How Do Manufacturers Comply with the EU Cyber Resilience Act (CRA)?

The EU Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for products with digital elements sold on the European market. Manufacturers must demonstrate compliance through documented cybersecurity processes, risk assessments, technical documentation, and conformity assessments before products can be legally marketed in Europe. Reporting obligations begin on 11 September 2026, and full compliance becomes mandatory on 11 December 2027.

For manufacturers evaluating compliance costs, risks, timelines, and resource requirements, early preparation is critical. At Artem, our CRA Compliance Studio helps companies review requirements, automate documentation preparation, perform cybersecurity risk assessments, and maintain audit-ready compliance records throughout the product lifecycle.

What Is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act is an EU regulation designed to strengthen cybersecurity across products containing software, hardware, or connected digital components. It establishes mandatory cybersecurity requirements throughout a product's lifecycle, from design and development through deployment, maintenance, and vulnerability management.

The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and EU Security Union Strategy. It complements other legislation in this area, specifically the NIS2 Directive.

The CRA requires manufacturers to:

Implement security-by-design principles
Assess and mitigate cybersecurity risks
Provide security updates throughout a support period
Address vulnerabilities effectively
Demonstrate compliance through documented evidence
Report actively exploited vulnerabilities and incidents

The regulation applies to products placed on the EU market and affects manufacturers, importers and distributors.

Which Products Are Covered by the CRA?

The CRA applies to all products with digital elements, defined as:

a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately

This broad definition captures a wide range of products, including:

Consumer Products

Smartwatches
Smart home devices
Connected appliances
Baby monitors
Consumer software applications

Industrial Products

Industrial control systems
Manufacturing equipment
IoT devices
Embedded software systems
Network-connected machinery

Standalone Software

Enterprise software
Cloud-connected applications
Software components sold separately
Remote processing solutions

If a product connects to networks, systems, services, or other devices, it is likely within the scope of the CRA.

CRA Compliance Timeline: Key Dates Manufacturers Must Know

Manufacturers should begin compliance preparation well before enforcement deadlines.

Milestone	Date
CRA entered into force	10 December 2024
Reporting obligations begin	11 September 2026
Main CRA obligations apply	11 December 2027

Why Early Preparation Matters

Many CRA requirements require evidence generated during product development, not after launch. Companies that delay preparation may face significant compliance gaps, documentation deficiencies and market access risks.

Building cybersecurity processes, performing risk assessments, and preparing technical documentation often requires coordination across engineering, compliance, legal and product teams.

What Documents Are Required for CRA Compliance?

Manufacturers must maintain a comprehensive compliance file demonstrating conformity with the CRA.

The following documents form the foundation of CRA compliance.

1. Information & Instructions to the User

Manufacturers must provide users with clear information regarding:

Product functionality
Security features
Secure configuration requirements
Update procedures
Support period information
Vulnerability reporting mechanisms

This documentation helps users operate products securely throughout their lifecycle.

2. EU Declaration of Conformity

The EU Declaration of Conformity formally confirms that the manufacturer has assessed the product and determined compliance with applicable CRA requirements.

The declaration must be maintained and made available to authorities upon request.

3. Technical Documentation

The CRA requires manufacturers to prepare technical documentation as described in Annex VII.

This documentation demonstrates how the product satisfies the essential cybersecurity requirements contained in Annex I.

The technical file should include:

General Product Description

A detailed description of:

Product purpose
Intended use
Architecture
Components
Software and hardware elements

Design, Development and Vulnerability Handling Processes

Manufacturers must document:

Secure development procedures
Security testing methodologies
Vulnerability management processes
Patch management workflows
Product maintenance procedures

Cybersecurity Risk Assessment

The risk assessment must identify:

Threats
Vulnerabilities
Potential impacts
Mitigation measures
Residual risks

This assessment must remain current throughout the support period.

Support Period Justification

Manufacturers must document information used to determine the support period under Article 13.

This includes evidence demonstrating how vulnerabilities will be managed and remediated during the supported lifecycle of the product.

Applicable Standards and Specifications

The technical file must include:

Harmonised standards applied
Common specifications used
Relevant certification schemes
Alternative technical solutions where standards are not applied

Where harmonised standards are not used, manufacturers must explain how cybersecurity requirements are otherwise satisfied.

Test Reports

Documentation should include:

Security testing reports
Validation evidence
Verification results
Penetration testing outcomes
Conformity assessment evidence

EU Declaration of Conformity Copy

A copy of the declaration must be included within the technical file.

Software Bill of Materials (SBOM)

Where applicable, manufacturers should include:

Component inventories
Open-source dependencies
Third-party software libraries
Software supply chain information

How to Perform a CRA Cybersecurity Risk Assessment

A cybersecurity risk assessment is one of the most important CRA obligations.

Manufacturers must document cybersecurity risks and use assessment results throughout product design, development, production, and maintenance.

Step 1: Identify Assets

Determine which assets require protection:

Software components
Hardware components
User data
Network interfaces
Remote processing services

Step 2: Identify Threats and Vulnerabilities

Evaluate potential attack vectors, including:

Unauthorized access
Software vulnerabilities
Supply chain risks
Misconfigurations
Known security weaknesses

Step 3: Assess Impact and Likelihood

Determine:

Business impact
User impact
Safety implications
Probability of exploitation

Step 4: Define Mitigation Measures

Implement controls that reduce identified risks.

Examples include:

Authentication controls
Encryption
Secure development practices
Access management
Vulnerability monitoring

Step 5: Maintain and Update the Assessment

The CRA requires risk assessments to remain current throughout the support period.

Manufacturers should review assessments whenever:

New vulnerabilities emerge
Product features change
Threat landscapes evolve

What Conformity Assessment Procedures Are Available?

Manufacturers must complete an appropriate conformity assessment before placing products on the EU market.

The CRA provides several pathways.

Assessment Route	Description
Internal Control (Module A)	Manufacturer self-assessment of conformity
EU-Type Examination (Module B)	Independent examination of product conformity
Full Quality Assurance (Module H)	Comprehensive quality management assessment
European Cybersecurity Certification Scheme	Certification route where available and applicable

The appropriate pathway depends on product characteristics, risk profile, and applicable requirements.