Cyber Resilience Act: What you need to know before December 2027
Mandatory SBOM, vulnerability reporting within 24 hours, fines up to €15 million or 2.5% of worldwide annual turnover
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) imposes cybersecurity requirements on every product with digital elements, hardware or software, placed on the EU market.
Cyber Resilience Act Timeline
March 12, 2024
Parliament Adoption
Vote and adoption by the European Parliament
November 20, 2024
Official Publication
Publication in the Official Journal of the EU as Regulation (EU) 2024/2847
December 10, 2024
Entry into Force
The regulation officially enters into force
September 11, 2026
Reporting Obligations
Manufacturers must report actively exploited vulnerabilities and severe incidents (early warning within 24 hours of becoming aware)
December 11, 2027
Mandatory Enforcement
All CRA obligations apply to products placed on the EU market from this date
Your concrete obligations under the CRA
What you must implement
Provide an SBOM
Inventory of software components in the product
- Commonly used, machine-readable format (SPDX or CycloneDX)
- At minimum the top-level (first-level) dependencies of the product (Annex I, Part II)
- Not necessarily public, but part of the technical documentation and available on request, in particular to market surveillance authorities
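As an added illustration (not part of the original page and not official CRA or CycloneDX tooling), the following Python script builds a minimal CycloneDX 1.5 SBOM from a pinned requirements file and then checks the two minimum points above: that the document is machine-readable CycloneDX and that it lists the product's top-level dependencies with exact versions. The product name, the package names and the requirements content are constructed sample data; real releases should use the cyclonedx-python or SPDX tooling and feed it the actual resolved dependency set.

```python
"""Build a minimal CycloneDX 1.5 SBOM for a Python product from a pinned
requirements file and check it records the CRA minimum: a machine-readable
document listing the product's top-level dependencies."""
import json
import re

# Constructed sample input: the kind of pinned requirements.txt a release
# build ships. Package names and versions are illustrative only.
SAMPLE_REQUIREMENTS = """\
# runtime dependencies of the product
requests==2.32.3
cryptography==43.0.1
pyjwt[crypto]==2.9.0 ; python_version >= "3.8"
urllib3>=2.0     # unpinned on purpose: the checker should flag this
"""

# name, optional extras, optional operator, version (stops at marker/comment)
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^;\s#]*)"
)


def parse_requirements(text):
    """Return (normalised_name, operator, version) per requirement line.
    Blank lines, comments and environment markers are ignored."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse requirement: {raw!r}")
        name, _extras, op, version = m.groups()
        deps.append((name.lower().replace("_", "-"), op, version))
    return deps


def build_cyclonedx(product_name, product_version, requirements_text):
    """Emit a CycloneDX 1.5 document: product in metadata.component,
    each requirement as a library component with a purl, and a single
    dependencies entry that names the product's top-level dependencies."""
    product_ref = f"pkg:generic/{product_name}@{product_version}"
    components, depends_on = [], []
    for name, op, version in parse_requirements(requirements_text):
        pinned = version if op == "==" else None  # only exact pins are a version
        ref = f"pkg:pypi/{name}@{pinned}" if pinned else f"pkg:pypi/{name}"
        comp = {"type": "library", "bom-ref": ref, "name": name, "purl": ref}
        if pinned:
            comp["version"] = pinned
        components.append(comp)
        depends_on.append(ref)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {
            "type": "application", "bom-ref": product_ref,
            "name": product_name, "version": product_version, "purl": product_ref,
        }},
        "components": components,
        "dependencies": [{"ref": product_ref, "dependsOn": depends_on}],
    }


def check_sbom(bom):
    """Return a list of findings; empty means the minimum is met."""
    findings = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        findings.append("not a CycloneDX document")
    product_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    if not product_ref:
        findings.append("metadata.component has no bom-ref")
    declared = {c.get("bom-ref") for c in bom.get("components", [])}
    for c in bom.get("components", []):
        if not c.get("version"):
            findings.append(f"{c['name']}: no exact version recorded")
        if not c.get("purl"):
            findings.append(f"{c['name']}: no purl")
    top = next((d for d in bom.get("dependencies", []) if d.get("ref") == product_ref), None)
    if top is None or not top.get("dependsOn"):
        findings.append("no top-level dependency list for the product")
    else:
        for ref in top["dependsOn"]:
            if ref not in declared:
                findings.append(f"dependency {ref} is not declared as a component")
    return findings


if __name__ == "__main__":
    bom = build_cyclonedx("example-product", "1.4.0", SAMPLE_REQUIREMENTS)
    print(json.dumps(bom, indent=2))
    for finding in check_sbom(bom):
        print("FINDING:", finding)
```

The checker is deliberately strict about exact versions: a range such as `urllib3>=2.0` is useless to a market surveillance authority or an incident responder trying to match the shipped build against a CVE, so it is reported even though the purl is still valid without a version.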
Manage vulnerabilities
Process for detecting, handling and remediating security flaws throughout the support period
- Early warning to the coordinating CSIRT and ENISA (via the single reporting platform) within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident, followed by a notification within 72 hours and a final report within 14 days (vulnerabilities) or one month (incidents)
- A coordinated vulnerability disclosure policy and a contact point for reporting vulnerabilities in the product
- Free security updates, distributed securely and without delay, for the whole support period (at least five years unless the product is expected to be in use for less)
- Documentation of corrective measures and handled incidents
Technical documentation
Maintain complete documentation
- Product description and design, including the SBOM
- Cybersecurity risk assessment (Article 13(2)) and test reports
- Retention for at least 10 years after the product is placed on the market, or for the support period, whichever is longer
Declaration of conformity
CE marking and traceability
- Mandatory EU declaration of conformity
- Conformity assessment route depends on the product class: self-assessment for the default class, harmonised standards or third-party assessment for "important" products (Annex III), and a European cybersecurity certification scheme where one applies to "critical" products (Annex IV)
- CE marking on the product, its packaging, or the accompanying documentation
- Due diligence on integrated third-party components, including open source (suppliers, components, versions)
Who is affected by the CRA?
The regulation applies broadly
Covered products
- Products with digital elements made available on the EU market, hardware or software, together with the remote data processing they depend on (stand-alone SaaS not tied to such a product is out of scope)
- Web and mobile applications
- Embedded software and IoT
- Operating systems and middleware
- Software components sold separately
- Updates or extensions that substantially modify a product already on the market (treated as a new product; security updates alone are not)
Exemptions
- Free and open source software developed or supplied outside a commercial activity (open source software stewards fall under a lighter regime)
- Prototypes and beta versions used only internally and not placed on the market
- Software developed for internal use only, without distribution to external customers
- Products already covered by sector-specific rules: medical devices, civil aviation, motor vehicles, marine equipment, and products developed exclusively for national security or defence
Risks of non-compliance
Sanctions that can jeopardize your business
Financial sanctions
Up to €15M or 2.5% of worldwide annual turnover, whichever is higher
for breaches of the essential requirements (Annex I) or of the manufacturer obligations; up to €10M or 2% for other obligations, and up to €5M or 1% for supplying incorrect or misleading information to authorities
Market ban
- Immediate withdrawal from the European market in case of serious non-compliance
- Loss of CE marking until compliance is restored
- Sales ban in the EU for affected products
Reputational risks
- Publication of sanctions by national authorities or the Commission
- Loss of trust from customers and partners
- Negative impact on valuation and fundraising ability
Operational risks
- Massive recall of non-compliant products already on the market
- Business interruption due to sales blocks or urgent remediation
- Urgent compliance costs (audit, fixes, accelerated certification)
