
CRA Frequently Asked Questions

Curated from the regulation text, ENISA guidance, and recurring questions from the developers and compliance teams we work with. Search Ctrl+F — every answer is on this page.

General CRA questions

What is the EU Cyber Resilience Act?
The CRA (Regulation (EU) 2024/2847) is the EU's horizontal cybersecurity law for any product with digital elements placed on the EU market. It sets mandatory cybersecurity requirements, conformity assessment, CE marking, and reporting obligations.
When did the CRA enter into force?
The regulation entered into force on 10 December 2024, twenty days after publication in the Official Journal. The main obligations apply from 11 December 2027.
When do the reporting obligations start?
The vulnerability and incident reporting obligations apply from 11 September 2026. From that date, manufacturers must report actively exploited vulnerabilities and severe incidents to the relevant CSIRT and ENISA.
When does full compliance kick in?
All products with digital elements placed on the EU market on or after 11 December 2027 must meet every CRA requirement, carry CE marking, and have a Declaration of Conformity.
Does the CRA replace existing cybersecurity laws?
No. It complements NIS2 (which targets essential and important entities operating in the EU) and sector-specific rules. Where another EU law sets equivalent or stricter cybersecurity rules — such as the Medical Device Regulation — that law takes precedence.
Who enforces the CRA?
National market-surveillance authorities in each Member State enforce the CRA, supported by the European Commission and ENISA. Non-conforming products can be ordered off the market.
What are the maximum fines?
Up to €15 million or 2.5% of global annual turnover for breaches of the essential requirements, €10M / 2% for manufacturer-obligation breaches, and €5M / 1% for false or misleading information.
Does the CRA apply to free apps and free software?
Yes — being free does not exempt you. What matters is whether the product is placed on the EU market in the course of a commercial activity. A free Android app from a company is in scope; a hobbyist GitHub repo is not.

Mobile app developer questions

Are mobile apps in scope of the CRA?
Yes. Apps published in EU app stores or distributed to EU users are products with digital elements placed on the EU market.
Which category do most mobile apps fall into?
Most apps fall in the default category and self-assess. Apps that perform identity, authentication, or password management may be classified as Class I — Important.
How do I "CE mark" a mobile app?
Reference the CE marking and the Declaration of Conformity in the app-store listing, in your privacy/security documentation, or in an in-app about screen. There is no physical sticker.
Do I need an SBOM for my mobile app?
Yes. Generate it automatically in CI for both the application code and bundled SDKs. CycloneDX is the most common format for mobile.
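An added example (not from this page or from any CRA tooling) of what "generate it automatically in CI" amounts to: a small Python script that assembles a minimal CycloneDX 1.5 document for an app and its bundled SDKs, then flags components that lack a version or Package URL, since those cannot be matched against vulnerability advisories. The app and SDK names, versions and ecosystem are constructed for illustration.

```python
from __future__ import annotations
import json
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    version: str
    group: str = ""
    ecosystem: str = "maven"  # purl type: "maven" for Android libraries, "cocoapods" for iOS pods

    def purl(self) -> str:
        # Package URL as used in CycloneDX: pkg:<type>/<namespace>/<name>@<version>
        if not self.version:
            return ""  # a purl without a version is useless for advisory matching
        ns = f"{self.group}/" if self.group else ""
        return f"pkg:{self.ecosystem}/{ns}{self.name}@{self.version}"


def build_sbom(app_name: str, app_version: str, sdks: list[Component]) -> dict:
    """Assemble a minimal CycloneDX 1.5 JSON document for the app and its bundled SDKs."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "group": c.group, "name": c.name, "version": c.version, "purl": c.purl()}
            for c in sdks
        ],
    }


def find_gaps(sbom: dict) -> list[str]:
    """List components an auditor would flag: no version or no purl means no advisory matching."""
    gaps = []
    for comp in sbom.get("components", []):
        if not comp.get("version"):
            gaps.append(f"{comp['name']}: no version")
        if not comp.get("purl"):
            gaps.append(f"{comp['name']}: no purl")
    return gaps


# Constructed sample: a hypothetical Android app bundling two hypothetical SDKs.
SAMPLE_SDKS = [
    Component(name="analytics-sdk", version="4.2.1", group="com.example"),
    Component(name="auth-sdk", version="", group="com.example"),  # version unknown -> gap
]

if __name__ == "__main__":
    sbom = build_sbom("example-app", "1.0.0", SAMPLE_SDKS)
    print(json.dumps(sbom, indent=2))
    print(find_gaps(sbom))  # a CI job would fail the build if this list is non-empty
```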
Does the CRA apply to apps distributed only outside the EU?
No. The CRA applies to products placed on the EU market. If your store listings explicitly exclude EU countries, the CRA does not apply.
What if my app uses third-party SDKs that aren't CRA-compliant?
You remain responsible for the security of the bundled product. Your due diligence on suppliers should cover CRA-relevant security properties, and you must be able to ship a security update if a bundled SDK contains an exploited vulnerability.

Open source questions

Is open-source software exempt from the CRA?
Pure non-commercial OSS is exempt. The exemption falls away when the project has commercial intent — paid support, sponsored roadmap, or commercial dual licensing.
What is an "open source steward"?
A new role created by the CRA. A steward is a legal person, other than a manufacturer, that systematically supports the development of open-source software intended for commercial activities. Stewards have lighter obligations than manufacturers — primarily around vulnerability disclosure.
Do hobbyist contributors have any CRA duties?
No. Individual contributors to non-commercial OSS are explicitly out of scope.
What if my OSS project is bundled into a paid product?
Once a manufacturer bundles your OSS into a commercial product, that manufacturer is responsible for CRA compliance of the bundled software.
Do I need an SBOM for my OSS project?
Stewards are encouraged to publish an SBOM for the components they ship. It is not mandatory in the same way as for manufacturers, but it is best practice.
Where can I read the OSS-specific CRA text?
Recital 18 to Recital 21 and Article 24 of Regulation 2024/2847 cover open source and the steward role.

SME and startup questions

Are there CRA exemptions for small businesses?
There are no blanket exemptions, but the CRA gives SMEs and microenterprises some procedural relief — extended early-warning timelines where reasonable, and a dedicated ENISA helpdesk.
Does my pre-revenue startup have to comply?
If you place a product on the EU market with commercial intent — including free products marketed by a company — you are in scope.
What is the cheapest way to get to compliance?
For default-category products: a documented gap analysis, an automated SBOM, a published vulnerability disclosure policy, an update mechanism, a Declaration of Conformity, and CE marking. No external audits required.
Are there grants for CRA compliance?
ENISA and several Member States provide guidance and helpdesk support but no direct subsidies. Some national digital-innovation hubs offer subsidised consultancy.
Can I outsource compliance?
You can hire consultants to help, but the legal responsibility stays with the manufacturer. The DoC must be signed by the manufacturer, not a consultant.

ENISA SRP and reporting questions

What is the ENISA Single Reporting Platform?
A central EU platform operated by ENISA that receives manufacturer notifications under the CRA and routes them to the correct national CSIRT.
What triggers the 24-hour clock?
Becoming aware of an actively exploited vulnerability or a severe incident impacting the security of the product. The clock starts when a sufficiently informed person inside the company becomes aware.
Does every vulnerability need to be reported?
No. Only actively exploited vulnerabilities and severe incidents trigger the reporting timeline. Routine internally-found vulnerabilities are tracked in your CVD process.
What information goes in the 24-hour early warning?
A short notification: that you are aware of an actively exploited vulnerability or incident, the product affected, and any preliminary information about the suspected nature.
What goes in the 72-hour notification?
A more detailed update: nature and impact, mitigations applied, mitigations recommended to users, and any cross-border or cross-sector impact.
What goes in the 14-day final report?
Final analysis: root cause, impact, full corrective measures, and lessons learned. The structure follows the SRP's template.
Can I be fined for failing to report?
Yes. Failure to report is a manufacturer-obligation breach, capped at €10M / 2% of global turnover.
How do non-EU manufacturers submit reports?
Through the CSIRT designated by the Member State of the authorised representative. The SRP routes the report automatically.

Timeline and deadline questions

Why are the dates 11 September 2026 and 11 December 2027?
They derive from the entry-into-force date (10 December 2024) plus 21 months for reporting and 36 months for full compliance.
Can the deadlines slip?
In principle, no — they are set in the regulation. The Commission can publish delegated acts on technical details, but the deadlines themselves are fixed.
What if my product is already on the market on 11 December 2027?
Products placed on the market before 11 December 2027 can continue to be sold under the prior regime until they undergo a substantial modification. After a substantial modification, they must comply.
What counts as a "substantial modification"?
A change that affects compliance with the essential requirements or modifies the intended use. A bug-fix update is not a substantial modification; a new authentication system likely is.
Will harmonised standards be ready by Dec 2027?
CEN-CENELEC are working on harmonised standards under the CRA. Expect a phased availability, with the first tranche before the full-compliance deadline. Standards will become the easiest path to claim conformity.
What should I do today (April 2026)?
Inventory in-scope products, classify each, generate an SBOM, publish a vulnerability disclosure policy, register with the SRP, and start gap-analysing against the 21 essential requirements. The reporting clock starts in five months.
Where can I find the official text?
EUR-Lex publishes the consolidated text at eur-lex.europa.eu under Regulation (EU) 2024/2847.
