The EU’s Cyber Resilience Act (CRA) is here, setting out tough new cybersecurity requirements for products with digital elements (PwDEs). While obligations are phased, preparation is vital. Here are the three big takeaways manufacturers need to know straight away:

• CRA is live but phased. The Act entered into force in December 2024. Vulnerability reporting starts in September 2026, with full compliance and CE marking required from December 2027.
• Scope goes beyond RED. Unlike the Radio Equipment Directive (RED), which covers radio-connected products, the CRA applies to all PwDEs, including hardware, software, apps, cloud services, and lifecycle processes.
• Preparation is essential. Compliance demands risk assessments, testing, and a vulnerability management process (including an SBOM). Starting now will help manufacturers avoid costly disruption later.

What is the CRA?

The CRA is EU legislation designed to strengthen the resilience of digital products. It sets essential cybersecurity requirements for any product with digital elements placed on the EU market.

Who does it apply to?

Manufacturers, importers, and distributors of products with digital elements, from connected devices and operating systems to apps, software libraries, and cloud services, all fall within scope.

How is it different from the Radio Equipment Directive (RED)?

The RED Delegated Act introduces cybersecurity requirements for radio products with wireless technologies such as Wi-Fi and Bluetooth. From 1 August 2025, these products must be tested against EN 18031 standards.

The CRA goes further. It applies to all PwDEs and extends compliance obligations to include associated software and processes. Manufacturers must demonstrate how they assess and mitigate risks across a product’s entire lifecycle and how they handle vulnerabilities.

When does it come into force?

• September 2026 – Vulnerability reporting obligations begin, including notifying ENISA of actively exploited vulnerabilities.
• December 2027 – Full compliance takes effect, including CE marking and conformity assessments.

What does compliance involve?

Organisations will need to:

1. Implement risk assessments covering planning, design, development, production, and maintenance.
2. Test products against essential requirements, such as access controls and authentication mechanisms.
3. Create a vulnerability management process, including reporting and maintaining a software bill of materials (SBOM).

European Standards Bodies (CEN/CENELEC and ETSI) are developing supporting standards to help demonstrate compliance. Products meeting requirements can then be CE marked and backed up with technical files including test reports and declarations of conformity.

How SafeShark can help

SafeShark supports companies preparing for CRA compliance through pre-assessments mapped to ENISA’s requirements. We are directly involved in the standards process, so we can provide the latest insights on how requirements are evolving.

Until CRA deadlines apply, manufacturers must still comply with RED. From 1 August 2025, connected radio products entering the EU market must be tested against EN 18031 standards. SafeShark offers straightforward EN 18031 compliance testing at our dedicated cybersecurity lab in central London, helping ensure your products are ready for market.