nexalign

Decision guide · Compliance

Preparing for the Cyber Resilience Act: CRA compliance for manufacturers of products with digital elements

The Cyber Resilience Act forces every manufacturer of products with digital elements into a structured decision: which products fall into which class, which conformity assessment route applies, who builds the vulnerability reporting path, how SBOM and lifecycle support are organised. Anyone who does not plan this in a structured way in 2026 loses access to the EU market from December 2027.

TL;DR

CRA is not an IT security project; it is a product compliance decision. Scope, class and conformity route must be settled before engineering decisions.

Who owns this decision

Product management as owner, CTO and CISO in the steering group. Legal, Quality, Procurement and Sales as active stakeholders.

Key criteria to weight

  • Scope mapping

    Which products with digital elements fall under CRA? Pure SaaS services are excluded; hardware plus software is almost always in scope.

  • Product classification

    Default, important (Class I/II Annex III), critical (Annex IV). The class determines the conformity procedure.

  • Conformity assessment route

    Internal control Module A vs EU type examination Module B+C vs full quality assurance Module H. Annex IV always requires third-party assessment.

  • Vulnerability reporting path

    24h/72h/14-day cascade to ENISA and national CSIRT. Mandatory from 11 September 2026, before the main duties.

  • SBOM and lifecycle support

    Machine-readable SBOM is mandatory. Free security updates over expected product lifetime, default 5 years.

  • Supplier clauses

    OEM and component contracts need CRA clauses. Who is liable for third-party vulnerabilities?

Step-by-step decision flow

  1. Walk the product portfolio

    Capture every product with digital elements: hardware, firmware, software, IoT, embedded. SaaS-only services are usually excluded.

  2. Determine class

    Default, important (Class I/II) or critical (Annex IV). Class II examples: hypervisors, firewalls, identity managers. Annex IV: smartcards, hardware security modules with security functions.

  3. Plan conformity assessment

    Module A (internal control) suffices for most Class I products. Annex IV needs a notified body; plan for the capacity bottleneck.

  4. Build the vulnerability reporting path

    Before September 2026: PSIRT function, single point of contact at ENISA, triage process, disclosure policy aligned with ISO/IEC 29147.

  5. SBOM generation in the build pipeline

    CycloneDX or SPDX, automated in the build. Mandatory contents: components, versions, licences, suppliers.

  6. Decision memo plus declaration of conformity

    One decision memo per product family with class rationale, conformity route and technical documentation. CE marking after closure.
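Step 5 only pays off if the build actually refuses to ship an incomplete SBOM. The following is an added example, not code from nexalign: a build-pipeline gate that parses a CycloneDX JSON document and reports every component lacking one of the four mandatory contents named above (name, version, licence, supplier). Field names follow the public CycloneDX 1.5 JSON schema; the sample SBOM, the product name and the component entries are constructed for illustration, and SPDX documents would need a separate parser.

```python
"""Completeness gate for a CycloneDX SBOM against the mandatory contents
listed in the decision guide: components, versions, licences, suppliers.

Added example, not nexalign code. Field names follow the CycloneDX 1.5 JSON
schema (bomFormat, specVersion, components[].name/version/licenses/supplier).
The sample SBOM below is constructed; two of its three components are
deliberately incomplete so the gate has something to catch.
"""
import json

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "firmware", "name": "edge-gateway-fw", "version": "4.2.0"}
    },
    "components": [
        {
            "type": "library", "name": "openssl", "version": "3.0.13",
            "licenses": [{"license": {"id": "Apache-2.0"}}],
            "supplier": {"name": "OpenSSL Software Foundation"},
            "purl": "pkg:generic/openssl@3.0.13",
        },
        {   # version missing: cannot be matched against advisories
            "type": "library", "name": "zlib",
            "licenses": [{"license": {"id": "Zlib"}}],
            "supplier": {"name": "zlib contributors"},
        },
        {   # neither licence nor supplier recorded
            "type": "library", "name": "vendor-crypto-blob", "version": "1.7",
        },
    ],
})

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "components")


def component_findings(comp):
    """Return the list of mandatory fields missing from one component."""
    missing = []
    if not comp.get("name"):
        missing.append("name")
    if not comp.get("version"):
        missing.append("version")
    # CycloneDX allows either a licence id/name or an SPDX licence expression.
    licenses = comp.get("licenses") or []
    has_license = any(
        (entry.get("license") or {}).get("id")
        or (entry.get("license") or {}).get("name")
        or entry.get("expression")
        for entry in licenses
    )
    if not has_license:
        missing.append("licenses")
    if not (comp.get("supplier") or {}).get("name"):
        missing.append("supplier")
    return missing


def check_sbom(sbom_json):
    """Parse a CycloneDX JSON document and return {component_label: [missing fields]}.

    An empty dict means every component carries name, version, licence and
    supplier. Structural problems are reported under the key "_document".
    """
    sbom = json.loads(sbom_json)
    findings = {}
    doc_problems = [key for key in REQUIRED_TOP_LEVEL if key not in sbom]
    if sbom.get("bomFormat") not in (None, "CycloneDX"):
        doc_problems.append("bomFormat is not CycloneDX")
    if doc_problems:
        findings["_document"] = doc_problems
        return findings
    if not sbom["components"]:
        findings["_document"] = ["components list is empty"]
        return findings
    for comp in sbom["components"]:
        missing = component_findings(comp)
        if missing:
            label = f"{comp.get('name', '<unnamed>')}@{comp.get('version', '?')}"
            findings[label] = missing
    return findings


def gate_build(sbom_json):
    """Build-pipeline gate: True only when the SBOM is complete."""
    return not check_sbom(sbom_json)


if __name__ == "__main__":
    for label, missing in check_sbom(SAMPLE_SBOM).items():
        print(f"{label}: missing {', '.join(missing)}")
    print("build gate:", "pass" if gate_build(SAMPLE_SBOM) else "FAIL")
```

Wire `gate_build` into the CI step that runs after the SBOM generator and fail the job on a False result; the findings dict gives the component labels that need fixing before the artefact can be released.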

Compliance note

CRA Regulation (EU) 2024/2847 in force since 10 December 2024. Reporting duties apply from 11 September 2026. Main duties apply from 11 December 2027. Fines up to 15 M EUR or 2.5 percent of worldwide group turnover. Overlap with NIS2 (for manufacturers that are also essential or important entities), Machinery Regulation (EU) 2023/1230 and Radio Equipment Directive 2014/53/EU.

Common pitfalls

  • CRA is treated as a pure SBOM exercise. Product classification and lifecycle support are the harder points.
  • Open-source components without security patches in the supply chain. The manufacturer remains liable.
  • PSIRT function missing entirely. The 24h reporting from September 2026 cannot be improvised.
  • Annex IV classification is ignored because 'critical' sounds narrow. Smartcards and HSM modules are in scope.
  • Legacy products are forgotten. CRA applies to every product placed on the market after the date of applicability.

FAQ

When does the Cyber Resilience Act apply?

The regulation has been in force since 10 December 2024. Reporting duties for actively exploited vulnerabilities apply from 11 September 2026. The main duties (conformity assessment, CE marking) apply from 11 December 2027. Products placed on the EU market from that date must be compliant.

What falls under the CRA scope?

Products with digital elements, i.e. anything that processes data and is networked: IoT, smart home, industrial controllers, hardware with firmware, software products, apps, dev tools, browsers, operating systems. Pure SaaS services are excluded (covered by NIS2 if applicable). Open source is only covered when distributed commercially; communities are exempt.

Do I need a notified body for conformity assessment?

For most products, no. Default and Class I products can be certified with internal control (Module A). Class II products (e.g. firewalls, hypervisors, identity managers) need either Module B+C or Module H with a notified body. Annex IV products (critical, e.g. HSM, smartcards) always require third-party assessment.

What happens in case of a CRA breach?

The market surveillance authority (in Germany BSI plus BNetzA for radio equipment) can order withdrawal or recall. Fines up to 15 M EUR or 2.5 percent of worldwide group turnover for breaches of manufacturer duties. For false or misleading information to authorities up to 5 M EUR or 1 percent.

How does CRA relate to NIS2?

CRA is product regulation (manufacturer duty); NIS2 is operator regulation (user duty). A company can be both: a NIS2 entity as an operator of essential services and a CRA manufacturer if it sells its own products. The duties complement each other; they do not replace each other.