRT/ENISA</td>
<td align="left">A DDoS attack on your update servers prevents users from patching a known flaw.</td>
</tr>
<tr>
<td align="left">A vulnerability found in a third-party component.</td>
<td align="left">Without undue delay</td>
<td align="left">The component&#039;s maker</td>
<td align="left">You discover a flaw in an open-source library used in your product; you must inform the library&#039;s maintainers promptly.</td>
</tr>
</table></figure>


<p>As you can see, the timelines demand well-rehearsed internal processes. There’s simply no time to figure it out once an incident happens. You can read more about the current state of play regarding these regulations.</p>
<h2>Who Reports and What Triggers a Report</h2>
<p>The Cyber Resilience Act casts a wide net, fundamentally changing how security responsibilities are managed. For any technology company, the first two questions are always the most urgent: ‘Does this apply to my products?’ and ‘Which specific events force us to act immediately?’ Nailing down the answers is the foundation for building a compliant reporting process.</p>
<p>The answer to that first question is refreshingly direct. The reporting obligation falls squarely on the <strong>manufacturer</strong> of any ‘product with digital elements’ placed on the European Union market. This is a deliberately broad definition, designed to cover today&#039;s massive ecosystem of connected technology.</p>
<p>That means everything from consumer gadgets like smart speakers and connected thermostats to complex industrial control systems and enterprise software suites. If you create a product with software or firmware that can connect to a network and you sell it in the EU, the CRA’s reporting duties apply to you. For example, a French company that manufactures smart lighting systems sold across Europe is considered a manufacturer and must comply.</p>
<h3>Identifying Your Reporting Triggers</h3>
<p>Not every bug or glitch demands a 24-hour alert to European authorities. The CRA makes a crucial distinction between minor issues and significant threats that require a coordinated response. Your primary triggers for a CSIRT report are:</p>
<ul>
<li><strong>An actively exploited vulnerability:</strong> This is a security flaw in your product that attackers are already aware of and are actively using to compromise systems.</li>
<li><strong>A severe incident:</strong> This refers to a security event that has a significant impact on your product or its users, even if the root cause isn&#039;t a specific vulnerability in your code. A practical example could be a misconfigured cloud storage bucket exposing sensitive user data from your connected product.</li>
</ul>
<p>Think of it as the difference between a leaky tap and a burst water main. A minor UI bug is a leaky tap—you fix it in the next update. But a vulnerability letting attackers remotely seize control of thousands of smart locks? That&#039;s a burst water main demanding an immediate, all-hands-on-deck emergency response. This is precisely what triggers the CRA CSIRT reporting requirements.</p>
<blockquote>
<p>According to the CRA, an ‘actively exploited vulnerability’ means a vulnerability for which there is reliable evidence that an attacker has leveraged it to compromise a system or network. This official definition grounds your response in observable reality, not theoretical risk.</p>
</blockquote>
<h3>Practical Examples of Reporting Triggers</h3>
<p>Learning to distinguish between a routine bug and a reportable incident is a critical skill your team must develop. Let’s walk through some practical examples to make the distinction crystal clear.</p>
<p><strong>Scenario A: The Non-Trigger</strong></p>
<p>A user reports that a specific menu in your photo-editing software occasionally freezes, requiring a restart.</p>
<ul>
<li><strong>Analysis:</strong> This is a performance or usability bug. It doesn&#039;t compromise security in any meaningful way (confidentiality, integrity, or availability). This would be handled through your normal patching cycle, not a CSIRT report.</li>
</ul>
<p><strong>Scenario B: The Clear Trigger</strong></p>
<p>Your security team discovers a flaw in your smart camera’s firmware that allows an unauthenticated attacker to access the live video feed. Online forums show proof-of-concept code and chatter from threat actors discussing how to use it.</p>
<ul>
<li><strong>Analysis:</strong> This is a textbook example of an <strong>actively exploited vulnerability</strong>. It has a severe impact on user privacy and confidentiality. This mandates an immediate 24-hour notification to your CSIRT and ENISA.</li>
</ul>
<p>Understanding this distinction is vital. As an ES-based IoT vendor, for example, you must grasp the CRA&#039;s CSIRT stats: from <strong>2026</strong>, you will report exploited vulnerabilities and <strong>severe incidents</strong> affecting <strong>products with digital elements</strong>, such as firmware flaws causing impacts for over <strong>1,000 users</strong>. This represents a historical shift; pre-CRA, vulnerability disclosure in Spain had an average seven-day lag, but this will now be under 72 hours, a change which ENISA simulations project could cut exploit rates by <strong>45%</strong>. This is crucial, given that a 2025 INCIBE report noted <strong>85% of ES attacks</strong> hit unpatched IoT devices. You can <a href="https://www.incibe.es/en/press/news/what-do-we-know-about-cyber-resilience-act">read more about the current state of play regarding these regulations</a> to better prepare your teams.</p>
<p>Under the Cyber Resilience Act, time isn&#039;t just a factor—it&#039;s the single most critical element of compliance. The regulation introduces a fast-paced, multi-stage reporting lifecycle that forces organisations to act with incredible speed and precision the moment a serious issue comes to light.</p>
<p>This isn&#039;t your typical technical clean-up. Incident response under the CRA is a highly structured communication protocol with European authorities. You have to master three key reporting milestones: the <strong>24-hour &#039;early warning&#039;</strong>, the <strong>72-hour &#039;main notification&#039;</strong>, and the subsequent <strong>final reports</strong>. Getting this rhythm right is fundamental to meeting your CRA CSIRT reporting requirements.</p>
<p>The flow chart below maps out the basic process, from a manufacturer&#039;s discovery to the mandatory reporting action.</p>
<p><figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-csirt-reporting-requirements-process-flow.jpg" alt="A process flow diagram illustrating CRA triggers from manufacturer to trigger event and final report." /></figure>
</p>
<p>This simple diagram highlights a core principle of the CRA: awareness of a trigger event immediately starts the clock, and that clock leads directly to a mandatory report.</p>
<h3>The 24-Hour Early Warning</h3>
<p>The second you become aware of either an <strong>actively exploited vulnerability</strong> or a <strong>severe security incident</strong>, the clock starts ticking. You have just <strong>24 hours</strong> to submit an &quot;early warning&quot; to both your designated national CSIRT and to ENISA.</p>
<p>This initial report isn&#039;t meant to be a full forensic analysis. Think of it as an emergency flare. Its primary job is to give authorities a high-level, immediate heads-up so they can start coordinating a potential EU-wide response, even before you have all the answers.</p>
<p>Let&#039;s say you manufacture smart thermostats. Your security team finds forum posts with proof-of-concept code that lets attackers remotely control home heating systems, and your own telemetry confirms it&#039;s being actively used in the wild. You must send an early warning within <strong>24 hours</strong> of that discovery.</p>
<p>Your initial alert just needs the basics:</p>
<ul>
<li>Your company’s name and contact details.</li>
<li>The affected product name and version (e.g., &quot;SmartComfort Thermostat Model X, firmware v2.1&quot;).</li>
<li>A brief, high-level description of the vulnerability or incident.</li>
<li>Any immediate mitigation advice you can give to users.</li>
</ul>
<h3>The 72-Hour Main Notification</h3>
<p>After sending the early warning, your team needs to dig deeper. Within <strong>72 hours</strong> of that initial awareness, you have to follow up with a &quot;main notification&quot; that adds crucial technical context to your first report.</p>
<p>This is where you provide the substance. It requires a much more thorough assessment of the vulnerability&#039;s nature, severity, and potential impact.</p>
<p>Going back to our smart thermostat example, the 72-hour report would need to add some serious specifics:</p>
<ul>
<li>A <strong>technical description</strong> of the vulnerability, including its type (e.g., &quot;unauthenticated remote code execution&quot;).</li>
<li>The <strong>estimated severity</strong>, which often means including a CVSS (Common Vulnerability Scoring System) score. A flaw like this would almost certainly be rated &#039;Critical&#039;.</li>
<li>Details on the <strong>potential impact</strong>, like the ability for attackers to crank up heating to dangerous levels or shut it down completely in the dead of winter.</li>
</ul>
<h3>Final Reports and Resolution</h3>
<p>The CRA reporting clock doesn&#039;t stop at 72 hours. The final stage is all about providing closure and detailing the long-term fix, though the deadlines here are conditional.</p>
<p>Imagine your team detects an actively exploited vulnerability in one of your connected IoT devices. Within <strong>24 hours</strong> of becoming aware, you notify the designated <strong>CSIRT</strong> and <strong>ENISA</strong>. By the <strong>72-hour</strong> mark, you submit the more detailed &#039;main&#039; notification. Because the vulnerability was actively exploited, you must then follow up with a final report within <strong>14 days</strong> of making a patch or mitigation available. For severe incidents, the final wrap-up is due <strong>one month</strong> after the 72-hour report.</p>
<p>A complete final report proves the threat has been properly handled. It should cover the root cause, the mitigation steps you took, and clear instructions for users to apply the patch. To get a better handle on the full timeline, check out our guide on <a href="https://goregulus.com/cra-compliance/cra-deadlines-2025-2027/">important CRA deadlines between 2025 and 2027</a>.</p>
<h2>How to Report: Process and Data Requirements</h2>
<p>Knowing you have to report an incident is one thing; understanding the exact process, formats, and deadlines is a completely different challenge. The Cyber Resilience Act doesn&#039;t just deal in high-level principles—it specifies the practical mechanics of how and what you need to communicate during a security event.</p>
<p>The whole system is designed for efficiency. Instead of a chaotic scramble to notify multiple national authorities, the CRA establishes a single point of contact for all incident and vulnerability reporting.</p>
<p>At the core of this system is <strong>ENISA&#039;s single reporting platform</strong>. This will be the one and only place you submit your notifications. You won’t have to waste time figuring out which national CSIRT needs what information. Your job is to get one clear, comprehensive report into the system, which then handles the coordination.</p>
<h3>The Coordinated Reporting Mechanism</h3>
<p>The CRA&#039;s process is built on a simple but powerful idea: <strong>report once, inform many</strong>. This completely removes the administrative nightmare of individually notifying every single EU member state that might be affected by an incident.</p>
<p>In practice, the reporting cascade works like this:</p>
<ol>
<li>You submit your full report through the <strong>ENISA single reporting platform</strong>. For example, your incident response lead logs into the secure portal and fills out the web-based form.</li>
<li>The platform automatically directs your submission to the designated national CSIRT coordinator for your organisation.</li>
<li>Your national CSIRT then reviews the report and disseminates it to other relevant national CSIRTs and EU bodies through the same platform.</li>
</ol>
<p>This coordinated model ensures every necessary authority gets the alert without burying your team in bureaucracy during a crisis. It frees you up to focus on what really matters: investigating the incident and shipping a fix.</p>
<h3>Required Data for Your Notifications</h3>
<p>An effective report is all about providing the right information from the start. Vague or incomplete submissions just create more work, leading to follow-up questions and delays when time is critical. To be prepared, you need to know exactly which data fields are mandatory for both your 24-hour and 72-hour notifications.</p>
<p>Let&#039;s walk through a scenario. It&#039;s 2027, and your company&#039;s embedded software, shipped across the EU, has a severe incident affecting over <strong>10,000 users</strong> in Spain and Portugal. The CRA mandates a very specific escalation path. You must notify your national <strong>CSIRT coordinator</strong> and <strong>ENISA</strong> via the single platform. Your <strong>24-hour early warning</strong> alerts them to the breach, but it&#039;s the <strong>72-hour main report</strong> that must detail the impact on confidentiality, integrity, or availability.</p>
<p>For a company based in Spain, the national CSIRT coordinator is <strong>INCIBE</strong>. They would handle the initial intake and use the ENISA platform to share the cross-border details with their counterparts in Portugal. This coordination is critical, especially since statistics show that <strong>65% of IoT attacks</strong> often span multiple borders. <a href="https://www.onekey.com/resource/understanding-the-eu-cyber-resilience-act-and-achieve-product-cybersecurity-compliance">Learn more about the EU&#039;s approach to product cybersecurity compliance</a>.</p>
<p>Your main (72-hour) notification must be structured and packed with detail. The table below gives you a sample template you can use as a tangible starting point for building your internal reporting processes.</p>
<h3>Sample CRA CSIRT Notification Template</h3>
<p>This table shows an example structure for the main (72-hour) notification, outlining the key data fields manufacturers must provide.</p>


<figure class="wp-block-table"><table><tr>
<th align="left">Data Field</th>
<th align="left">Description</th>
<th align="left">Example Entry</th>
</tr>
<tr>
<td align="left"><strong>Product Identification</strong></td>
<td align="left">The specific product name, model, and software/firmware version affected.</td>
<td align="left">SmartHome Hub G3, Firmware v4.2.1</td>
</tr>
<tr>
<td align="left"><strong>Vulnerability Details</strong></td>
<td align="left">Technical information about the flaw, including its CWE type and CVSS v3.1 score.</td>
<td align="left">CWE-798: Use of Hard-coded Credentials, CVSS: 9.8 (Critical)</td>
</tr>
<tr>
<td align="left"><strong>Incident Description</strong></td>
<td align="left">A clear summary of the incident, how it was discovered, and its current status.</td>
<td align="left">A hard-coded admin password was discovered, allowing unauthenticated remote access. Actively exploited.</td>
</tr>
<tr>
<td align="left"><strong>Affected Member States</strong></td>
<td align="left">List of EU countries where affected users or systems are known to be located.</td>
<td align="left">Germany, France, Spain, Italy</td>
</tr>
<tr>
<td align="left"><strong>Impact Assessment</strong></td>
<td align="left">The effect on confidentiality, integrity, and availability (CIA).</td>
<td align="left">Compromises confidentiality (user data access) and integrity (system control).</td>
</tr>
<tr>
<td align="left"><strong>Mitigation Measures</strong></td>
<td align="left">Any immediate steps taken or recommended to reduce risk for users.</td>
<td align="left">Advised users to disconnect the device from the internet until a patch is deployed.</td>
</tr>
</table></figure>


<p>Having this data ready to go is non-negotiable. Building a complete <a href="https://goregulus.com/uncategorized/cra-compliance-evidence-pack/">CRA compliance evidence pack</a> in advance ensures your team can pull this information together quickly when the 72-hour clock is ticking.</p>
<h2>Your Practical Compliance Checklist for 2027</h2>
<p><figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-csirt-reporting-requirements-checklist.jpg" alt="A hand-drawn clipboard displays the &quot;2027 Checklist&quot; with most items checked, except for Templates and Monitoring." /></figure>
</p>
<p>Understanding the CRA&#039;s legal text is one thing; operational readiness is what actually guarantees compliance. When you&#039;re facing a <strong>24-hour</strong> deadline, you don&#039;t have time to figure things out during a live incident. This checklist breaks down the theory into a practical implementation plan.</p>
<h3>1. Establish Key Contacts and Teams</h3>
<p>First, build the human infrastructure for reporting. You need to know who to call externally and who’s responsible internally long before a crisis hits.</p>
<ul>
<li><strong>Identify Your Lead National CSIRT:</strong> Your main reporting contact is the designated CSIRT coordinator in the EU member state where your main establishment is located. If your company is headquartered in Spain, for example, this is INCIBE. Find your designated CSIRT now.</li>
<li><strong>Form a Dedicated Response Team:</strong> Create an internal incident response team with crystal-clear roles. For example, specify that the Head of Product Security is responsible for assessing severity, a technical writer drafts the report, and the CISO gives final approval before submission.</li>
</ul>
<h3>2. Develop and Pre-Approve Reporting Templates</h3>
<p>That <strong>24-hour</strong> clock starts ticking fast. You won&#039;t have time to write a report from scratch. Preparing templates in advance is one of the single most effective ways to guarantee both speed and accuracy.</p>
<p>Use the sample template from the previous section as a starting point. Create pre-filled documents for both the <strong>24-hour</strong> &quot;early warning&quot; and the <strong>72-hour</strong> &quot;main notification&quot;. Populate them with your company details, product lines, and contact information. Get these templates approved by legal and management now, so they are ready when you need them.</p>
<blockquote>
<p>A pre-approved template is more than a document; it&#039;s a pre-negotiated consensus. It eliminates internal debates over wording and content during a high-pressure event, allowing your team to focus solely on the technical facts of the incident.</p>
</blockquote>
<p>This step alone can slash your response time, making those tight deadlines far more manageable. For organisations still mapping out their compliance journey, it&#039;s also helpful to explore the role of <a href="https://goregulus.com/uncategorized/cra-harmonised-standards/">CRA harmonised standards</a> in providing a clear framework for these processes.</p>
<h3>3. Implement Monitoring and Automation Tools</h3>
<p>You can&#039;t report a vulnerability you don&#039;t know about. Robust monitoring is the bedrock of compliance. This means putting tools and processes in place that give you continuous visibility into your products&#039; security posture.</p>
<ul>
<li><strong>Continuous Vulnerability Scanning:</strong> Use Software Composition Analysis (SCA) tools to constantly monitor your code and its dependencies for newly disclosed vulnerabilities.</li>
<li><strong>Automate Draft Reports:</strong> Configure your security tooling to automatically generate a draft incident report whenever a high-severity or actively exploited vulnerability pops up in a production environment. For instance, if your SCA tool flags a critical flaw in a library like OpenSSL that is known to be exploited, it can trigger a ticket in your system with a pre-populated report draft.</li>
</ul>
<h3>4. Run Realistic Simulation Drills</h3>
<p>A plan on paper is not enough. You have to pressure-test it. Regular simulation drills are the only way to build the muscle memory your team needs to meet the CRA’s demanding timelines.</p>
<p>Run tabletop exercises that simulate a real-world discovery of an actively exploited vulnerability. Start the <strong>24-hour</strong> clock and make your team execute the full reporting process. A practical drill could involve a scenario where a security researcher privately discloses a critical remote code execution flaw in your flagship product. The team must then race against the simulated clock to validate the finding, draft the early warning, get approval, and submit it.</p>
<h3>5. Integrate CRA into Broader Security Policies</h3>
<p>Finally, make sure your CRA reporting process doesn&#039;t exist in a silo. It must be woven into your organisation&#039;s bigger security and disclosure frameworks.</p>
<p>Your <strong>Coordinated Vulnerability Disclosure (CVD)</strong> policy should specify that any incoming report meeting the CRA criteria immediately triggers your internal CSIRT notification workflow. Likewise, your post-market surveillance activities need a clear protocol for escalating security findings to the incident response team. For specialised assistance in meeting all regulatory demands, explore dedicated <a href="https://www.cloudorbis.com/cybersecurity-services/compliance-solutions">Compliance Solutions</a>.</p>
<h2>Your CRA Reporting Questions, Answered</h2>
<p>Once you move from the legal text of the Cyber Resilience Act to building real-world processes, practical questions always come up. The theory is one thing; day-to-day operational reality is another. Getting the details right in these grey areas is what separates a smooth compliance process from a scramble.</p>
<p>Here, we&#039;ll tackle some of the most common and pressing questions teams have about CRA reporting obligations.</p>
<h3>What Happens If We Notify the CSIRT but a Patch Is Not Ready?</h3>
<p>The CRA prioritises transparency and proactive communication. If you hit the reporting deadline but your patch isn’t ready, you must still submit the report on time. Your duty is to be upfront about the situation.</p>
<p>In your report, you need to give a clear status update. For example: &quot;We have confirmed the vulnerability and its severity. A patch is currently in development and undergoing QA testing. We anticipate releasing firmware version 2.5.1 to address this issue within the next 7 days. In the meantime, we advise users to disable remote access features.&quot; This kind of honest communication is far better than silence.</p>
<h3>Does Reporting to a CSIRT Make the Vulnerability Public Immediately?</h3>
<p>No, it doesn&#039;t. The initial reports you send to your national CSIRT and ENISA are confidential. This isn&#039;t about naming and shaming; the immediate goal is to allow a coordinated, behind-the-scenes response among national authorities and to figure out the potential EU-wide impact.</p>
<blockquote>
<p>The entire process is built to align with <strong>Coordinated Vulnerability Disclosure (CVD)</strong> principles. This means public disclosure is usually held back until a patch is developed and available, preventing attackers from getting a roadmap to an exploit before users can protect themselves.</p>
</blockquote>
<h3>How Does This Relate to Our Existing Bug Bounty Programme?</h3>
<p>Think of your bug bounty programme as a critical input to your CRA compliance workflow. It&#039;s one of the best tools you have for finding serious vulnerabilities before attackers do.</p>
<p>When a researcher reports a vulnerability through your programme that fits the CRA criteria—for instance, it&#039;s being <strong>&#039;actively exploited&#039;</strong> or is a <strong>&#039;severe incident&#039;</strong>—that&#039;s when your <strong>24-hour reporting clock starts ticking</strong>. You absolutely must have a bulletproof process to escalate these findings from your bug bounty platform to your incident response team, kicking off the formal CSIRT reporting workflow without any delay. A practical example would be a researcher submitting a video proof-of-concept showing how to bypass authentication on your smart doorbell. The moment your team validates that it works, the clock starts.</p>
<h3>What Are Our Responsibilities As an Importer or Distributor?</h3>
<p>While the manufacturer carries the primary reporting burden, importers and distributors are not off the hook. You are a crucial link in the safety chain and have your own distinct obligations. If you learn about a reportable incident involving a product you’re selling on the EU market, you are legally required to inform the manufacturer <strong>&#039;without undue delay.&#039;</strong></p>
<p>For example, if a large retail chain acting as an importer receives multiple customer complaints about their smart home hubs being hacked, they cannot ignore it. They must promptly notify the product&#039;s manufacturer so the CRA reporting process can be initiated. Turning a blind eye to this could leave you exposed to penalties and significant legal liability.</p>
<hr>
<p><strong>Regulus</strong> provides a unified platform to help you navigate the complexities of the Cyber Resilience Act. Our solution helps you assess applicability, classify products, and generate a tailored requirements matrix, including ready-to-use templates for documentation and a step-by-step roadmap to turn findings into an actionable compliance plan. Gain clarity, reduce costs, and confidently place compliant products on the European market with our software, which you can explore at <a href="https://goregulus.com">https://goregulus.com</a>.</p><p>La entrada <a href="https://goregulus.com/cra-basics/cra-csirt-reporting-requirements/">A Practical Guide to CRA CSIRT Reporting Requirements</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CRA Substantial modification definition: EU Compliance Guide for 2026</title>
		<link>https://goregulus.com/cra-basics/cra-substantial-modification-definition/</link>
		
		<dc:creator><![CDATA[Igor Smith]]></dc:creator>
		<pubDate>Mon, 04 May 2026 14:39:44 +0000</pubDate>
				<category><![CDATA[CRA Basics]]></category>
		<category><![CDATA[CRA substantial modification definition]]></category>
		<category><![CDATA[Cyber Resilience Act]]></category>
		<category><![CDATA[EU Compliance]]></category>
		<category><![CDATA[product security]]></category>
		<guid isPermaLink="false">https://goregulus.com/?p=2165</guid>

					<description><![CDATA[<p>One of the most critical—and often misunderstood—concepts in the EU&#8217;s Cyber Resilience Act (CRA) is the &#8216;substantial modification&#8217;. Getting this wrong can turn what seems like a simple update into a full-blown compliance nightmare, forcing you to treat your product as brand new and start the entire conformity assessment from scratch. Decoding the CRA Substantial [&#8230;]</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-substantial-modification-definition/">CRA Substantial modification definition: EU Compliance Guide for 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>One of the most critical—and often misunderstood—concepts in the EU&#8217;s Cyber Resilience Act (CRA) is the <strong>&#8216;substantial modification&#8217;</strong>. Getting this wrong can turn what seems like a simple update into a full-blown compliance nightmare, forcing you to treat your product as brand new and start the entire conformity assessment from scratch.</p>



<h2 class="wp-block-heading">Decoding the CRA Substantial Modification Definition</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-substantial-modification-definition-construction-changes.jpg" alt="Illustrations showing a routine update with a paintbrush and a substantial modification with a hammer and blueprints."/></figure>



<p>Think of it like renovating a house. Painting a room or fixing a faucet is just routine maintenance; you don&#8217;t need to call the building inspector. But if you decide to add an extension or knock down a structural wall, you’ve fundamentally changed the building. That kind of work demands new plans, new permits, and new inspections.</p>



<p>The same logic applies to digital products under the CRA. A security patch or a minor bug fix is just routine upkeep. But if an update alters the product’s core purpose, introduces new risks, or weakens its security posture, it crosses the line into a <strong>substantial modification</strong>. For manufacturers, understanding precisely where that line is drawn is a major compliance challenge.</p>



<h3 class="wp-block-heading">The Legal Foundation</h3>



<p>The CRA establishes this compliance trigger in <strong>Article 3(30)</strong>. A substantial modification happens when a change made after the product is on the market either impacts its compliance with the essential cybersecurity requirements in Annex I or alters its original intended purpose.</p>



<p>The consequences are significant. Anyone making such a change effectively becomes the manufacturer, inheriting all the associated obligations. This means new documentation, a fresh security assessment, and updated conformity procedures.</p>



<p><strong>Practical Example:</strong> An importer takes a batch of smart home hubs and, before selling them, installs custom firmware that allows the hubs to control industrial equipment. This is a substantial modification. The importer is now considered the &#8220;manufacturer&#8221; under the CRA and is responsible for a full new conformity assessment, even though they didn&#8217;t build the original device.</p>



<h3 class="wp-block-heading">Drawing the Line Between Updates and Modifications</h3>



<p>The good news is that not every change forces you to restart your compliance journey. The key is distinguishing between routine, non-substantial updates and fundamental, substantial modifications.</p>



<p>To make this distinction clearer, the table below compares different types of changes and how they are typically classified under the CRA.</p>



<h3 class="wp-block-heading">Substantial Modification vs. Routine Update Under the CRA</h3>



<p>This table provides a clear comparison of changes that are considered substantial modifications versus those classified as routine, non-substantial updates, helping manufacturers quickly assess their product changes.</p>



<figure class="wp-block-table"><table><tr>
<th align="left">Type of Change</th>
<th align="left">Substantial Modification (Triggers Full Re-assessment)</th>
<th align="left">Non-Substantial Update (Part of Standard Maintenance)</th>
</tr>
<tr>
<td align="left"><strong>Functionality</strong></td>
<td align="left">Adding a major new feature that was not part of the original design, like enabling online payments in a previously offline application.</td>
<td align="left">Fixing bugs, improving performance efficiency, or making minor UI/UX adjustments that don&#039;t alter core behaviour.</td>
</tr>
<tr>
<td align="left"><strong>Intended Purpose</strong></td>
<td align="left">Re-purposing a smart home thermostat through a software update to control commercial HVAC systems in large buildings.</td>
<td align="left">Releasing a software patch that improves the thermostat’s energy efficiency algorithms within its existing home-use context.</td>
</tr>
<tr>
<td align="left"><strong>Security Architecture</strong></td>
<td align="left">Removing or fundamentally weakening a core security control, such as replacing multi-factor authentication with a simpler login method.</td>
<td align="left">Patching a known security vulnerability (e.g., a CVE) without changing the underlying security architecture or functionality.</td>
</tr>
<tr>
<td align="left"><strong>Data Handling</strong></td>
<td align="left">An update that begins to collect and process new categories of personal or sensitive data not covered in the original assessment.</td>
<td align="left">Optimising existing data processing workflows for better speed or efficiency, without changing the type of data collected.</td>
</tr>
</table></figure>



<p>This principle of re-evaluating risk based on significant change is becoming a common theme in technology regulation. For context, you can see similar concepts emerging in the California <a href="https://www.whisperit.ai/blog/california-ai-law">AI law</a>, where modifications to AI systems can also trigger new obligations.</p>



<p>Ultimately, correctly identifying a substantial modification is more than a box-ticking exercise. It&#8217;s about maintaining a clear, defensible, and continuous compliance strategy throughout your product&#8217;s lifecycle. For more details on the broader regulatory expectations, see our guide on the <a href="https://goregulus.com/uncategorized/cra-implementation-guidance-european-commission/">European Commission&#8217;s CRA implementation guidance</a>.</p>



<h2 class="wp-block-heading">The Two Main Triggers for a Substantial Modification</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-substantial-modification-definition-security-risk.jpg" alt="Two illustrations: a smart device on a building for 'Change of purpose' and a broken lock for 'Security impact'."/></figure>



<p>When you&#8217;re trying to figure out if a change to your product qualifies as a <strong>substantial modification</strong> under the Cyber Resilience Act, it really boils down to two key questions. Getting the <strong>CRA substantial modification definition</strong> right means understanding these triggers inside and out, as they&#8217;re the litmus test for deciding if an update is just routine maintenance or something that resets your compliance clock.</p>



<p>An update crosses the line into a substantial modification if it does one of two things:</p>



<ul class="wp-block-list">
<li>It alters the product’s <strong>original intended purpose</strong>.</li>



<li>It changes the product in a way that <strong>negatively affects its compliance</strong> with the CRA’s essential security requirements.</li>
</ul>



<p>If your update trips either of these wires, you’ve almost certainly made a substantial modification. Let&#8217;s break down exactly what each of these means with some real-world examples.</p>



<h3 class="wp-block-heading">Trigger 1: Changing the Intended Purpose</h3>



<p>The <strong>intended purpose</strong> is the bedrock of your product&#8217;s original risk assessment and compliance strategy. It defines what your product is meant to do, who it&#8217;s for, and the environment it&#8217;s designed to operate in. As soon as you push an update that expands this scope, you’ve fundamentally changed the product&#8217;s risk profile.</p>



<p><strong>Practical Example:</strong> A smart camera is originally marketed for indoor home monitoring. Its intended purpose is clear: helping a family keep an eye on their living room. A firmware update is released that adds features for outdoor, all-weather surveillance and integrates with a commercial security firm&#8217;s monitoring platform.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>This is a substantial modification. The change expands the original &#8220;use, context, and conditions of use,&#8221; turning a simple home gadget into a commercial-grade security tool. This isn&#8217;t just a new feature; it&#8217;s a completely new job for the product. The risks tied to a commercial security system—like data privacy in public spaces or resilience against sophisticated, targeted attacks—are miles apart from those of a basic indoor camera. That shift in purpose makes the original security assessment obsolete.</p>
</blockquote>



<h3 class="wp-block-heading">Trigger 2: Affecting Security Compliance</h3>



<p>The second trigger is any change that weakens the product&#8217;s ability to meet the essential cybersecurity requirements laid out in Annex I of the CRA. These requirements are the technical core of the regulation, covering everything from secure-by-design principles to vulnerability management.</p>



<p>A change becomes substantial if it degrades the product&#8217;s security posture or introduces new, unassessed risks.</p>



<p><strong>Practical Example:</strong> A developer of a connected industrial sensor releases an update. To boost data processing speed, the update disables Transport Layer Security (TLS) encryption for data sent to the cloud, reverting to an unencrypted protocol.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>This move has an immediate and direct impact on compliance. By stripping away a critical security control (encryption in transit), the developer has left data exposed to interception. This compromises one of the CRA&#8217;s core security principles, making the change a substantial modification. A new, comprehensive conformity assessment would be mandatory. You can find out what that involves in our guide on how to perform a <a href="https://goregulus.com/cra-compliance/cra-risk-assessment/">CRA risk assessment</a>.</p>
</blockquote>



<p>Distinguishing these triggers from routine work has been a major point of discussion for the industry. It’s now clear that standard security patches, bug fixes, and minor functional tweaks like UI adjustments do <em>not</em> count. However, any change that introduces features handling sensitive data, alters security configurations, or adds new functions in a way that increases cybersecurity risk will almost always cross the substantial modification threshold.</p>



<h2 class="wp-block-heading">Real-World Examples of Substantial Modifications</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-substantial-modification-definition-tech-components.jpg" alt="Illustrations showing software with secure messages, firmware with a wireless camera, and hardware with a phone and chip."/></figure>



<p>The theory behind a substantial modification is one thing, but spotting it in the wild during a hectic development cycle is another. That grey area between a routine patch and a change that forces a full re-assessment is where many product teams will get caught out.</p>



<p>To really understand where the <strong>CRA substantial modification definition</strong> draws the line, we need to move from abstract rules to concrete scenarios. Let’s look at what this means for software, firmware, and hardware, linking each example back to the core triggers: changing the intended purpose or degrading the product’s ability to meet security requirements.</p>



<h3 class="wp-block-heading">Software Modification Adding a Sensitive Feature</h3>



<p>Let&#8217;s start with a common software scenario. A company has a simple messaging app for internal teams, designed and assessed for exchanging basic text on a trusted corporate network. The initial risk assessment was straightforward, focusing on a limited, low-risk use case.</p>



<p>Then, marketing decides the app needs a new file-sharing feature. The update lets users upload documents and share them directly with external business partners.</p>



<p>This isn&#8217;t just a feature bump; it&#8217;s a <strong>clear substantial modification</strong>. The reasoning is twofold:</p>



<ul class="wp-block-list">
<li><strong>Change in Intended Purpose:</strong> The app has morphed from an internal chat tool into an external collaboration platform. This new function was completely outside the scope of the original conformity assessment.</li>



<li><strong>Change in Data Handling &amp; Risk Profile:</strong> The product now handles potentially sensitive documents and transmits them outside the trusted network. This introduces a whole new class of risks—data exfiltration, unauthorised access by third parties—that the original security model never accounted for.</li>
</ul>



<p>Because the product’s risk profile has fundamentally changed, the original assessment is obsolete. A new, full conformity assessment is required to address the security implications of this new functionality.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Practical Example:</strong> By adding a feature that processes new, more sensitive data types (e.g., financial reports, legal contracts) and expands the product&#8217;s use case to external collaboration, the developer has crossed the substantial modification threshold. The product’s core function and associated risks have been fundamentally altered.</p>
</blockquote>



<h3 class="wp-block-heading">Firmware Modification Enabling New Connectivity</h3>



<p>Now for a classic firmware example. A manufacturer makes industrial sensors used in factories to monitor machine temperatures. Their security model is simple because the product is designed for one thing: connecting to a private, air-gapped industrial network via an Ethernet cable. It’s never supposed to touch the public internet.</p>



<p>Later, the company pushes a firmware update that activates a dormant Wi-Fi chip inside the device. This seemingly minor change allows the sensor to connect directly to the internet for remote monitoring.</p>



<p>This is a textbook <strong>substantial modification</strong>. The original intended purpose was local monitoring in a physically secure, isolated environment.</p>



<ul class="wp-block-list">
<li><strong>Change in Context of Use:</strong> The update drags the product from a controlled private network into the hostile, open environment of the public internet.</li>



<li><strong>Impact on Security Compliance:</strong> This instantly creates a <strong>massive new attack surface</strong>. The security controls that were perfectly adequate for an isolated device are now dangerously insufficient for one exposed to global threats. This directly impacts compliance with the CRA&#8217;s essential security requirements.</li>
</ul>



<p>From a cybersecurity standpoint, this update has created an entirely new product. The manufacturer must now perform a full conformity re-assessment to prove it can withstand the threats of its new, internet-facing role.</p>



<h3 class="wp-block-heading">Hardware Modification Swapping a Critical Component</h3>



<p>Finally, let&#8217;s look at a hardware change that trips the wire. A company builds a popular smart lock for homes. A key part of its security architecture, and a central feature in its CRA technical file, is a certified secure element (SE) chip that stores cryptographic keys.</p>



<p>To cut costs, the product team decides to swap out the high-quality SE for a cheaper, general-purpose microcontroller that handles cryptography in software. To the end-user, the lock looks and works exactly the same.</p>



<p>Under the surface, however, this is a <strong>major substantial modification</strong>.</p>



<p>The intended purpose—locking a door—hasn’t changed at all. But the product&#8217;s ability to meet the CRA’s essential security requirements has been critically weakened. The original SE provided hardware-level protection against physical tampering and sophisticated side-channel attacks. The new, cheaper component offers no such guarantees, making the all-important cryptographic keys far more vulnerable.</p>



<p>This change invalidates the security claims made in the original conformity assessment. The manufacturer must go back to the beginning and re-certify the product with its new, less secure internal architecture.</p>



<h2 class="wp-block-heading">Consequences of Making a Substantial Modification</h2>



<p>So, you’ve made a change to your product. The big question is: does it count as a <strong>substantial modification</strong> under the Cyber Resilience Act? If the answer is yes, this isn&#8217;t just a minor administrative task—it’s a full compliance reset.</p>



<p>Making a <strong>substantial modification</strong> sets off a chain reaction of duties. It effectively treats your updated product as if it were brand new, forcing you to re-validate its security from the ground up.</p>



<p>The moment a change gets this classification, the person or company that made it takes on all the legal responsibilities of the original manufacturer. This is a critical point. Even if you’re an importer, a distributor, or a third-party integrator, making that change puts you squarely in the manufacturer&#8217;s shoes, along with every single obligation that comes with the title.</p>



<h3 class="wp-block-heading">The Compliance Domino Effect</h3>



<p>The most immediate consequence is that the product must undergo a <strong>completely new conformity assessment</strong>. The original assessment, along with all its supporting evidence and documentation, is no longer valid for the modified product. You have to start the entire process over again to prove the product meets the CRA&#8217;s essential cybersecurity requirements.</p>



<p>This isn&#8217;t just a paperwork exercise. It means a deep re-evaluation of the product&#8217;s security architecture, its risk profile, and how it handles data. Following this new assessment, you must create and sign a new EU Declaration of Conformity for the modified version. Our detailed guide on the <a href="https://goregulus.com/cra-documentation/cra-declaration-of-conformity/">CRA Declaration of Conformity</a> explains the specific requirements for this document.</p>



<h3 class="wp-block-heading">Overhauling Your Technical Documentation</h3>



<p>Alongside the new assessment, your technical documentation needs a complete overhaul. You can’t just add an addendum; you must update the entire file to reflect the product&#8217;s new state. This includes:</p>



<ul class="wp-block-list">
<li><strong>Revising the product description</strong> to include its new intended purpose or features.</li>



<li><strong>Updating the risk assessment</strong> to account for any new threats and vulnerabilities introduced by the modification.</li>



<li><strong>Documenting the new security architecture</strong>, including any new components or changed configurations.</li>



<li><strong>Providing evidence</strong> from the new conformity assessment to support your compliance claims.</li>
</ul>



<p>This reset ensures that market surveillance authorities have a complete and accurate picture of the product as it currently exists on the market, not as it was originally designed.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Practical Example:</strong> The entity performing a substantial modification inherits the full legal weight of a manufacturer under the CRA. For instance, if a car mechanic flashes the engine control unit (ECU) of a car with software that fundamentally changes its performance and emissions controls, that mechanic may be deemed the manufacturer of the modified ECU, bearing all CRA obligations for that change. This underscores why correctly classifying a change is one of the most critical decisions a company can make.</p>
</blockquote>



<h3 class="wp-block-heading">The Impact on Hardware and Supply Chains</h3>



<p>This principle extends deep into the supply chain, creating complex challenges. For hardware manufacturers, <strong>substantial modification</strong> rules apply not only to firmware and software but also to hardware revisions.</p>



<p><strong>Practical Example:</strong> A manufacturer of network routers faces a chip shortage and decides to replace the original network interface controller (NIC) with a different, uncertified one from a new supplier. Even if it seems functionally equivalent, this hardware swap is a substantial modification because the security properties of the new chip have not been assessed, potentially introducing new vulnerabilities. This triggers a full reassessment and can seriously complicate compliance across distributed EU supply chains.</p>



<p>Ultimately, a <strong>substantial modification</strong> is a high-stakes event. It demands a significant investment of time and resources to re-establish compliance and carries serious legal responsibility. This makes the initial assessment of any product change a crucial step in managing your regulatory risk under the CRA.</p>



<h2 class="wp-block-heading">A Simple Checklist for Assessing Product Changes</h2>



<figure class="wp-block-image size-large"><img decoding="async" src="https://goregulus.com/wp-content/uploads/2026/03/cra-substantial-modification-definition-decision-tree.jpg" alt="A flowchart detailing the CRA Substantial Modification Decision Tree, guiding from product change to assessment requirements."/></figure>



<p>The decision tree above gives you the high-level workflow. Every change you make to a product has to be scrutinised to see if it’s substantial, which in turn dictates whether you need a new conformity assessment. This visual flow highlights why a structured evaluation process is so critical for every single update.</p>



<p>Of course, moving from a flowchart to your daily workflow is what really matters for consistent compliance. To figure out if a planned update crosses into substantial territory, your team needs a simple, repeatable process. This checklist offers a series of direct questions to guide your internal assessment for any proposed change.</p>



<p>Answering “yes” to any of these questions is a strong signal that you are dealing with a <strong>substantial modification</strong>. That means you’ll most likely need to perform a new conformity assessment and take on all the manufacturer’s obligations for the modified product.</p>



<h3 class="wp-block-heading">Question 1: Does the Change Alter the Original Intended Purpose?</h3>



<p>The <strong>intended purpose</strong> is the bedrock of your original CRA compliance. Any change that expands this scope demands careful review. You need to ask if the update allows the product to be used in a new environment, for a completely different task, or by a new type of user.</p>



<p><strong>Practical Example:</strong> A ‘yes’ here is a major red flag. Imagine updating a consumer-grade smart plug with firmware that lets it manage high-load industrial machinery. This changes its intended purpose from simple home convenience to factory automation, fundamentally altering the product&#8217;s risk profile and making your original assessment invalid.</p>



<h3 class="wp-block-heading">Question 2: Does It Introduce New Ways of Handling Data?</h3>



<p>Data is the lifeblood of cybersecurity. You absolutely must ask if the change alters how the product collects, processes, or transmits data—especially personal or sensitive information. Does it start gathering a new category of data that wasn&#8217;t covered in your original assessment?</p>



<p><strong>Practical Example:</strong> A fitness tracking app gets an update to collect detailed GPS location history to suggest new running routes. Previously, it only tracked steps and heart rate. That’s a clear ‘yes’. The app now handles sensitive geolocation data, creating new privacy and security risks that demand a fresh assessment to stay compliant with the CRA.</p>



<h3 class="wp-block-heading">Question 3: Does It Weaken or Remove a Security Feature?</h3>



<p>Sometimes, changes are made to boost performance or improve usability, but they come at the expense of security. You have to scrutinise any update that disables, bypasses, or weakens an existing security control, such as encryption, access controls, or secure boot mechanisms.</p>



<p><strong>Practical Example:</strong> To simplify user login, a software update for a business application replaces mandatory two-factor authentication (2FA) with a simple username/password system. This is a substantial modification because it removes a critical security control, directly weakening the product&#8217;s security posture. A good guide on <a href="https://www.vulnsy.com/blog/information-security-risk-assessment">mastering information security risk assessment</a> can help you evaluate these risks systematically.</p>



<h3 class="wp-block-heading">Question 4: Does It Add a New Third-Party Component?</h3>



<p>Modern products are built on incredibly complex supply chains. Ask whether your update integrates a new third-party software library, a hardware component, or an API. If it does, you are effectively inheriting the security posture of that component.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Practical Example:</strong> A video-conferencing application adds a new AI-powered transcription feature by integrating an open-source library from an unknown developer. If this library has not been properly vetted for security vulnerabilities, its inclusion could introduce significant new risks into the application, potentially qualifying the update as a substantial modification.</p>
</blockquote>



<p>A ‘yes’ means you must perform due diligence on the new component&#8217;s security. By creating a structured process around these questions, you build a defensible and repeatable workflow. For a more exhaustive set of checks, you might be interested in our complete <a href="https://goregulus.com/resources/cra-checklist/">CRA compliance checklist</a> to guide your team.</p>



<h2 class="wp-block-heading">How to Streamline Your CRA Compliance Process</h2>



<p>Trying to manage your Cyber Resilience Act compliance using spreadsheets and manual trackers is a recipe for trouble. It&#8217;s not just inefficient; it’s risky. Deciding whether a change is a routine update or a <strong>substantial modification</strong> demands a consistent, documented process—something that’s incredibly difficult to maintain by hand. This is where a dedicated compliance platform stops being a luxury and becomes a core part of your strategy.</p>



<p>A platform like <a href="https://www.regulus.com/">Regulus</a> is built to manage this exact kind of complexity. Its primary job is to help you create a clear, official baseline for each product. By documenting the product’s original intended purpose and security features in one central place, you build a solid foundation to measure all future changes against.</p>



<h3 class="wp-block-heading">Establishing a Clear Baseline</h3>



<p>The first step toward simplifying compliance is to nail down what your product is <em>supposed</em> to do. Without a clearly defined <strong>intended purpose</strong>, every change turns into a subjective argument. A compliance platform provides built-in documentation templates and evidence management tools to formalise this baseline.</p>



<p>This process gives your team clarity, cuts down on human error, and creates a robust audit trail for market authorities.</p>



<p>The platform screenshot below shows how requirements can be mapped and tracked, giving you a clear view of your compliance status at a glance.</p>



<p>This dashboard centralises all CRA obligations, making it easy to see which requirements are met and which still need attention.</p>



<h3 class="wp-block-heading">Automating the Assessment of Changes</h3>



<p>Once your baseline is set, the platform can help flag proposed changes that are likely to be considered substantial. As organisations prepare for the <strong>December 11, 2027</strong>, deadline, they are building systematic ways to categorise every product change. A platform like Regulus assists by generating tailored requirement matrices that help differentiate permissible updates from substantial modifications needing a full reassessment. You can discover more insights about this and other aspects of the <a href="https://cycode.com/blog/cyber-resilience-act/">Cyber Resilience Act on cycode.com</a>.</p>



<p>This structured approach turns the <strong>CRA substantial modification definition</strong> from an abstract legal concept into a practical, data-driven workflow. Instead of relying on guesswork, your team can assess changes against a pre-defined set of criteria.</p>



<ul class="wp-block-list">
<li><strong>Requirements Matrix:</strong> Instantly see how a proposed change affects your product’s compliance with Annex I requirements.</li>



<li><strong>Documentation Templates:</strong> Use ready-made templates to document your assessment, justifying why a change is or is not substantial.</li>



<li><strong>Evidence Management:</strong> Link every decision back to concrete evidence, creating an audit trail that will stand up to scrutiny.</li>
</ul>



<p>By adopting a tool like this, you shift from risky, ad-hoc decisions to a systematic and defensible process. This doesn&#8217;t just prepare you for market authority inspections; it gives you the confidence and efficiency needed to navigate the complexities of CRA compliance.</p>



<h2 class="wp-block-heading">Common Questions About Substantial Modifications</h2>



<p>Understanding the Cyber Resilience Act often comes down to a few critical definitions, and none is more important than <strong>&#8216;substantial modification&#8217;</strong>. Getting this wrong can turn a simple update into a full-blown compliance nightmare.</p>



<p>Here, we answer the common questions that product managers, compliance officers, and engineering leads grapple with when deciding if a change triggers a new conformity assessment.</p>



<h3 class="wp-block-heading">Are Security Patches That Fix Vulnerabilities a Substantial Modification?</h3>



<p>Generally, no. A patch that fixes a known vulnerability without changing the product&#8217;s core function or security architecture is just routine maintenance. In fact, the CRA requires you to do this as part of your post-market duties.</p>



<p><strong>Practical Example:</strong> You discover a buffer overflow vulnerability (like CVE-2023-1234) in your smart thermostat&#8217;s firmware. Releasing a patch that corrects the flawed code to prevent the overflow is a non-substantial update. It simply restores the product&#8217;s security.</p>



<p>However, if fixing the vulnerability required you to remove the entire Wi-Fi module and force users to connect via Ethernet only, that would likely be a substantial modification because it fundamentally changes how the product operates.</p>



<h3 class="wp-block-heading">Who Is Responsible if a Third Party Makes the Modification?</h3>



<p>The responsibility falls squarely on whoever makes the change. The CRA is crystal clear on this: any person or company that performs a substantial modification is treated as the manufacturer of that newly-changed product.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p><strong>Practical Example:</strong> An importer buys generic security cameras and installs their own custom AI software that adds facial recognition capabilities before selling them. The importer is now legally the &#8220;manufacturer&#8221; of this modified product. They must conduct a new conformity assessment, create all technical documentation, and issue a new Declaration of Conformity. The original camera maker is only responsible for the camera as they sold it, without the AI software.</p>
</blockquote>



<h3 class="wp-block-heading">Does Changing the User Interface Count as a Substantial Modification?</h3>



<p>A purely cosmetic UI change—like updating colours, icon styles, or button layouts—is almost never a substantial modification. These changes don’t touch the product&#8217;s security posture or its intended purpose, so they don’t trigger a reassessment.</p>



<p>The story changes completely if the UI redesign adds new functionality. For example, if a new interface in a banking app adds a form to upload identity documents for verification, that is a substantial modification. It&#8217;s not a simple facelift; it introduces a new, high-risk data handling process that was not part of the original assessment.</p>



<h3 class="wp-block-heading">How Should We Document Our Decision That a Change Is Not Substantial?</h3>



<p>Meticulous record-keeping is your best defence. For every single product change, you need to document your assessment—especially when you conclude it is <em>not</em> substantial. This creates a defensible audit trail that shows regulators you’re performing due diligence.</p>



<p>Your technical file should contain a clear record of:</p>



<ul class="wp-block-list">
<li><strong>The Change Itself:</strong> A straightforward description of the update or modification (e.g., &#8220;Software version 2.1: Updated button colors and patched CVE-2024-5678&#8221;).</li>



<li><strong>Your Analysis:</strong> An explanation of how you evaluated the change against the CRA’s two main triggers (e.g., &#8220;The change does not alter the intended purpose of home climate control. The patch only corrects a known vulnerability and does not weaken other security controls.&#8221;).</li>



<li><strong>The Justification:</strong> A written conclusion explaining precisely why the change was classified as a non-substantial update (e.g., &#8220;Conclusion: Update 2.1 is non-substantial as it is a minor UI tweak and a standard security fix.&#8221;).</li>
</ul>



<p>This internal documentation proves you have a structured process and are actively managing your compliance obligations, not just hoping for the best.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Confidently assessing modifications and navigating the complexities of the CRA is far easier with the right tools. <a href="https://goregulus.com">Regulus</a> provides a structured platform to document your product’s intended purpose, manage technical files, and create a clear, auditable trail for every decision. Explore how <strong>Regulus</strong> can bring clarity to your compliance workflow and reduce risk.</p>
<p>La entrada <a href="https://goregulus.com/cra-basics/cra-substantial-modification-definition/">CRA Substantial modification definition: EU Compliance Guide for 2026</a> se publicó primero en <a href="https://goregulus.com">Regulus</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
