The CRA (Cyber Resilience Act) Observatory
The Cyber Resilience Act, often shortened to CRA, is a new EU law that changes how digital products are built and sold in Europe.
For years, many devices and software products came to market with weak security and little long-term support. The CRA puts an end to that. It makes security a duty for the whole life of a product, not an afterthought.
If you make, import or sell anything with a digital part, even if that part is only a Bluetooth connection used to interact with the product briefly, or cloud storage that it uploads data to, this law will affect you. The good news is that you still have time to prepare, but the clock is running.
Quick facts
- Full name: Cyber Resilience Act, Regulation (EU) 2024/2847
- Entered into force: 10 December 2024
- Reporting duties start: 11 September 2026
- Full application: 11 December 2027
- Applies to nearly all hardware and software products with digital elements sold in the EU
- Fines: up to 15 million euro or 2.5% of global yearly turnover, whichever is higher
What the CRA is and why it matters to you
The CRA is the first EU law that sets one common set of cybersecurity rules for products with digital elements across all member states. It was published as Regulation (EU) 2024/2847 and entered into force on 10 December 2024.
Because it is a regulation and not a directive, it applies directly in every EU country and does not need national laws to take effect. (source: OpenSSF, the Open Source Security Foundation and the German BSI)
A product with digital elements means almost any hardware or software that can connect, directly or indirectly, to a device or a network. This covers things like smart home devices, IoT sensors, operating systems, firmware, mobile apps and connected industrial systems.
A few sectors are left out because they already have their own rules, such as medical devices, cars, in-vitro diagnostics, civil aviation and marine equipment. (source: CCB page on CRA)
The law follows a simple idea called security by design. Products must be designed with cybersecurity in mind from the start, for example by encrypting stored or sent data and by keeping the attack surface as small as possible. Manufacturers must also run a risk assessment and handle vulnerabilities through the full life of the product.
The CRA splits products into risk groups, and the group decides how strict the checks are. Default products make up about 90% of the market and the manufacturer can self-assess. Class I (Important) products need either a third-party audit or strict self-assessment with harmonised standards. Class II (Critical) products always need third-party certification by an accredited body. The Important and Critical categories are listed in Annexes III and IV of the regulation. (source: CRA Experts)

Two duties are central to the law: the SBOM (the Software Bill of Materials) and the SRP (Single Reporting Platform)
First: the SBOM
Manufacturers must create a machine-readable SBOM covering at least the top-level parts of every product, keep it up to date, and give it to market surveillance authorities on request. However, the SBOM does not need to be made public.
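To make the "machine-readable SBOM covering at least the top-level parts" requirement concrete, here is an added example (not code from the page or from any regulator): it builds a minimal SBOM in CycloneDX JSON shape (the CRA text summarised above does not mandate a format; CycloneDX is chosen here as one widely used machine-readable option) and then runs the checks a reviewer would apply before handing the file to a market surveillance authority. The product name, supplier and component list are constructed sample values.

```python
"""Build and sanity-check a minimal machine-readable SBOM (CycloneDX JSON shape).

Added example; product and component values below are constructed, not real.
"""
import json
from datetime import datetime, timezone

# Constructed sample product and its top-level dependencies (hypothetical names).
PRODUCT = {"name": "example-gateway-firmware", "version": "2.4.0", "supplier": "Example Vendor BV"}
TOP_LEVEL_DEPS = [
    {"name": "mbedtls", "version": "3.6.0", "purl": "pkg:generic/mbedtls@3.6.0"},
    {"name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    # An in-house component with no package URL: still listed, but flagged by the checker.
    {"name": "internal-ota-agent", "version": "0.9.2", "purl": None},
]


def build_sbom(product, deps, generated_at=None):
    """Return a CycloneDX 1.5-shaped dict: the product in metadata, top-level deps as components."""
    ts = (generated_at or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    components = []
    for d in deps:
        comp = {"type": "library", "name": d["name"], "version": d["version"]}
        if d.get("purl"):
            comp["purl"] = d["purl"]
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,  # revision of this SBOM document; bump when the list changes
        "metadata": {
            "timestamp": ts,
            "component": {
                "type": "firmware",
                "name": product["name"],
                "version": product["version"],
                "supplier": {"name": product["supplier"]},
            },
        },
        "components": components,
    }


def check_sbom(sbom):
    """Return a list of findings (empty list means the minimal checks pass).

    Checks: header present, product identified, at least one top-level component,
    every component has type/name/version, no duplicate name+version pairs, and
    a warning for components without a purl (harder to match against advisories).
    """
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        findings.append("missing bomFormat/specVersion header")
    meta = sbom.get("metadata", {}).get("component")
    if not meta or not meta.get("name") or not meta.get("version"):
        findings.append("metadata.component must name the product and its version")
    comps = sbom.get("components", [])
    if not comps:
        findings.append("no top-level components listed")
    seen = set()
    for i, c in enumerate(comps):
        for field in ("type", "name", "version"):
            if not c.get(field):
                findings.append(f"component[{i}] missing {field}")
        key = (c.get("name"), c.get("version"))
        if key in seen:
            findings.append(f"component[{i}] duplicates {key}")
        seen.add(key)
        if not c.get("purl"):
            findings.append(f"component[{i}] {c.get('name')!r} has no purl; matching will rely on name+version only")
    return findings


def sbom_to_json(sbom):
    """Serialise deterministically so two generations of the same SBOM diff cleanly."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    bom = build_sbom(PRODUCT, TOP_LEVEL_DEPS)
    print(sbom_to_json(bom))
    for finding in check_sbom(bom):
        print("finding:", finding)
```

Running the script prints the SBOM and one finding for the in-house component without a purl. In practice the dependency list would be read from the build system's lockfile rather than typed in, and the checker would run in CI so that a release cannot ship with an SBOM that is missing components or out of date.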
Second: the duty to keep products secure during a support period. Security updates must be provided and vulnerabilities handled throughout the whole product life, with a support period that is generally five years unless the product is expected to be used for a shorter time. (source: Mend's CRA Compliance Guide)
The most urgent part for many teams is reporting. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents that affect the security of their product. The timeline is strict: a 24-hour early warning, a 72-hour full notification, a 14-day final report after a fix is available for exploited vulnerabilities, and a one-month final report for severe incidents. Reports go through the CRA Single Reporting Platform (SRP) run by ENISA, which will be operational by 11 September 2026. Manufacturers report only once, and the notification reaches their national CSIRT and ENISA at the same time. In Belgium, the national CSIRT route is the CCB / CERT.be. (source: European Commission)
It is important to know that reporting applies even to older products. From 11 September 2026, the reporting duty covers any in-scope product already on the EU market, no matter when it was first released. Legacy products are not exempt from reporting. (source: ScanDog)
The penalties are serious, which is why the law gets so much attention. Breaches of the essential cybersecurity requirements can lead to fines of up to 15 million euro or 2.5% of global yearly turnover, whichever is higher. (source: Mend)

Key dates and the best resources to prepare
The CRA rolls out in stages, so it helps to keep the main dates in view:
- 10 December 2024: the CRA enters into force. (source: Open Source Security Foundation)
- 11 June 2026: the rules for notifying conformity assessment bodies start to apply, so notified bodies can be appointed. (source: Hogan Lovells)
- 11 September 2026: vulnerability and incident reporting becomes mandatory through the ENISA Single Reporting Platform. (source: European Commission)
- 11 December 2027: all remaining rules apply, including secure-by-design requirements, conformity assessment, technical documentation, CE marking, SBOM generation and security updates across the support period. (source: Mend)
The simplest plan is to start now. Make a list of every product you place on the EU market, decide its category (Default, Class I or Class II), check it against the essential requirements, set up SBOM generation, and put your reporting process in place before September 2026. Smaller firms get some help here. ENISA has launched an SME-focused maturity self-assessment tool, and national CSIRTs that act as coordinators are tasked to give helpdesk support on reporting, with priority for micro and small enterprises. (source: Cycode)
Best resource links on the CRA:
- European Commission, official CRA page: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- European Commission, CRA reporting and FAQ: https://digital-strategy.ec.europa.eu/en/policies/cra-reporting
- ENISA, Single Reporting Platform (SRP): https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp
- Full legal text, Regulation (EU) 2024/2847 on EUR-Lex: https://eur-lex.europa.eu/eli/reg/2024/2847/oj
- Open Regulatory Compliance Working Group (open source focus): https://orcwg.org/cra/
- OpenSSF public policy, CRA hub: https://openssf.org/public-policy/eu-cyber-resilience-act/
- CCB / CERT.be (Belgian national CSIRT): https://cert.be
Contributors
Authors: Patrick Van Renterghem, AI, CyberSecurity, Web3, Immersive Tech, Quantum, ... Community Builder & LLL Coordinator
Last updated on: 6/30/2026