CRA (Cyber Resilience Act)

Definition

The CRA is EU legislation that requires products with digital elements to meet cybersecurity requirements throughout their entire lifecycle. It is the first EU legislation to make "secure by design" enforceable.

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a European regulation establishing mandatory cybersecurity requirements for products with digital elements placed on the EU market. It was adopted in 2024 and entered into force in December 2024; its obligations apply in phases, with the vulnerability and incident reporting duties applying from September 2026 and the full set of requirements from December 2027. It affects hundreds of thousands of hardware and software products.

How does the CRA work?

The CRA makes security by design a legal obligation for manufacturers. Before a product can be placed on the European market it must meet the essential requirements of Annex I: no known exploitable vulnerabilities at release, a secure default configuration, protection of the confidentiality and integrity of stored and transmitted data, functionality and attack surface limited to what is needed, and a mechanism for installing security updates. Manufacturers must handle vulnerabilities and provide security updates for a support period that reflects the expected time the product will be in use, and that period must be at least five years unless the product is expected to be in use for a shorter time.

Product categories

The CRA distinguishes four categories. Default products, the large majority, may be assessed by the manufacturer itself. Important products are split into two classes: Class I (for example password managers, VPN software, operating systems and browsers) may be self-assessed only when the manufacturer fully applies harmonised standards, otherwise a third-party assessment is required; Class II (for example firewalls, intrusion detection and prevention systems, and hypervisors) always requires assessment by a notified body. Critical products (for example smartcards and secure elements, and hardware devices with security boxes such as hardware security modules) may additionally be required to obtain a European cybersecurity certificate, and otherwise follow the Class II third-party procedure.

Impact on organisations

The CRA affects manufacturers, importers and distributors of products with digital elements. Manufacturers must implement a vulnerability handling process, maintain a Software Bill of Materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies, and report actively exploited vulnerabilities and severe incidents through the single reporting platform to ENISA and the designated CSIRT: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for vulnerabilities (one month for incidents). Open-source software that is not monetised is largely exempt, but open-source stewards carry a light set of obligations. Fines can reach 15 million euros or 2.5% of worldwide annual turnover, whichever is higher.

Protection and compliance

Manufacturers must implement security by design and secure development practices. In practice this means threat modeling, secure coding, code reviews, dependency scanning and automated security testing in the CI/CD pipeline, so that the SBOM and the evidence for the conformity assessment come out of the normal build rather than a one-off exercise. A coordinated vulnerability disclosure policy, with a contact address for reporting vulnerabilities, is mandatory. Regular pentests validate product security. A DevSecOps approach integrates these controls into every phase of the development cycle.

How DEFION helps

DEFION supports manufacturers with CRA compliance through Code Security Reviews, Web Application Pentests and Secure Development Training. The CRA Readiness Assessment evaluates current security practices against CRA requirements and delivers a concrete improvement plan.

Related terms

NIS2, ISO 27001, Vulnerability Scan, CVE