EU Cyber Resilience Act (CRA)

Work in progress

Regulation (EU) 2024/2847 — cybersecurity requirements for products with digital elements

Reference page — not a data-backed framework yet

This page summarises the regulation for orientation. Unlike OWASP Top 10 or NIST 800-53, there is no authoritative technical crosswalk yet between CRA essential requirements and ATT&CK / CWE / NIST 800-53. CEN/CENELEC JTC 13 is drafting the harmonised standards. Mappings will be added once they become public or once we commit editorial mappings with sources.

Key dates

Entry into force
10 December 2024
Vulnerability-handling obligations apply
11 September 2026
Conformity-assessment bodies notification
11 June 2026
Full application (CE marking required)
11 December 2027

Article 14 reporting cadence

Manufacturers must notify the CSIRT of their main establishment and ENISA via the Single Reporting Platform (SRP) when they become aware of an actively exploited vulnerability or a severe incident impacting the security of the product.

Stage	Vulnerability	Severe incident	Trigger
Early warning	24 hours	24 hours	From becoming aware of an actively exploited vulnerability / severe incident
Notification	72 hours	72 hours	Vulnerability assessment + corrective measures / incident assessment
Final report	14 days post-mitigation	1 month post-notification	Root cause + mitigation / full incident details

Annex I — Part I: essential cybersecurity requirements

Products with digital elements (PDE) must be designed, developed, and produced to meet these essential requirements, based on a risk assessment.

1
Appropriate level of cybersecurity
Delivered with a level of cybersecurity appropriate to the risks.
2
No known exploitable vulnerabilities
Placed on the market without known exploitable vulnerabilities.
3
Secure by default configuration
Default configuration must be secure; reset to initial state must be possible.
4
Security updates
Vulnerabilities addressed through security updates, including automatic updates where appropriate, with an opt-out.
5
Access protection
Protection from unauthorised access via authentication, identity, or access management.
6
Confidentiality protection
Protect the confidentiality of stored, transmitted, or processed data (personal or other) — e.g. by encryption at rest and in transit.
7
Integrity protection
Protect the integrity of data, commands, programs, and configuration against unauthorised manipulation; report corruption.
8
Data minimisation
Only process data adequate, relevant, and limited to what is necessary ("minimisation of data").
9
Availability of essential functions
Protect availability of essential and basic functions, including resilience against and mitigation of DoS.
10
Minimise impact on others
Minimise negative impact on the availability of services provided by other devices or networks.
11
Limit attack surface
Designed, developed, and produced to limit attack surfaces, including external interfaces.
12
Reduce incident impact
Reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.
13
Security-relevant logging
Provide security-related information by recording and monitoring relevant internal activity, including access to or modification of data, services, or functions — with an opt-out.
14
Secure update mechanism
Ensure vulnerabilities can be addressed through security updates, including, where applicable, automatic updates and notification to users.
15
Secure decommissioning
Provide the possibility for users to securely and easily remove all data and settings on a permanent basis.

Annex I — Part II: vulnerability-handling requirements

Lifecycle obligations on manufacturers throughout the product’s support period (minimum 5 years unless the expected use is shorter).

VH-1
SBOM
Identify and document vulnerabilities and components by drawing up a software bill of materials in a commonly used machine-readable format covering the top-level dependencies.
VH-2
Vulnerability disclosure policy
Put in place a coordinated vulnerability disclosure policy.
VH-3
Timely remediation
Address and remediate vulnerabilities without delay, including by providing security updates.
VH-4
Regular testing
Apply effective and regular security tests and reviews of the product.
VH-5
Public disclosure of fixed vulnerabilities
Once a security update is made available, publicly disclose information on fixed vulnerabilities (CVEs, severity, impact, remediation).
VH-6
Facilitate information sharing
Share and publicly disclose information about potential vulnerabilities, including contact information for reports.
VH-7
Secure update distribution
Provide mechanisms to securely distribute updates to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable, for automatic updates.
VH-8
Free & timely security updates
Ensure that security updates are disseminated without delay and, unless otherwise agreed for tailor-made products, free of charge, along with advisories.

Product categories (Annex III & IV)

The conformity-assessment route depends on the product category. Higher classes require third-party assessment; critical products may require EU cybersecurity certification.

Default (non-important)
Games · Word processors · Photo-editing software · Consumer IoT unrelated to safety/security functions
Important — Class I
Password managers · Antivirus / endpoint protection · VPN clients · Network management tools · Remote-access software · Microcontrollers with security functions · Smart home assistants · Physical network interfaces
Important — Class II
Hypervisors & container runtimes · Firewalls · IDS / IPS · Tamper-resistant microprocessors / microcontrollers
Critical
Smart meter gateways · Secure elements & crypto hardware · Smartcards

References

Article 14 reporting cadence

Stage	Vulnerability	Severe incident	Trigger
Early warning	24 hours	24 hours	From becoming aware of an actively exploited vulnerability / severe incident
Notification	72 hours	72 hours	Vulnerability assessment + corrective measures / incident assessment
Final report	14 days post-mitigation	1 month post-notification	Root cause + mitigation / full incident details

Annex I — Part I: essential cybersecurity requirements

Products with digital elements (PDE) must be designed, developed, and produced to meet these essential requirements, based on a risk assessment.

Appropriate level of cybersecurity

Delivered with a level of cybersecurity appropriate to the risks.

No known exploitable vulnerabilities

Placed on the market without known exploitable vulnerabilities.

Secure by default configuration

Default configuration must be secure; reset to initial state must be possible.

Security updates

Vulnerabilities addressed through security updates, including automatic updates where appropriate, with an opt-out.

Access protection

Protection from unauthorised access via authentication, identity, or access management.

Confidentiality protection

Protect the confidentiality of stored, transmitted, or processed data (personal or other) — e.g. by encryption at rest and in transit.

Integrity protection

Protect the integrity of data, commands, programs, and configuration against unauthorised manipulation; report corruption.

Data minimisation

Only process data adequate, relevant, and limited to what is necessary ("minimisation of data").

Availability of essential functions

Protect availability of essential and basic functions, including resilience against and mitigation of DoS.

Minimise impact on others

Minimise negative impact on the availability of services provided by other devices or networks.

Limit attack surface

Designed, developed, and produced to limit attack surfaces, including external interfaces.

Reduce incident impact

Reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques.

Security-relevant logging

Provide security-related information by recording and monitoring relevant internal activity, including access to or modification of data, services, or functions — with an opt-out.

Secure update mechanism

Ensure vulnerabilities can be addressed through security updates, including, where applicable, automatic updates and notification to users.

Secure decommissioning

Provide the possibility for users to securely and easily remove all data and settings on a permanent basis.

Annex I — Part II: vulnerability-handling requirements

Lifecycle obligations on manufacturers throughout the product’s support period (minimum 5 years unless the expected use is shorter).

VH-1

SBOM

Identify and document vulnerabilities and components by drawing up a software bill of materials in a commonly used machine-readable format covering the top-level dependencies.

VH-2

Vulnerability disclosure policy

Put in place a coordinated vulnerability disclosure policy.

VH-3

Timely remediation

Address and remediate vulnerabilities without delay, including by providing security updates.

VH-4

Regular testing

Apply effective and regular security tests and reviews of the product.

VH-5

Public disclosure of fixed vulnerabilities

Once a security update is made available, publicly disclose information on fixed vulnerabilities (CVEs, severity, impact, remediation).

VH-6

Facilitate information sharing

Share and publicly disclose information about potential vulnerabilities, including contact information for reports.

VH-7

Secure update distribution

Provide mechanisms to securely distribute updates to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable, for automatic updates.

VH-8

Free & timely security updates

Ensure that security updates are disseminated without delay and, unless otherwise agreed for tailor-made products, free of charge, along with advisories.

Product categories (Annex III & IV)

The conformity-assessment route depends on the product category. Higher classes require third-party assessment; critical products may require EU cybersecurity certification.

Default (non-important)

Games · Word processors · Photo-editing software · Consumer IoT unrelated to safety/security functions

Important — Class I

Password managers · Antivirus / endpoint protection · VPN clients · Network management tools · Remote-access software · Microcontrollers with security functions · Smart home assistants · Physical network interfaces

Important — Class II

Hypervisors & container runtimes · Firewalls · IDS / IPS · Tamper-resistant microprocessors / microcontrollers

Critical

Smart meter gateways · Secure elements & crypto hardware · Smartcards