
Get answers to the most common questions about CRA Compliance
FAQ Cyber Resilience Act (CRA) – for Machine Manufacturers (OEMs)
Cyber Resilience Act compliance requirements. The CRA is an EU regulation that becomes fully applicable in 2027 and introduces mandatory cybersecurity requirements for products with digital elements. It applies to manufacturers, including machine builders and OEMs, who must ensure secure design, continuous vulnerability management, SBOM traceability, incident reporting within 24 and 72 hours, and comprehensive technical documentation. CRA compliance is no longer optional: it requires structured processes, lifecycle management and verifiable audit readiness.
What is the Cyber Resilience Act (CRA) in general?
The Cyber Resilience Act represents the European Union’s comprehensive approach to addressing growing cybersecurity concerns in the digital product landscape. Proposed by the European Commission in 2022, this landmark legislation aims to establish a unified framework for ensuring the security of connected products and associated services throughout the EU market.
At its core, the CRA addresses critical security gaps in hardware and software products, including both standalone and embedded components. The legislation emerged in response to the rising tide of cyberattacks targeting connected devices and the recognition that voluntary security measures were proving insufficient to protect critical infrastructure.
The Act’s jurisdiction extends to virtually all digital products with direct or indirect connections to networks or computing environments. This includes embedded software, standalone applications, and IoT devices across both consumer and industrial sectors. Products designated as “critical” face more stringent requirements than those categorized as standard.
Implementation of the CRA follows a phased approach, with essential obligations taking effect approximately 24 months after adoption. For manufacturers, this means a limited window to comprehensively review product security architectures and documentation practices to achieve compliance before enforcement begins.
Manufacturers often want clarity on whether their products count as products with digital elements (hardware or software) and are therefore subject to CRA obligations; common questions concern embedded software, firmware, components and updates.
What exactly counts as a product with digital elements?
- A product with digital elements (PDE) is any hardware or software product that contains software and is intended to connect, directly or indirectly, to a device or a network. This includes industrial machines, embedded systems, controllers, gateways, and related software placed on the EU market.
Does firmware or a software-only product trigger CRA compliance?
- Firmware is explicitly considered software and is fully in scope. Software-only products (commercial software, embedded software, management or control software) are also in scope when placed on the EU market. Only non-commercial open-source software is partially excluded.
Are products sold before the 2027 deadline subject to full compliance?
- Products placed on the EU market before 11 December 2027 do not require full CRA compliance. However, substantial software or firmware updates after that date may trigger CRA obligations, as the product can be considered newly placed on the market. Vulnerability and incident reporting obligations apply earlier (from 2026).
The EU’s Cyber Resilience Act establishes more prescriptive requirements than the NIST Cybersecurity Framework, which offers voluntary guidelines rather than mandatory standards. While NIST provides flexible implementation approaches, the CRA specifies explicit compliance mechanisms with legal enforcement backing. However, organizations following NIST principles will find many overlapping concepts that can accelerate their CRA readiness.
Compared to the UK’s Product Security and Telecommunications Infrastructure Act, the CRA offers broader scope and more detailed technical specifications. The UK legislation focuses primarily on consumer IoT devices, while the CRA extends to industrial systems and enterprise software products. Both frameworks share core principles of security-by-design, but diverge in certification processes and enforcement structures.
Industry-specific standards like IEC 62443 for industrial control systems offer complementary approaches to the CRA. While these standards provide detailed technical guidance for operational technology environments, the CRA establishes the legal framework requiring their implementation. Manufacturers who have already implemented these industry standards will have addressed many CRA requirements, though additional documentation and certification steps may be necessary.
The international regulatory landscape continues evolving, with potential future alignment between frameworks. Organizations operating globally should consider how CRA compliance can be leveraged to meet emerging requirements in other regions, establishing comprehensive security programs rather than jurisdiction-specific approaches.
What happens if you don’t comply with the CRA?
The enforcement mechanisms for CRA violations establish substantial financial consequences for non-compliant organizations. Administrative fines can reach up to €15 million or 2.5% of global annual turnover, whichever is higher. This tiered penalty structure varies based on violation severity, with larger fines imposed for intentional or repeated non-compliance.
Beyond financial penalties, market access restrictions represent perhaps the most significant business risk. Non-compliant products face removal from EU marketplaces, creating immediate revenue impacts and requiring costly remediation efforts before sales can resume. The market surveillance authorities have expanded powers to order product recalls in cases where security deficiencies create substantial risks.
Reputational damage extends beyond regulatory penalties, potentially affecting customer relationships and market positioning. The public nature of formal compliance actions means security failures become visible to customers, partners, and competitors. For industrial IoT manufacturers, this visibility could impact critical business relationships across the supply chain.
The regulatory focus on documentation creates additional liability concerns. During investigations, authorities review not only the technical security measures implemented but also the quality and completeness of compliance documentation. Insufficient record-keeping can result in penalties even when products meet technical security requirements.
What does the CRA mean for OEMs and Industrial IoT?
Under the EU Cyber Resilience Act, cyber security is a long-term responsibility for machine manufacturers, not a one-time task.
Manufacturers must provide security updates and vulnerability handling for the expected lifetime of the machine, or at least five years. After the machine is placed on the EU market, manufacturers must monitor vulnerabilities, fix security issues without delay, and deliver updates securely.
Technical documentation, including risk assessments, SBOMs, and vulnerability handling procedures, must be kept up to date and retained for years after sale. Authorities may request this documentation at any time.
In short, machine manufacturers must design, maintain, update, and document cybersecurity throughout the entire machine lifecycle.
Read more about our End-to-End system CRA Navigator AI.
Industrial IoT devices face particularly stringent requirements under the CRA framework, given their role in critical infrastructure and manufacturing operations. The security-by-design principle stands at the forefront of these requirements, mandating that manufacturers build security measures into industrial devices from the earliest development stages rather than adding them later.
For industrial systems, vulnerability management becomes significantly more complex than for consumer products. The CRA requires robust processes for identifying, documenting, and remediating security flaws throughout a product’s lifecycle. This includes establishing secure communication channels to report vulnerabilities and implementing structured response protocols when issues are discovered.
Software update mechanisms receive special attention within the industrial context. Manufacturers must design secure and reliable update processes that consider the operational constraints of industrial environments, where downtime can have severe financial implications. This may include implementing redundancy mechanisms and scheduled maintenance windows for critical security patches.
Unlike consumer IoT devices, industrial systems typically have longer lifecycle expectations—often 10+ years compared to 2-3 years for consumer products. This longevity requirement creates additional challenges for maintaining security compliance over extended periods, requiring manufacturers to establish long-term support structures for legacy industrial equipment.
For machine builders using low-code platforms like those offered by Noux Node, the CRA creates both challenges and opportunities. Our industrial IoT toolkit simplifies compliance by incorporating security features directly into the development environment, allowing manufacturers to implement required protection mechanisms without extensive coding knowledge.
The European Union’s Cyber Resilience Act (CRA) represents a landmark regulatory framework designed to safeguard digital products against cybersecurity threats. This legislation establishes comprehensive security requirements for connected devices, software, and related services across the EU market. For industrial IoT environments, the CRA introduces mandatory security-by-design principles, vulnerability management protocols, and rigorous certification processes that manufacturers must implement throughout product lifecycles. Machine builders and industrial automation companies need to prepare for these new compliance obligations to maintain EU market access.
In short, OEMs should link SBOMs to machines via software versions and configurations, maintain that link throughout the lifecycle, and update it whenever the machine’s software changes.
From an OEM perspective, the most sensible way to link an SBOM to a specific machine is to treat the SBOM as part of the machine’s configuration data, not as a standalone document.
Each machine should have a unique asset identity (for example a serial number, asset ID, or digital twin). The SBOM is then linked to that asset by software and firmware version, not by individual physical unit only. In practice, this means one SBOM can cover many machines that share the same software stack and version.
When the OEM builds or commissions a machine, it records the machine’s asset ID, the installed firmware and software versions, and the corresponding SBOM version. When the OEM updates the software or firmware, it also updates the SBOM reference for that asset.
The physical machine does not change, but its cyber configuration does, and the SBOM linkage reflects that change.
For scalability, OEMs typically manage SBOMs centrally and link them to assets through: a configuration management system, an asset or fleet management platform, or a product lifecycle management (PLM) system.
This approach enables the OEM to quickly identify affected machines when a vulnerability appears in a specific software component and to deploy targeted updates, exactly as required by the CRA.
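The linkage model described above, as an added example that is not part of this page or of the CRA Navigator product: SBOMs are stored centrally and keyed by software stack version, each machine’s configuration record references the SBOM of its installed version, a firmware update re-links the asset and keeps the old linkage as history, and a query returns the machines currently running an affected component. Component names, versions and asset IDs are constructed sample data.

```python
# Added example (not the page's or the CRA Navigator product's code): SBOMs keyed
# by software stack version; each machine's record points at its version's SBOM.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    version: str

class SbomRegistry:
    def __init__(self):
        self.sboms = {}   # sbom_id -> frozenset of Component
        self.assets = {}  # asset_id -> {"firmware", "sbom", "history"}

    def register_sbom(self, sbom_id, components):
        self.sboms[sbom_id] = frozenset(components)

    def commission(self, asset_id, firmware_version, sbom_id):
        # At build/commissioning: record asset ID, installed version, SBOM reference.
        if sbom_id not in self.sboms:
            raise KeyError(f"unknown SBOM {sbom_id}")
        self.assets[asset_id] = {"firmware": firmware_version, "sbom": sbom_id, "history": []}

    def update_firmware(self, asset_id, firmware_version, sbom_id):
        # A software change re-links the asset to the new SBOM; the old linkage stays as history.
        if sbom_id not in self.sboms:
            raise KeyError(f"unknown SBOM {sbom_id}")
        rec = self.assets[asset_id]
        rec["history"].append((rec["firmware"], rec["sbom"]))
        rec.update(firmware=firmware_version, sbom=sbom_id)

    def affected_assets(self, component_name, vulnerable_versions):
        # Triage: which machines currently run an affected component version?
        hit = {sid for sid, comps in self.sboms.items()
               if any(c.name == component_name and c.version in vulnerable_versions
                      for c in comps)}
        return sorted(a for a, rec in self.assets.items() if rec["sbom"] in hit)

def demo():
    # Constructed sample fleet: two firmware versions, three machines.
    reg = SbomRegistry()
    reg.register_sbom("sbom-fw-2.1", [Component("mqtt-client", "1.4.2"), Component("rtos", "9.1")])
    reg.register_sbom("sbom-fw-2.2", [Component("mqtt-client", "1.4.5"), Component("rtos", "9.1")])
    for asset, fw in (("M-001", "2.1"), ("M-002", "2.1"), ("M-003", "2.2")):
        reg.commission(asset, fw, f"sbom-fw-{fw}")
    before = reg.affected_assets("mqtt-client", {"1.4.2"})  # ["M-001", "M-002"]
    reg.update_firmware("M-001", "2.2", "sbom-fw-2.2")      # patch one machine
    after = reg.affected_assets("mqtt-client", {"1.4.2"})   # ["M-002"]
    return before, after, reg.assets["M-001"]["history"]
```

In a real deployment the same records would live in the CMDB, fleet platform or PLM system named above; the point is that the SBOM is resolved through the asset’s recorded software version, so one SBOM serves every machine on that version.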
Ask our experts for more specific information on how you should link SBOM to your assets.
Manufacturers face a structured set of technical and documentation requirements to achieve CRA compliance. The foundation begins with comprehensive risk assessment protocols that identify potential vulnerabilities across the entire product architecture. This includes evaluating hardware components, software elements, network communications, and user interfaces for security weaknesses.
Documentation requirements are extensive and must be maintained throughout the product lifecycle. Manufacturers need to prepare and regularly update technical files containing detailed product specifications, risk assessments, security testing results, and vulnerability management procedures. This documentation serves as evidence of compliance during certification processes and potential regulatory inspections.
The certification pathway varies depending on the product’s risk classification. Products deemed “critical” require third-party conformity assessment, while standard products may qualify for self-assessment procedures. In either case, the CE marking process includes specific cybersecurity attestations that weren’t previously required for market access.
Ongoing monitoring represents a significant shift in manufacturer responsibilities. The CRA establishes mandatory incident reporting mechanisms, requiring companies to notify authorities of serious security incidents affecting their products. This obligation continues throughout the supported product lifecycle, creating new operational requirements for security teams.
For industrial automation systems, compliance documentation must address the specific operational technology (OT) environments where products will function. This includes consideration of industrial protocols, legacy system integration, and potential safety implications of security measures.
Manufacturers must maintain and update:
- Cyber security risk assessments
- SBOMs
- Vulnerability handling procedures
- Technical documentation proving CRA compliance
This documentation must be available to EU authorities for many years after the machine is sold.
With our AI-powered CRA Navigator system, machine manufacturers can handle all of this documentation.
In short, by December 2027, machines sold in the EU must be cyber-secure by default, actively maintained against vulnerabilities, and backed by clear, documented evidence of compliance.
To sell a machine with digital elements in the EU, the manufacturer must ensure that the product meets the requirements below. The CRA introduces mandatory cybersecurity requirements for manufacturers, covering the planning, design, development and maintenance of such products. These obligations must be met at every stage of the value chain. The CRA also requires manufacturers to handle vulnerabilities during the lifecycle of their products. Certain products that are particularly relevant for cybersecurity must undergo a third-party assessment by a notified body before the manufacturer places them on the EU market.
- The machine must be secure by design and secure by default. Cybersecurity is integrated into the product from the design phase rather than added later. The manufacturer delivers machines with only necessary functions enabled, no weak passwords, and no unnecessary open ports or services.
- The manufacturer must implement essential security controls. The manufacturer protects the machine against known vulnerabilities, provides secure software and firmware updates, and minimises the machine’s attack surface. There must be a defined process to identify, handle, and fix vulnerabilities throughout the product’s lifecycle.
- The manufacturer must maintain mandatory cybersecurity documentation. This includes a documented cyber risk assessment, a Software Bill of Materials (SBOM) listing all software components, a vulnerability handling process, and technical documentation that demonstrates compliance with the CRA. This documentation must be available to EU authorities upon request.
Our AI-powered end-to-end system, CRA Navigator, handles all the mandatory CRA requirements and also helps machinery manufacturers (OEMs) in many other service and maintenance areas.
Read more about our End-to-end CRA system solution built specifically for machine manufacturers preparing for Cyber Resilience Act compliance in 2027. Our AI-assisted platform helps OEMs manage SBOMs, track vulnerabilities, document risk assessments, and meet reporting obligations efficiently and transparently.
Unlike fragmented tools, we provide a true end-to-end system covering the entire product lifecycle, from design and compliance to after-market and service operations. Manage installed base data, software versions, support periods, and service activities in one unified environment.