FAQs: Cyber Resilience Act (CRA)

Find answers to frequently asked questions about the Cyber Resilience Act.

QIMA © 2026

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is a European Union regulation that sets horizontal cybersecurity requirements for all products with digital elements — including connected hardware and software, from IoT devices to standalone software applications. Unlike sector-specific laws, the CRA ensures a unified minimum level of cybersecurity across the entire EU market.

It requires manufacturers to consider cybersecurity throughout the entire product lifecycle — from design and development to maintenance and vulnerability handling. This means security can no longer be treated as an afterthought but must be built into products by design (“security by design” and “security by default”).

When will the CRA become applicable?

Although the CRA formally entered into force on 10 December 2024, it will only become fully applicable as of 11 December 2027. However, reporting obligations for vulnerabilities and incidents apply starting 11 September 2026. This transition period allows manufacturers and other stakeholders to adapt their development, quality assurance, compliance, and support processes to the new cybersecurity requirements.

After 11 December 2027, any product with digital elements that is not compliant with CRA requirements cannot be legally placed on the EU market. Companies should therefore already start preparing by identifying which of their products fall under the CRA, and how existing standards and risk management processes can be aligned with it.

What happens to the Radio Equipment Directive Delegated Act (RED-DA)?

The RED Delegated Act (EU) 2022/30 — which currently defines cybersecurity requirements for certain radio-connected products — will be repealed on 11 December 2027, the same day the CRA becomes fully applicable.

From that point onward, the CRA will serve as the overarching legal framework for product cybersecurity, avoiding duplication of obligations. Until then, manufacturers must still comply with the RED-DA, and existing RED-DA compliance work will still support future CRA compliance.

How are RED-DA and CRA related?

Both the RED-DA and the CRA impose mandatory cybersecurity requirements enforceable via CE marking.

  • RED-DA applies to internet-connected radio equipment.

  • CRA applies to all digital products, including software-only products.

Many devices fall under both frameworks (e.g., smart home devices, routers, industrial gateways). Once the CRA applies, it will take precedence, creating a single streamlined cybersecurity framework.

What is “Module A” and how does it relate to the CRA?

“Module A” refers to the Internal Production Control conformity assessment procedure under EU law. Under the CRA, it allows manufacturers to self-declare conformity if they fully implement relevant harmonized standards. This is the typical assessment method for "Default" or uncategorized products like smart speakers or photo editors. If no applicable standards exist or are only partially relevant, third-party involvement or additional justification may be necessary to demonstrate compliance.

Manufacturers using Module A must implement an internal process to ensure their product meets all essential cybersecurity requirements. They then issue an EU Declaration of Conformity, taking full legal responsibility for the product’s compliance. This declaration confirms the product meets all applicable EU harmonization legislation, including the CRA. However, this simplified route is only possible if the manufacturer fully applies harmonized standards (hEN) referenced in the Official Journal of the EU. Without such standards, achieving full conformity becomes much more complex and riskier.

What is “Presumption of Conformity” (PoC)?

“Presumption of Conformity” means that a product is presumed to meet CRA requirements if it complies with harmonized standards (hENs) published in the Official Journal of the European Union. These standards are developed by recognized bodies like ETSI and CENELEC, based on a Standardisation Request (M/606).

By following these standards, manufacturers can demonstrate compliance in a straightforward, recognized way — avoiding the need to prove from scratch that every security measure meets CRA requirements.

However, PoC only applies to the aspects covered by the standards. The presumption is "proportional"; if harmonized standards only partially cover the essential requirements, the manufacturer must prove compliance for the remaining requirements through other technical specifications or solutions. If a harmonized standard does not address a specific security risk, the manufacturer must perform additional assessments and document them in their technical file.

Note: As of now, no harmonized standards have been officially published under the CRA. This means that full Presumption of Conformity is not yet possible for any product. Manufacturers must either wait for these standards to be published in the Official Journal or use other assessment methods to demonstrate compliance in the interim. The list of references for harmonized standards can be monitored through the European Commission's dedicated summary page.

Can all products achieve full PoC under Module A?

No, not all products can currently achieve full Presumption of Conformity. Under the CRA, only Class I products listed in Annex III (so-called “important products with digital elements”) can achieve full PoC by applying harmonized standards. If a Class I product manufacturer does not apply (or only partially applies) harmonized standards, they must use a third-party assessment procedure involving a Notified Body (Module B+C or H).

For other product classes (e.g. Class II or those not listed in Annex III/IV), only partial PoC can be achieved through standards, meaning only certain requirements are covered. This is mainly because the full set of CRA-related harmonized standards is still being developed and will take time to finalize.

Currently, no harmonized standards are available under the CRA. This means that even Class I products listed in Annex III cannot yet claim full Presumption of Conformity. The European Commission is in the process of mandating and reviewing candidate standards (e.g. EN 18031 series), but until they are formally published in the OJEU, manufacturers must rely on alternative conformity methods and maintain appropriate documentation.

How do harmonized standards (hEN) support CRA compliance?

Harmonized standards serve as the technical backbone for demonstrating CRA compliance. The well-known EN 18031 series, originally created for the RED-DA, will likely form the basis for the CRA’s future harmonized standards. Additionally, new horizontal standards are being drafted specifically for the CRA, including prEN 40000-1-2 (Principles for Cyber Resilience) and prEN 40000-1-3 (Vulnerability Handling).

This continuity ensures that current efforts to align with RED-DA are not lost; on the contrary, they position manufacturers well for the upcoming CRA framework.

By applying harmonized standards, manufacturers can more easily prove that their products meet the CRA’s cybersecurity and vulnerability management requirements, ensuring both legal certainty and consumer trust across the EU market.

Important: While several candidate standards (such as the EN 18031-1/-2/-3 series) are being developed to support CRA compliance, none have yet been harmonized. The Official Journal of the EU will list recognized standards once they are approved. Until then, CRA compliance must be demonstrated through custom technical documentation and risk assessments.

How are EUCC and the CRA related?

The European Union Cybersecurity Certification (EUCC) scheme serves as a key compliance pathway for the CRA. While the CRA sets the legal requirements, the EUCC provides a standardized, Common Criteria-based framework to certify that ICT products meet unified security benchmarks.

For "Critical" products listed in Annex IV of the CRA, the European Commission may mandate the use of European cybersecurity certification, such as the EUCC, to demonstrate conformity. Furthermore, achieving an EUCC certificate at the "substantial" or "high" assurance level grants a presumption of conformity for the CRA requirements it covers. The EUCC also aligns with CRA expectations by integrating proactive vulnerability management and patch management protocols.

What to do next: Manufacturers of high-risk or critical digital products should evaluate if their current certification goals align with EUCC to streamline their future CRA compliance path.