
EU Cyber Resilience Act (CRA) Compliance Guide for Teams

The EU Cyber Resilience Act establishes mandatory cybersecurity requirements for digital products sold in the European Union. This guide explains what the CRA is, who needs to comply, and how to meet its core requirements using structured assessments, SBOMs, and remediation planning.

Continue with SBOM Best Practices to strengthen transparency, then apply risk workflows in the Vulnerability Management Guide. For comparative obligations, see CRA vs NIS2 & GDPR.

What is the EU Cyber Resilience Act?

The EU Cyber Resilience Act (CRA) is a comprehensive regulation designed to improve the cybersecurity of products with digital elements—software, hardware, and connected devices—placed on the EU market. It requires manufacturers to implement security by design, maintain transparency about product components, and manage vulnerabilities throughout the product lifecycle.

The regulation applies across the entire supply chain and introduces obligations for manufacturers, importers, and distributors. Non-compliance with the essential requirements can be fined up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher, making CRA readiness a critical priority for organizations selling digital products in Europe.

Key timeline
The CRA (Regulation (EU) 2024/2847) entered into force on 10 December 2024. Its vulnerability and incident reporting obligations apply from 11 September 2026, and the remaining obligations apply from 11 December 2027. Because the regulation requires continuous compliance throughout a product's support period, not just at the point of sale, organizations should begin readiness activities now rather than waiting for the application dates.

Who needs to comply with the CRA?

The CRA applies to a wide range of organizations and products:

  • Manufacturers of products with digital elements, including software applications, firmware, IoT devices, industrial control systems, and connected consumer products.
  • Importers and distributors who place covered products on the EU market must verify that the manufacturer has carried out the conformity assessment, that the product bears the CE marking, and that the required documentation and user information accompany it.
  • Open-source software stewards (organizations that provide sustained support for open-source products intended for commercial use) fall under a lighter regime: they are not treated as manufacturers, but they must maintain a cybersecurity policy, cooperate with market surveillance authorities, and report actively exploited vulnerabilities they become aware of, to the extent they are involved in developing the product.

Products are classified by risk. Most fall into the default category; "important" products (Annex III) are split into Class I and Class II; and "critical" products (Annex IV) form a third tier. Class I products may self-assess if they apply harmonised standards, Class II products require third-party conformity assessment, and critical products may be required to obtain a European cybersecurity certificate.

Are you covered?
If your organization develops, sells, or distributes software, firmware, or connected hardware in the EU, you likely fall under CRA scope. Start by identifying which products contain digital elements and their applicable risk classification.

Key CRA requirements for software and connected products

The CRA establishes requirements across three main pillars:

1. Secure by Design

Products must be designed, developed, and maintained with cybersecurity as a core consideration. This includes:

  • Implementing security controls during development
  • Following secure coding practices
  • Conducting security testing before release
  • Maintaining an inventory of product components (Software Bill of Materials)

2. Vulnerability Management

Manufacturers must establish processes to identify, disclose, and remediate vulnerabilities:

  • Actively monitor for security issues in product components
  • Address vulnerabilities without undue delay
  • Provide timely security updates to users
  • Report actively exploited vulnerabilities through the single reporting platform (to the designated CSIRT and ENISA): an early warning within 24 hours of becoming aware, a vulnerability notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available
  • Report severe incidents affecting product security on the same 24-hour and 72-hour schedule, with a final report within one month
  • Publicly disclose fixed vulnerabilities once a security update is available, with enough detail for users to identify the affected product, assess the impact, and remediate

3. Transparency and Documentation

Organizations must maintain clear records and communicate security information:

  • Draw up an SBOM in a commonly used, machine-readable format covering at least the product's top-level dependencies; it forms part of the technical documentation and must be available to market surveillance authorities on request (it does not have to be published)
  • Issue an EU Declaration of Conformity and affix the CE marking for applicable products
  • Maintain technical documentation demonstrating compliance
  • Provide users with the information required by Annex II, including the intended purpose, the support period, how to report vulnerabilities, and how security updates are delivered

The compliance challenge
Meeting these requirements demands cross-functional coordination: engineering teams must generate SBOMs, security teams triage vulnerabilities, and compliance teams maintain documentation. A unified platform streamlines these workflows and creates an auditable trail.

How CRA assessments, SBOMs, and remediation fit together

Effective CRA compliance requires connecting three core capabilities:

CRA Assessments

Structured questionnaires map your security controls to CRA requirements. Assessments identify gaps, capture evidence, and generate a readiness score. They provide the "checklist" view of compliance.

Software Bill of Materials (SBOM)

An SBOM is a complete inventory of software components in your product. CRA requires SBOMs to enable vulnerability tracking and supply chain transparency. Linking SBOMs to assessments automatically surfaces component-level risks.

Remediation Planning

Identifying vulnerabilities is only the start. Remediation plans assign ownership, set deadlines, and track fixes. CRA mandates timely remediation—so prioritization and accountability are essential.

When integrated, these capabilities create a continuous compliance loop: assessments identify control gaps, SBOMs reveal component vulnerabilities, and remediation plans drive fixes—all with evidence automatically captured for audits.
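The SBOM-to-remediation loop described above, and the 24-hour early-warning trigger from the Vulnerability Management section, can be reduced to a small pipeline. The script below is an added example written for this guide, not the platform's own code: it parses a minimal CycloneDX JSON document, matches each component's package URL (purl) against an advisory feed, and produces a prioritized remediation plan with due dates. The SBOM, the advisory feed, the placeholder advisory identifiers, and the SLA days are all constructed assumptions; a real pipeline would read the build's SBOM and pull advisories from a source such as OSV or the NVD.

```python
"""Link a CycloneDX SBOM to known vulnerabilities and derive a remediation plan.

Added example for this guide, not the platform's code. All inputs are
constructed inline so the script runs offline. Advisory IDs are placeholders,
not real CVE numbers, and the SLA table is an assumed internal policy, not a
value taken from the CRA text.
"""
import json
from datetime import date, timedelta

# Constructed CycloneDX 1.5 document with only the fields this script needs.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "urllib3", "version": "1.26.18",
         "purl": "pkg:pypi/urllib3@1.26.18"},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
    ],
})

# Constructed advisory feed: versionless purl -> [(id, fixed_in, cvss, exploited)].
ADVISORIES = {
    "pkg:pypi/requests": [("EXAMPLE-2023-0001", "2.31.0", 6.1, False)],
    "pkg:npm/lodash": [("EXAMPLE-2021-0002", "4.17.21", 7.2, True)],
    "pkg:pypi/urllib3": [("EXAMPLE-2020-0003", "1.26.5", 5.3, False)],
}

# Assumed internal remediation SLAs in days per severity band.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def parse_purl(purl):
    """Split a purl into (type/namespace/name, version); drops qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, None)


def version_key(v):
    """Sortable key for dotted versions; numeric parts compare as integers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def severity_band(cvss):
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def load_components(sbom_text):
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [c for c in doc.get("components", []) if c.get("purl")]


def find_vulnerabilities(components, advisories):
    """Return components whose version is below an advisory's fixed version."""
    findings = []
    for comp in components:
        name, version = parse_purl(comp["purl"])
        for vuln_id, fixed_in, cvss, exploited in advisories.get(name, []):
            if version is not None and version_key(version) < version_key(fixed_in):
                findings.append({"purl": comp["purl"], "id": vuln_id,
                                 "fixed_in": fixed_in, "cvss": cvss,
                                 "exploited": exploited})
    return findings


def build_plan(sbom_text=SBOM_JSON, advisories=ADVISORIES, today=None):
    """Prioritize findings (exploited first, then CVSS) and assign due dates."""
    today = date.fromisoformat(today) if today else date.today()
    findings = find_vulnerabilities(load_components(sbom_text), advisories)
    plan = []
    for f in sorted(findings, key=lambda f: (not f["exploited"], -f["cvss"])):
        # Actively exploited issues are escalated regardless of CVSS because
        # CRA Article 14 requires an early warning within 24 hours of awareness.
        band = "critical" if f["exploited"] else severity_band(f["cvss"])
        plan.append({**f, "band": band,
                     "due": today + timedelta(days=SLA_DAYS[band]),
                     "early_warning_required": f["exploited"]})
    return plan


if __name__ == "__main__":
    for item in build_plan():
        print(item)
```

Running it lists lodash first (exploited, so it carries the 24-hour early-warning flag and a 7-day fix deadline) and requests second; urllib3 is already at a fixed version and does not appear. The version comparison is deliberately simple and would need a proper ecosystem-aware comparator (PEP 440, semver) before use on real SBOMs.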

How this platform supports CRA readiness

Our platform is purpose-built for CRA compliance, unifying the workflows described above into a single solution:

  • Guided CRA assessments: Pre-built questionnaires map to CRA articles, helping you identify gaps and collect evidence inline.
  • SBOM intelligence: Import CycloneDX or SPDX SBOMs to automatically inventory components and link known vulnerabilities (CVEs) with severity scores.
  • Remediation tracking: Create plans from vulnerabilities, assign owners, set due dates, and receive deadline reminders—ensuring timely fixes as required by CRA.
  • Evidence automation: Attach documents, screenshots, and logs directly to assessment answers. All evidence is hashed and timestamped for audit integrity.
  • Declaration of Conformity: Generate an EU Declaration of Conformity or technical documentation summary directly from validated assessment data, ready for regulators.

Ready to start?

Sign up for a free account and run your first CRA assessment in minutes. Import an SBOM, see your vulnerability exposure, and create a remediation plan—all in one platform.

Why trust us

This guide is authored by practitioners building CRA-focused workflows. We combine assessment design, SBOM parsing, and remediation tracking into an integrated product used by engineering and compliance teams.

Next steps

CRA compliance is a journey, not a one-time project. Here's how to move forward:

  1. Inventory your products: Identify which products contain digital elements and their risk classification under CRA.
  2. Generate SBOMs: Integrate SBOM generation into your build pipeline for all applicable products.
  3. Run a baseline assessment: Complete a CRA assessment to understand your current readiness and identify gaps.
  4. Establish vulnerability monitoring: Set up processes to continuously monitor components for new CVEs and security advisories.
  5. Define remediation workflows: Create clear ownership, SLAs, and escalation paths for security fixes.
  6. Maintain documentation: Keep technical documentation current as products evolve and new vulnerabilities emerge.

For detailed walkthroughs of platform features, see our Onboarding Guide. For questions or enterprise support, visit our contact page.
