EU Cyber Resilience Act (CRA) compliance
The CRA makes cybersecurity a legal requirement for any product with digital elements sold in the EU. Scadable gets you compliant and keeps you there.
What is the EU Cyber Resilience Act?
The Cyber Resilience Act (Regulation (EU) 2024/2847) has been in force since December 2024. It applies horizontally to "products with digital elements" — hardware and software placed on the EU market — and turns cybersecurity from optional into a legal requirement across the entire product lifecycle.
In practice that means products must be secure by design, ship with no known exploitable vulnerabilities, and keep getting security maintenance for as long as they are supported.
Who does the CRA apply to?
Manufacturers carry most of the obligations; importers and distributors must check that what they place on the market conforms. The scope is products with digital elements, hardware or software, that can connect directly or indirectly to a device or network, from consumer IoT to industrial and embedded devices. If your product has a digital element and reaches the EU market, it is almost certainly in scope.
Products already governed by sector-specific rules with equivalent cybersecurity requirements, such as medical devices, motor vehicles, and civil aviation, are handled under those regimes instead. Free and open-source software developed or supplied outside a commercial activity is also out of scope.
The key dates
The CRA entered into force on 10 December 2024. The provisions on notified bodies apply from 11 June 2026. The reporting obligations, covering actively exploited vulnerabilities and severe incidents, apply from 11 September 2026. The full set of essential requirements applies from 11 December 2027.
The reporting clock is the one most teams are unprepared for, and it arrives first.
What you have to do
- Ship secure by design, with no known exploitable vulnerabilities at the time the product is placed on the market.
- Maintain a Software Bill of Materials (SBOM) in a commonly used, machine-readable format, covering at least the top-level dependencies.
- Run a coordinated vulnerability disclosure process with a published contact point for reporters.
- Provide security updates throughout the support period, which must reflect the expected product lifetime and is at least five years unless the product is expected to be used for less.
- Report actively exploited vulnerabilities and severe incidents within 24 hours of becoming aware of them.
- Pass a conformity assessment: self-assessment for the default class; important class I products can self-assess only when harmonised standards or common specifications are applied in full; important class II and critical products need a notified body (or, for critical products, an EU cybersecurity certification scheme where one is designated).
The hard part: the 24-hour rule and fielded devices
The trigger is not every CVE. It is becoming aware that a vulnerability in your product is being actively exploited, or that a severe incident has affected its security. From that moment you have 24 hours to file an early warning, and the clock runs on awareness, not on confirmation that a fix exists.
That means you must already know, per shipped device and firmware version, whether the units in the field are exposed, including old end-of-life units for which no upstream fix exists, and be able to fix them fast. The early warning itself does not require a fix; it states that exploitation is occurring and, where applicable, which Member States are affected. Corrective or mitigating measures belong in the fuller notification that follows. That operational reality, not the paperwork, is the real burden.
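The check described above, as an added example that is not part of the original page and not Scadable's code: a constructed fleet inventory (device model, firmware version, support status, SBOM components) is joined against a constructed advisory feed carrying an "actively exploited" flag, to answer two questions the 24-hour rule forces on a manufacturer: which shipped units are exposed, including end-of-life ones, and when the early warning and notification fall due. Device models, component names, advisory IDs and version numbers are all invented; the version comparison assumes purely numeric dotted versions.

```python
"""Fleet exposure triage for the CRA 24-hour early-warning rule.

Added example with constructed inline data. Nothing here is real:
device models, purl-style component names and advisory IDs are
invented, and the "exploited" flag stands in for a known-exploited
vulnerability feed.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: shipped device models, the firmware they run,
# whether that firmware is still inside its support period, and the
# top-level SBOM components of that firmware (purl -> version).
FLEET = {
    "gw-100": {"firmware": "2.4.1", "supported": True,
               "sbom": {"pkg:generic/acme-shell": "1.36.1",
                        "pkg:generic/acme-tls": "3.0.12"}},
    "gw-100-legacy": {"firmware": "1.9.0", "supported": False,
                      "sbom": {"pkg:generic/acme-shell": "1.31.1",
                               "pkg:generic/acme-tls": "1.1.1"}},
    "sensor-7": {"firmware": "5.0.3", "supported": True,
                 "sbom": {"pkg:generic/acme-crypto": "3.5.0"}},
}

# Constructed advisory feed: affected component, affected version
# range [introduced, fixed), and whether exploitation in the wild is known.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "pkg:generic/acme-shell",
     "introduced": "1.30.0", "fixed": "1.36.2", "exploited": True},
    {"id": "EXAMPLE-0002", "component": "pkg:generic/acme-tls",
     "introduced": "3.0.0", "fixed": "3.0.13", "exploited": False},
]

# Constructed moment of awareness (UTC); the CRA clock starts here.
AWARE_AT = datetime(2026, 9, 14, 9, 0, tzinfo=timezone.utc)


def version_key(version: str) -> tuple:
    """Assumption of this example: numeric dotted versions only."""
    return tuple(int(part) for part in version.split("."))


def in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def exposure(fleet: dict, advisories: list) -> dict:
    """Map each advisory ID to the device models whose SBOM matches it."""
    result = {}
    for adv in advisories:
        hits = []
        for model, info in fleet.items():
            current = info["sbom"].get(adv["component"])
            if current is not None and in_range(current, adv["introduced"], adv["fixed"]):
                hits.append(model)
        result[adv["id"]] = {
            "exploited": adv["exploited"],
            "devices": sorted(hits),
            # End-of-life units are still exposed; the reporting clock
            # does not care whether an upstream fix exists for them.
            "unsupported_devices": sorted(m for m in hits if not fleet[m]["supported"]),
        }
    return result


def reporting_clock(aware_at: datetime) -> dict:
    """Deadlines counted from awareness: early warning at 24 h,
    notification at 72 h. The final report is due 14 days after a
    corrective or mitigating measure is available, so it cannot be
    computed from awareness alone and is deliberately left out."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "notification": aware_at + timedelta(hours=72),
    }


def triage(fleet: dict, advisories: list, aware_at: datetime) -> list:
    """Advisories that start the clock: actively exploited AND present
    in at least one shipped device, with their deadlines attached."""
    queue = []
    for adv_id, data in exposure(fleet, advisories).items():
        if data["exploited"] and data["devices"]:
            queue.append({"id": adv_id, **data, **reporting_clock(aware_at)})
    return queue


if __name__ == "__main__":
    for item in triage(FLEET, ADVISORIES, AWARE_AT):
        print(f"{item['id']}: exposed={item['devices']} "
              f"eol={item['unsupported_devices']} "
              f"early warning by {item['early_warning'].isoformat()}")
```

The point of the join is that the answer comes from the fleet inventory, not from the advisory: an advisory that is exploited but matches no shipped version starts no clock, while one that matches an end-of-life model starts it even though there is nothing to backport from upstream.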
Penalties
Non-compliance with the essential requirements, or with the manufacturer's core obligations, can draw fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. Breaches of the other obligations are capped at €10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities at €5 million or 1%.
How Scadable gets you CRA-ready
Scadable maps every device, deployment, and component you have shipped to the CVEs that affect them, flags what is actively exploited, writes and backports the fix to fielded devices, opens the pull request, and files the report, inside the window.
It is continuous, not a one-time audit, so you stay compliant as new vulnerabilities appear.
Frequently asked questions
- When does the CRA take effect?
- It entered into force on 10 December 2024. The reporting obligations apply from 11 September 2026 and the full essential requirements from 11 December 2027.
- Does the CRA apply to my product?
- If it has digital elements and is sold in the EU, almost certainly yes. Products covered by sector-specific regulation, such as medical devices, automotive, and aviation, are the main exceptions.
- What is the 24-hour reporting rule?
- Manufacturers must send an early warning of an actively exploited vulnerability or a severe incident within 24 hours of becoming aware of it, to the CSIRT designated as coordinator in their Member State and to ENISA, through the single reporting platform. A fuller notification follows within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available (within one month for a severe incident).
- What are the CRA penalties?
- Up to €15 million or 2.5% of worldwide annual turnover for breaches of the essential requirements.
- Do I need a notified body?
- Default-class products can self-assess. Important class I products can also self-assess, but only if they apply harmonised standards or common specifications in full. Important class II and critical products require third-party assessment by a notified body, and critical products must use an EU cybersecurity certification scheme where one has been designated for them.