CRA Cyber Resilience Act Regulatory Controls

The Cyber Resilience Act (EU 2024/2847) defines regulatory controls in Annex I across two pillars: Part

1 sets essential cybersecurity requirements including security by design, access controls, data encryption and remediation of known vulnerabilities before market placement. Part

2 governs vulnerability handling including identification, documentation and provision of security updates. Manufacturers must maintain these controls throughout the entire product lifecycle and conduct a cybersecurity risk assessment informing all design and production decisions.

Annex I Part

1 requires: an appropriate level of cybersecurity based on risk assessment, protection against unauthorized access, confidentiality and integrity of data through encryption, minimal attack surface (security by default), availability of essential functions even during cyberattacks and the ability to receive security updates. Part

2 mandates active vulnerability handling with documented processes, coordinated disclosure and software bills of materials (SBOM). All controls must be maintained for at least

5 years after placing the product on the market.

CRA implementation follows a phased timeline: From

11 September 2026, reporting obligations take effect. Manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA within

24 hours. From

11 December 2027, all CRA requirements apply in full. Only compliant products may then be placed on the EU market. Organizations should begin gap analysis and implementation of regulatory controls now to meet both deadlines and avoid enforcement actions.

Conformity assessment depends on product category: Standard products can undergo self-assessment (Module A). Important products Class I (e.g. password managers, network management systems) require harmonized standards or third-party assessment. Class II (e.g. firewalls, hypervisors) and critical products (e.g. hardware security modules, smart cards) must always be assessed by notified bodies (Modules B+C or H). After successful assessment, the EU declaration of conformity is issued and the CE marking is affixed to the product.

Non-compliance with the essential cybersecurity requirements in Annex I carries fines up to EUR

15 million or 2.5 percent of global annual turnover. Breaches of other CRA obligations can result in penalties up to EUR

10 million or

2 percent. Providing false or incomplete information to authorities is punishable by up to EUR

5 million or

1 percent. Market surveillance authorities can additionally order product recalls or prohibit market placement entirely.

The CRA regulates product security: manufacturers must build cybersecurity controls into products with digital elements. NIS 2 regulates operator security: organizations in critical sectors must secure their own IT infrastructure. DORA regulates financial sector security: banks, insurers and financial service providers must demonstrate digital operational resilience. In practice, these regulations complement each other. An IoT manufacturer must deliver CRA-compliant products while its customer as a NIS 2 operator must deploy them securely.

ADVISORI provides end-to-end CRA implementation support: We begin by analyzing your current control landscape and conducting a gap analysis against Annex I requirements. Based on findings, we design a tailored control framework covering security by design, vulnerability handling and documentation. Implementation follows a phased approach with continuous monitoring. We prepare you for conformity assessment, support SBOM creation and establish processes for the 24-hour ENISA reporting obligation effective September 2026.