EU Cyber Resilience Act

European Union

6 domains

37 controls

Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (6)

Conformity Assessment

8 controls

Controls in the Conformity Assessment domain of EU Cyber Resilience Act — 8 controls
Code	Title	Description
Annex VI	Simplified Technical Documentation for Microenterprises and SMEs	Microenterprises and small enterprises may draw up technical documentation in a simplified form covering the elements se...
Art 27	Presumption of Conformity with Harmonised Standards	PDE and processes put in place by the manufacturer that conform to harmonised standards or parts thereof published in th...
Art 28	EU Declaration of Conformity	Manufacturer must draw up an EU declaration of conformity stating that the essential requirements have been demonstrably...
Art 30	CE Marking	The CE marking is subject to the general principles of Article 30 of Regulation (EC) 765/2008. It must be affixed visibl...
Art 31 + Annex VII	Technical Documentation	Manufacturer must draw up technical documentation before placing the PDE on the market and keep it up to date during the...
Art 32	Conformity Assessment Procedures	Manufacturer carries out a conformity assessment using one of: Module A (internal control, Annex VIII Part I) for ordina...
Art 32(2)-(3)	Conformity Assessment for Important and Critical PDE	Class I important PDE may use Module A only if a harmonised standard or common specification covering all essential requ...
Arts 35-45	Notification of Conformity Assessment Bodies	Member States must designate a notifying authority and establish procedures for notifying conformity assessment bodies....

Essential Requirements

7 controls

Controls in the Essential Requirements domain of EU Cyber Resilience Act — 7 controls
Code	Title	Description
Annex I Part I	Essential Cybersecurity Requirements (Properties)	PDE shall: be delivered without known exploitable vulnerabilities; have secure-by-default configuration; ensure protecti...
Annex I Part II	Vulnerability Handling Requirements	Manufacturers shall: identify and document vulnerabilities and components contained in PDE including SBOM; address and r...
Art 13(1)	Manufacturer Obligation: Design and Develop to Essential Requirements	Manufacturers must ensure PDE are designed, developed and produced in accordance with the essential cybersecurity requir...
Art 13(12)	Information and Instructions to Users (Annex II)	PDE must be accompanied by information and instructions to the user including manufacturer identity, single point of con...
Art 13(2)	Cybersecurity Risk Assessment	Manufacturer must perform an assessment of cybersecurity risks associated with the PDE and take the outcome into account...
Art 13(6)	Due Diligence on Third-Party Components	Manufacturers must exercise due diligence when integrating components, including free and open source software, sourced...
Art 13(8)	Support Period and Security Updates	Manufacturers must determine and communicate a support period during which security updates will be provided, reflecting...

Market Surveillance

4 controls

Controls in the Market Surveillance domain of EU Cyber Resilience Act — 4 controls
Code	Title	Description
Art 13(15)-(16)	Cooperation with Market Surveillance	Upon reasoned request from a market surveillance authority, manufacturer must provide all information and documentation...
Art 54	Procedure for PDE Presenting a Significant Cybersecurity Risk	Where MSA has sufficient reason to consider a PDE presents a significant cybersecurity risk, it carries out an evaluatio...
Art 64	Penalties	Non-compliance with essential cybersecurity requirements (Annex I) and manufacturer obligations (Arts 13 and 14) is subj...
Arts 46-49	Market Surveillance: Powers and Cooperation	Regulation (EU) 2019/1020 applies. Each Member State designates one or more market surveillance authorities for CRA. MSA...

Other

2 controls

Controls in the Other domain of EU Cyber Resilience Act — 2 controls
Code	Title	Description
Art 69 (Entry into force)	Application Dates and Transition	Regulation entered into force on 10 December 2024. Vulnerability and incident reporting obligations under Article 14 app...
Recital 36 + NIS2 interplay	Relationship with NIS2 and Sector Legislation	CRA is without prejudice to NIS2 (Directive (EU) 2022/2555). Reports under CRA Art 14 may also satisfy NIS2 incident rep...

Reporting

7 controls

Controls in the Reporting domain of EU Cyber Resilience Act — 7 controls
Code	Title	Description
Art 14(1)	Early Warning: 24-hour Notification of Actively Exploited Vulnerability	Manufacturer must submit an early warning notification of an actively exploited vulnerability contained in the PDE to th...
Art 14(10)-(11)	Voluntary Notification and Protection of Reporting Persons	Natural and legal persons may notify the CSIRT designated as coordinator of a vulnerability contained in a PDE on a volu...
Art 14(2)	Vulnerability Notification: 72-hour Update	Within 72 hours of becoming aware of the actively exploited vulnerability, manufacturer submits a vulnerability notifica...
Art 14(3)	Final Report on Vulnerability	Not later than 14 days after a corrective or mitigating measure is available, manufacturer submits a final report includ...
Art 14(4)	Severe Incident Reporting: 24/72-hour Notification	Manufacturer must notify any severe incident having an impact on the security of the PDE. Early warning within 24 hours...
Art 14(8)	User Notification of Exploited Vulnerabilities and Severe Incidents	Manufacturer must inform users of the PDE about the actively exploited vulnerability or severe incident and where applic...
Art 52	Union Single Reporting Platform	ENISA establishes and maintains a Single Reporting Platform for the submission of notifications under Article 14. The pl...

Scope

9 controls

Controls in the Scope domain of EU Cyber Resilience Act — 9 controls
Code	Title	Description
Art 13(19)	Authorised Representative for Non-EU Manufacturers	Manufacturers established outside the EU must appoint by written mandate an authorised representative established in the...
Art 19-21	Importer Obligations	Importers shall only place compliant PDE on the EU market. They must verify that manufacturer has carried out the confor...
Art 2	Scope: Products with Digital Elements (PDE)	Regulation applies to products with digital elements made available on the EU market whose intended or reasonably forese...
Art 22-23	Distributor Obligations	Distributors must act with due care and verify before making the PDE available that it bears CE marking, is accompanied...
Art 24	Cases Where Importers and Distributors Are Treated as Manufacturers	An importer or distributor is considered a manufacturer for purposes of the Regulation when they place a PDE on the mark...
Art 24a (FOSS Stewards)	Open Source Software Stewards	An open source software steward is a legal person other than a manufacturer that has the purpose or objective of systema...
Art 3	Definitions: Manufacturer, Importer, Distributor, Substantial Modification	Defines key roles. Manufacturer designs, develops or manufactures a PDE and places it under its name. Substantial modifi...
Art 6	Important Products with Digital Elements (Class I and Class II)	Designates important products listed in Annex III subject to enhanced conformity assessment. Class I (e.g., password man...
Art 7	Critical Products with Digital Elements	Critical PDE listed in Annex IV may be required to obtain a European cybersecurity certificate at assurance level substa...

Frequently Asked Questions

What is EU Cyber Resilience Act?

EU Cyber Resilience Act is a compliance framework from European Union with 6 domains and 37 controls. Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does EU Cyber Resilience Act have?

EU Cyber Resilience Act has 37 controls organised across 6 domains. The largest domains are Scope (9 controls), Conformity Assessment (8 controls), Essential Requirements (7 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does EU Cyber Resilience Act map to?

EU Cyber Resilience Act does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with EU Cyber Resilience Act compliance?

Start your EU Cyber Resilience Act compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EU Cyber Resilience Act requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 37 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required