EU Cyber Resilience Act
The plain-language CRA guide
What the EU Cyber Resilience Act requires, in plain language — and how to produce the evidence and documents to comply. Start with whichever question is on your mind.
Is my product in scope for the EU Cyber Resilience Act?
If you place a “product with digital elements” (hardware or software whose intended use includes a data connection) on the EU market, the Cyber Resilience Act almost certainly applies to you.
CRA self-assessment: can you do it yourself?
For default-category products, the Cyber Resilience Act allows conformity assessment by internal control (Module A, Annex VIII) — you assess your own product against the essential requirements and declare conformity, without a notified body.
CRA deadlines: 11 September 2026 and 11 December 2027
The Cyber Resilience Act is in force with two key dates: the reporting obligations apply from 11 September 2026, and the full set of obligations — including SBOM, technical documentation, conformity assessment and CE marking — applies by 11 December 2027.
What is the EU Declaration of Conformity (CRA)?
The EU Declaration of Conformity (CRA Annex V) is the signed statement, issued under the manufacturer’s sole responsibility, that a product meets the Cyber Resilience Act’s essential requirements. It is a precondition for affixing the CE marking.
Does the CRA require an SBOM?
Yes. The Cyber Resilience Act’s vulnerability-handling requirements (Annex I, Part II) expect manufacturers to maintain a software bill of materials — a machine-readable inventory of the product’s components — covering at least the top-level dependencies.
What goes in CRA technical documentation (Annex VII)?
CRA Annex VII technical documentation is the dossier that demonstrates how a product meets the essential requirements. It must be drawn up before placing the product on the market and kept up to date.
How does CE marking work under the CRA?
Under the Cyber Resilience Act, the CE marking signals that a product with digital elements meets the EU’s cybersecurity essential requirements. You may affix it only after completing conformity assessment and signing the EU Declaration of Conformity.
What is the CRA default category?
The default category is the Cyber Resilience Act’s baseline tier — the roughly 90% of products that are neither “important” (Annex III) nor “critical” (Annex IV). Default-category products can demonstrate conformity by self-assessment.