EU Cyber Resilience Act
Regulation (EU) 2024/2847 (the Cyber Resilience Act, CRA) introduces horizontal cybersecurity requirements for Products with Digital Elements (PDEs) placed on the Union market and for their manufacturers, importers and distributors. PDEs cover hardware, software and remote data processing solutions that are connected directly or indirectly to a device or network and intended to be placed on the market separately or alongside a product. The Regulation imposes:
(a) Article 13 manufacturer obligations, including cybersecurity risk assessment, due diligence on third-party components, a documented support period with security updates throughout it, and compliance with the essential cybersecurity requirements (Annex I Part I) and the vulnerability handling requirements (Annex I Part II);
(b) Article 14 reporting obligations, including a 24-hour early-warning notification of actively exploited vulnerabilities to ENISA and the CSIRT, a 72-hour update and a final report, plus a parallel 24h/72h severe-incident notification regime, all channelled through the single reporting platform under Article 16;
(c) Articles 18-25 obligations for authorised representatives, importers, distributors, open-source software stewards and security attestations;
(d) Articles 27-34 conformity assessment (Module A self-assessment for default products; Modules B+C / Module H notified-body involvement for important products under Article 7 and critical products under Article 8, with mandatory European cybersecurity certification under Regulation (EU) 2019/881 as the conformity-assessment route for critical products);
(e) Articles 35-51 notification of conformity-assessment bodies;
(f) Articles 52-60 market surveillance and the Union safeguard procedure;
(g) Article 64 penalties (up to EUR 15 million or 2.5% of worldwide annual turnover for breach of the essential requirements).
The Regulation entered into force on 10 December 2024; the main obligations apply from 11 December 2027, with the Article 14 reporting regime applying from 11 September 2026.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
CRA - Conformity Assessment (Ch III)
| Code | Title |
|---|---|
| CRA-Art.27_28 | Presumption of conformity and EU declaration of conformity (Articles 27-28) |
| CRA-Art.29_30 | CE marking (Articles 29-30) |
| CRA-Art.31 | Technical documentation (Article 31 + Annex VII) |
| CRA-Art.32 | Conformity assessment procedures (Article 32) |
| CRA-Art.33 | SME and microenterprise support measures (Article 33) |
CRA - Delegation, Committee, Final Provisions (Ch VI-VIII)
| Code | Title |
|---|---|
| CRA-Art.61_62_63 | Delegation, committee procedure and confidentiality (Articles 61-63) |
| CRA-Art.69_70_71 | Transitional provisions, evaluation and entry into force (Articles 69-71) |
CRA - General Provisions and Scope (Ch I)
| Code | Title |
|---|---|
| CRA-Art.1 | Subject matter (Article 1) |
| CRA-Art.11_12 | Relationship with general product safety and AI Act (Articles 11-12) |
| CRA-Art.2 | Scope - Products with Digital Elements (Article 2) |
| CRA-Art.3 | Definitions (Article 3) |
| CRA-Art.6_7 | Important and critical products with digital elements (Articles 6-7) |
CRA - Manufacturer Obligations and Essential Requirements (Ch II Section 1)
| Code | Title |
|---|---|
| CRA-Art.13_AnnexI | Manufacturer obligations and essential requirements (Article 13 + Annex I) |
| CRA-Art.14_16 | Reporting obligations and the single reporting platform (Articles 14 and 16) |
CRA - Market Surveillance and Penalties (Ch V and Ch VII)
| Code | Title |
|---|---|
| CRA-Art.52 | Market surveillance and control (Article 52) |
| CRA-Art.54_55 | Significant cybersecurity risk procedure and Union safeguard (Articles 54-55) |
| CRA-Art.64 | Penalties (Article 64) |
CRA - Notified Bodies (Ch IV)
| Code | Title |
|---|---|
| CRA-Art.35_36_37 | Notification of conformity assessment bodies and notifying authority requirements (Articles 35-37) |
| CRA-Art.39_41 | Operational requirements for notified bodies and subsidiaries (Articles 39 and 41) |
CRA - Other Economic Operators (Ch II Section 2)
| Code | Title |
|---|---|
| CRA-Art.18 | Authorised representatives for non-EU manufacturers (Article 18) |
| CRA-Art.19_20 | Obligations of importers and distributors (Articles 19-20) |
| CRA-Art.21_22 | When importers and distributors are treated as manufacturers (Articles 21-22) |
| CRA-Art.23 | Identification of economic operators (Article 23) |
| CRA-Art.24_25 | Open-source software stewards (Articles 24-25) |
Your Compliance Coverage
If you comply with EU Cyber Resilience Act, you already cover part of the following frameworks (10 mapped in total):
| Framework | Coverage | Controls mapped |
|---|---|---|
| EU Product Liability Directive (Directive (EU) 2024/2853) | 13% | 3 |
| GDPR | 13% | 3 |
| DORA | 8% | 2 |
| EU Machinery Regulation (Regulation (EU) 2023/1230) | 8% | |
| EU General Product Safety Regulation (GPSR, Regulation 2023/988) | 8% | |
Five further mapped frameworks are not listed here.
Frequently Asked Questions
What is the EU Cyber Resilience Act?
EU Cyber Resilience Act is a compliance framework from the European Union with 7 domains and 24 controls; the framework summary at the top of this page describes its scope and obligations. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does EU Cyber Resilience Act have?
EU Cyber Resilience Act has 24 controls organised across 7 domains. The largest domains are CRA - Conformity Assessment (Ch III) (5 controls), CRA - General Provisions and Scope (Ch I) (5 controls), CRA - Other Economic Operators (Ch II Section 2) (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does EU Cyber Resilience Act map to?
EU Cyber Resilience Act maps to 10 other compliance frameworks. The top mapping partners are EU Product Liability Directive (Directive (EU) 2024/2853) (13% coverage), GDPR (13% coverage), DORA (8% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with EU Cyber Resilience Act compliance?
Start your EU Cyber Resilience Act compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EU Cyber Resilience Act requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 24 controls and track your progress.