EU Regulation 2024/2847 — Now in Force

Your Complete Cyber Resilience Act Resource

The EU CRA affects every business selling software or hardware in Europe. From mobile apps to IoT devices — understand your obligations, key deadlines, and how to stay compliant.

CRA Key Deadlines

  • DEC 2024 ✓: CRA Enters into Force. Regulation officially active.
  • SEP 2026: Vulnerability Reporting. 24h ENISA reporting begins.
  • DEC 2027: Full CRA Compliance. All products must conform.
  • DEC 2027: Self-Assessment (Default). 90% of all digital products.

What is the Cyber Resilience Act?

The EU CRA (Regulation 2024/2847) is a landmark law setting mandatory cybersecurity requirements for all products with digital elements sold in the EU — from mobile apps to industrial IoT devices.

Scope: Products with Digital Elements

Any hardware or software product connected directly or indirectly to a network, sold in the EU. This includes mobile apps, IoT devices, operating systems, firmware, and open-source software with commercial use.

Mobile Apps · IoT Devices · SaaS · OSS (commercial) · Firmware

Three Product Categories

Default (90% of products) — self-assessment by manufacturer. Class I Important — third-party audit or strict self-assessment. Class II Critical — mandatory third-party certification by accredited body.

Default → Self-assess · Class I → Audit · Class II → Certified

Essential Requirements (21 Total)

Products must be designed with security by default, include no known exploitable vulnerabilities, receive security updates throughout their lifecycle, and carry a Declaration of Conformity plus CE marking.

Secure by design · CE marking · SBOM required · 5yr support min

Reporting Obligations (from Sept 2026)

Actively exploited vulnerabilities must be reported to ENISA within 24 hours, followed by a full notification within 72 hours and a final report within 14 days. All reports go through the ENISA Single Reporting Platform (SRP).

24h early warning · 72h notification · 14d final report · via ENISA SRP

Who Does the CRA Affect?

If you sell, distribute, or import any digital product into the EU market — the CRA applies to you. Here are the key segments and their obligations.

01 Mobile App Developers

Android and iOS app developers fall under the default category. Self-assessment is required, along with a Declaration of Conformity, SBOM, and vulnerability management process before Dec 2027.

★ Most common case

02 SMEs & Startups

Companies with under 50 employees get some relief on the 24h early warning timing, but must still report. ENISA is specifically mandated to provide dedicated helpdesk support for microenterprises.

Limited exemptions

03 Open Source Maintainers

Pure hobbyist OSS is exempt. OSS with commercial support or funding falls under the "open source steward" role. OSS bundled into a commercial product — full manufacturer rules apply.

Complex rules apply

04 Non-EU Businesses

Any company outside the EU selling digital products to EU customers must comply. You must appoint an EU-based authorised representative and submit via the CSIRT of their country.

Full compliance required

05 IoT & Hardware Makers

Smart home devices, industrial systems, and connected hardware are in scope. Many fall into Class I or Class II, requiring third-party conformity assessment — not just self-declaration.

Higher risk category

06 Importers & Distributors

If a manufacturer outside the EU doesn't comply, the importer or distributor becomes legally responsible. Supply chain due diligence is now a legal obligation, not a best practice.

New liability exposure

CRA Compliance Timeline

The CRA is being phased in over a 36-month window. Here are the dates that matter for any business shipping a digital product into the EU.

  1. 10 Dec 2024 · Done

    CRA Enters Into Force

    EU Regulation 2024/2847 officially published in the Official Journal. The 36-month main transition window starts.

  2. 11 Sep 2026 · In ~5 months

    Vulnerability Reporting Begins

    From this date, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA. The 24h / 72h / 14d timeline applies.

  3. 11 Dec 2027 · ~20 months

    Full CRA Compliance Deadline

    All products with digital elements placed on the EU market must conform with the CRA, carry CE marking, and have a Declaration of Conformity.

  4. 2027 onwards · Enforcement era

    Market Surveillance

    National authorities begin enforcement. Non-conforming products can be banned from the EU market. Fines up to €15M or 2.5% of global turnover.

Is Your Product CRA Ready?

Get a free personalised CRA compliance briefing for your specific product type — delivered to your inbox. No spam, no sales calls.

  • Understand your exact product category (default, Class I, or Class II)
  • Get a checklist of your specific obligations and deadlines
  • Receive guidance on SBOM, vulnerability management, and reporting
  • Early access to our CRA Compliance Manager tool (launching 2026)
  • Weekly CRA news digest — ENISA updates, regulatory guidance


Everything you need to ship CRA-compliant software.

We build the tools we wished existed when we first read Regulation 2024/2847. They're optional — every guide on this site is free and complete.

Launching 2026

CRA Compliance Manager

A self-service workspace to classify your product, generate your SBOM, draft your Declaration of Conformity, and track your essential-requirement gap analysis.

  • Auto-classification (Default / Class I / Class II)
  • CycloneDX & SPDX SBOM generation
  • Declaration of Conformity templates
  • Audit-ready evidence vault

Beta · 2026

CRA Incident Reporter

Pre-formatted forms for the ENISA Single Reporting Platform with built-in timers for the 24h / 72h / 14d deadlines, plus templated language for early warnings and final reports.

  • ENISA SRP-aligned schemas
  • 24h / 72h / 14d deadline timers
  • Multi-CSIRT routing
  • Audit log + immutable archive