What Is the Cyber Resilience Act, and Why Does It Matter?
The CRA is directly applicable EU law that sets baseline cybersecurity obligations for products with digital elements placed on the EU market. It rebalances responsibility from users to producers and supply-chain actors.
Confidence: Settled law for dates/scope boundaries · Last reviewed: 2026-04-29
TL;DR
If you make, import, distribute, or procure digital products for the EU market, the CRA is now part of your operating context. Article 14 reporting obligations start before full enforcement, so readiness work cannot wait until late 2027.
What the law regulates
The CRA applies to products with digital elements (PDEs): software, hardware, and connected products placed on the EU market in commercial activity. Sector-specific exclusions exist where separate frameworks already govern cybersecurity obligations.
Key dates teams should plan against
- 11 June 2026: Conformity assessment body framework operational.
- 11 September 2026: Vulnerability reporting obligations begin (including for products already on the market).
- 11 December 2027: Full CRA application and CE conformity requirements.
Operational implication
A legal deadline only becomes feasible if engineering telemetry, component visibility, and escalation workflows are already in place. Teams without product inventory and SBOM-backed vulnerability visibility will struggle to meet reporting windows.
Who should act first
Manufacturers should lead the initial classification and reporting-readiness effort, while importers, distributors, and procurement teams should verify conformity evidence and support-window commitments before market placement decisions.
Next actions
1) Run product scope classification.
2) Stand up Article 14 reporting workflow and internal trigger criteria.
3) Build evidence trail for conformity planning.
Primary sources: Regulation (EU) 2024/2847, European Commission CRA page. This guide is informational and not legal advice.