verified_user
Standardful
Homechevron_rightStandardschevron_rightEU CRA
ActiveInternational Standardupdate Standard Updated: December 2024fact_check Fact checked: Jun 28, 2026

EU CRA

Cyber Resilience Act — Regulation (EU) 2024/2847

apartmentPublishing Organization:European Union

Standard Introduction

EU CRA is an active standard published by European Union. It is commonly used across Technology, Electronics, Manufacturing, Services and applies in European Union, European Economic Area.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with EU CRA.

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define cybersecurity for products with digital elements scope

Identify the products, services, sites, systems, teams, jurisdictions, and stakeholders covered by EU Cyber Resilience Act. Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for product scope, essential cybersecurity requirements, secure design, vulnerability handling, conformity assessment, CE marking, technical documentation, incident reporting, and manufacturer/importer/distributor obligations.

2
Phase 2schedule Duration: 4-10 weeks

Assess gaps and prioritize risks

Compare current practices with the expected cybersecurity for products with digital elements approach. Review secure-by-design requirements, threat modeling, vulnerability management, security updates, SBOM or component records, conformity route selection, EU declaration, CE marking, and market-surveillance readiness, then prioritize gaps by legal exposure, safety impact, customer commitments, operational dependency, and audit or market-access readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and records

Deploy the required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain technical documentation, risk assessments, test results, vulnerability-handling procedures, update records, component inventories, conformity assessment files, EU declarations, incident reports, and distribution records as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, audit, and improve

Run internal reviews, management reporting, audits, corrective actions, and change assessments. Refresh the program when products, services, suppliers, technology, regulations, incidents, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and governance

checklist Controls and evidence

checklist Monitoring and improvement

Frequently Asked Questions

Who needs EU Cyber Resilience Act?

expand_more

EU Cyber Resilience Act is most relevant to manufacturers, importers, distributors, and open-source stewards involved with products with digital elements placed on the EU market. The exact scope depends on products, services, jurisdictions, customer commitments, and whether the organization needs certification, conformity evidence, regulatory readiness, or internal governance.

Is EU Cyber Resilience Act certifiable?

expand_more

The CRA is a product regulatory regime with conformity assessment, technical documentation, vulnerability handling, and reporting obligations rather than a management-system certificate.

What should the implementation focus on first?

expand_more

Start by defining scope and obligations, then build a current-state gap assessment. The most important early work is to confirm ownership, affected assets or processes, risk criteria, customer or legal drivers, and the evidence the organization must be able to produce.

What evidence is useful for EU Cyber Resilience Act?

expand_more

Useful evidence includes technical documentation, risk assessments, test results, vulnerability-handling procedures, update records, component inventories, conformity assessment files, EU declarations, incident reports, and distribution records. The evidence should be version-controlled, attributable to owners, and linked to risks, obligations, controls, decisions, and corrective actions.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever products, services, suppliers, operating environments, incidents, customer commitments, or regulations change. High-risk domains should use more frequent monitoring and management reporting.

Official Documentation

View All

Related Categories