Cyber Resilience Act

EU Cyber Resilience Regulation

The European regulation requiring security by design for all products with digital elements. Technical documentation, mandatory SBOM and CE marking.

Deadline
Dec 11, 2027
Full application
Applies to
Manufacturers, importers, distributors
Products with digital elements
Maximum penalty
15M EUR
or 2.5% global turnover
Required docs
Annex VII technical documentation + SBOM
10-year retention (or the support period, if longer)

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is the European regulation that establishes mandatory cybersecurity requirements for all products with digital elements marketed in the European Union.

It applies to manufacturers, importers and distributors of hardware and software. The guiding principle is 'cybersecurity by design': security must be incorporated from the product design stage, not as an afterthought.

The CRA introduces technical documentation obligations (Annex VII), vulnerability handling throughout the product's support period, an early-warning notification of actively exploited vulnerabilities and severe incidents to the authorities within 24 hours (followed by a fuller notification within 72 hours and a final report), and mandatory CE marking for placing the product on the EU market.

CRA Key Dates

The Cyber Resilience Act implementation timeline

Dec 2024

Official publication

The CRA (Regulation (EU) 2024/2847) was published in the Official Journal of the EU on 20 November 2024 and entered into force on 10 December 2024

11 Jun 2026

Notified bodies

Chapter IV applies: Member States can designate conformity assessment bodies (notified bodies), which may then start third-party assessments of important and critical products

11 Sep 2026

Reporting obligations active

Mandatory 24h early-warning reporting of actively exploited vulnerabilities and severe incidents (Article 14)

11 Dec 2027

Full application

All products must meet CRA essential requirements

Key CRA Articles

Each article explained with real practical cases

What the law says

"Manufacturers shall ensure that products with digital elements are designed, developed and produced in accordance with the essential cybersecurity requirements set out in Annex I."

Practical case

A SaaS company releases a new version of its product. Before release it must: update the SBOM with the new components, verify that there are no critical CVEs in the added dependencies, and update the Annex VII technical documentation to reflect the changes.

EMETHRA helps you

EMETHRA automatically generates the SBOM on every commit, detects new CVEs in real time and keeps the Annex VII documentation updated without manual intervention.

View official text on EUR-Lex

CRA Compliance Process

The 5 steps to prepare your product

1

Software inventory

Identify all components of your product

2

Vulnerability analysis

Scan CVEs in all dependencies

3

Generate SBOM

A complete SBOM in SPDX or CycloneDX (machine-readable, covering at least the top-level dependencies)

4

Document Annex VII

Complete technical documentation

5

Keep updated

Monitor CVEs and update
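The five steps above, and the practical case in the Article 13 section (update the SBOM, check added dependencies for critical CVEs before release), come together in the following added example. It is not EMETHRA's code or anything from the CRA text: it builds a minimal CycloneDX 1.5 SBOM for a release, diffs it against the previous release's SBOM to find added or upgraded components, and checks only those against a vulnerability feed, blocking the release on a critical match. The package names, versions and advisory identifiers are constructed for illustration; a real gate would load the feed from OSV, NVD or a vendor source and use a version parser that understands PEP 440 or semver.

```python
"""
Added example, not code from EMETHRA or the CRA text: a release gate that
builds a minimal CycloneDX 1.5 SBOM for a release, diffs it against the
previous release's SBOM to find added or upgraded components, and checks
those against a vulnerability feed.  Package names, versions and advisory
IDs are constructed for illustration; a real gate would load the feed from
OSV, NVD or a vendor source.
"""
import json
import uuid
from datetime import datetime, timezone


def purl(name, version, ecosystem="pypi"):
    """Package URL: the identifier CycloneDX uses to match components to advisories."""
    return f"pkg:{ecosystem}/{name}@{version}"


def build_sbom(product, version, deps):
    """Return a CycloneDX 1.5 document (as a dict) listing top-level dependencies,
    the minimum the CRA asks for in Annex I Part II."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product, "version": version},
        },
        "components": [
            {"type": "library", "name": n, "version": v, "purl": purl(n, v)}
            for n, v in sorted(deps.items())
        ],
    }


def parse_version(v):
    """Numeric dotted versions only; real feeds need PEP 440 / semver-aware parsing."""
    return tuple(int(p) for p in v.split("."))


def added_components(old_sbom, new_sbom):
    """Components whose purl (name@version) is absent from the previous SBOM:
    brand-new dependencies and version bumps alike."""
    seen = {c["purl"] for c in old_sbom["components"]}
    return [c for c in new_sbom["components"] if c["purl"] not in seen]


def find_vulnerable(components, advisories):
    """Match components to advisories by name and half-open affected range [introduced, fixed)."""
    hits = []
    for c in components:
        v = parse_version(c["version"])
        for adv in advisories:
            if adv["name"] != c["name"]:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((c["purl"], adv["id"], adv["severity"]))
    return hits


# Constructed sample data: two releases of a fictitious product and a tiny feed.
PREVIOUS_DEPS = {"netclient": "2.31.0", "tlswrap": "41.0.7"}
CURRENT_DEPS = {"netclient": "2.31.0", "tlswrap": "42.0.0", "yamlparse": "5.4.1"}
ADVISORIES = [  # hypothetical advisory IDs, not real CVEs
    {"id": "EXAMPLE-0001", "name": "yamlparse", "introduced": "0", "fixed": "6.0", "severity": "critical"},
    {"id": "EXAMPLE-0002", "name": "tlswrap", "introduced": "0", "fixed": "41.0.0", "severity": "high"},
]


def release_gate(previous_deps, current_deps, advisories, product="demo-app"):
    """Steps 1-5 of the process for one release: inventory -> SBOM -> diff -> scan.
    Returns the new SBOM, the added components, all matches, and the blocking (critical) ones."""
    old = build_sbom(product, "1.0.0", previous_deps)
    new = build_sbom(product, "1.1.0", current_deps)
    added = added_components(old, new)
    hits = find_vulnerable(added, advisories)
    blocking = [h for h in hits if h[2] == "critical"]
    return new, added, hits, blocking


if __name__ == "__main__":
    sbom, added, hits, blocking = release_gate(PREVIOUS_DEPS, CURRENT_DEPS, ADVISORIES)
    print(json.dumps(sbom, indent=2))  # the artefact to archive alongside the Annex VII documentation
    print("added:", [c["purl"] for c in added])
    print("matches:", hits)
    print("release blocked" if blocking else "release allowed")
```

Scanning only the diff keeps the pre-release check fast, but step 5 still requires rescanning the full SBOM whenever the feed changes, since a component that was clean at release time can acquire an advisory later. The upgraded tlswrap in the sample is not flagged because its new version is past the advisory's fixed version; only the newly added yamlparse produces a critical match, which blocks the release.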

Reports generated by EMETHRA

Documentation ready for CRA compliance

Non-compliance sanctions

The consequences of not complying with the CRA

Applicable sanctions (Article 64)

Non-compliance with the essential requirements of Annex I or the Article 13/14 obligations (including vulnerability reporting)
15M EUR or 2.5% of worldwide annual turnover, whichever is higher
Non-compliance with any other obligation under the regulation
10M EUR or 2% of worldwide annual turnover
Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities
5M EUR or 1% of worldwide annual turnover

Additionally, authorities can order the product to be withdrawn from the European market.

Sectors affected by CRA

Who does the Cyber Resilience Act apply to?

Industrial
Software
SaaS
IoT
Hardware
Importers
Distributors
Manufacturers

Frequently asked questions about CRA

Answering the most common questions

The CRA applies to all products with digital elements made available on the EU market: standalone software, firmware, IoT devices, hardware with connected components, mobile applications, and the remote data processing (cloud/SaaS) functions without which a product could not perform its intended functions. Excluded are products already covered by sector-specific EU rules with equivalent requirements (medical devices and in vitro diagnostics, motor vehicles, civil aviation, marine equipment), products developed exclusively for national security or defence, and pure cloud services that are not tied to a product. Free and open-source software is in scope only when it is supplied in the course of a commercial activity.

Need to comply with the CRA?

EMETHRA automates CRA Annex VII documentation generation, SBOM and alerts you to vulnerabilities for the 24-hour reporting requirement.

