What Is the Cyber Resilience Act?

By Streamlex, 21 April 2025

Learn what the Cyber Resilience Act is, which digital products it applies to, when it comes into force, and how to access the full text PDF via EUR-Lex or Streamlex.


The Cyber Resilience Act (CRA) is the EU’s new cybersecurity law for digital products. In force since 10 December 2024, it sets mandatory cybersecurity requirements for software and hardware products with digital elements sold in the European Union. The goal is to ensure these products are secure by design and resilient throughout their lifecycle.

Unlike traditional cybersecurity, which focuses on protection, cyber resilience is about preparation, resistance, and rapid recovery. This makes the CRA different — and more forward-looking — than many previous EU laws.

What Is Cyber Resilience?

Cyber resilience refers to the ability of a system to prepare for, withstand, and recover from cyber threats while continuing to operate.

Per the NIST SP 800-172 definition:

“Cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

Cyber Resilience vs. Cybersecurity

While cybersecurity focuses on protecting systems from attacks, cyber resilience emphasizes the ability to maintain functionality even when under attack or facing disruptions.

What Products Are Covered by the CRA?

The CRA applies to nearly all products with digital elements (PDEs), which are defined as hardware or software that connects to a device or network — directly or indirectly.

Examples include:

  • Smart home devices (e.g. thermostats, lighting systems)
  • Fitness trackers and wearables
  • IoT sensors for agriculture or manufacturing
  • Embedded firmware in medical or industrial devices
  • Network-connected machinery and appliances

According to CRA Article 3(1), PDEs also include components sold separately and remote processing solutions tied to product function.

What Products Are Excluded?

Some products are explicitly excluded from the CRA:

  • National security & defense systems
  • Products already governed by sector-specific safety laws (e.g. medical devices, general product safety regulation)
  • Standalone websites and cloud services (unless essential to product functionality)

For example, a smart lock with remote updates via a cloud service would fall under the CRA — a marketing website alone would not.

How Are Products Classified Under the CRA?

The CRA classifies PDEs into four risk-based categories, each with increasing cybersecurity and conformity assessment requirements.


What Obligations Does the CRA Impose on Manufacturers?

The CRA establishes obligations to enhance cybersecurity throughout a product’s lifecycle:

  • Essential Cybersecurity Requirements (CRA Annex I): Manufacturers must design, develop, and produce products with digital elements that meet the cybersecurity standards outlined in Annex I, ensuring security is integrated throughout the product lifecycle. The Annex I requirements include (i) product cybersecurity requirements and (ii) vulnerability handling process requirements.
  • Risk Assessments (CRA Article 13): Manufacturers must assess potential cybersecurity risks, considering the product’s intended use, possible threats, and operating environment to minimize vulnerabilities.
  • Due Diligence (CRA Article 13): When using third-party components, manufacturers must ensure they do not compromise product security by verifying their integrity and identifying potential risks.
  • Security Updates (CRA Article 13): Manufacturers must provide security updates and support throughout the defined support period, ensuring vulnerabilities are addressed for at least 10 years or the remainder of the support period.
  • Documentation (CRA Article 13): Manufacturers must maintain records of cybersecurity risks, vulnerabilities, and security measures, including relevant third-party information, for ongoing risk management.
  • Vulnerability and Incident Handling (CRA Article 14): Manufacturers must have processes to detect, manage, and report security vulnerabilities and incidents, including notifying authorities about actively exploited vulnerabilities and severe incidents.
  • Conformity Assessments (CRA Article 32): Manufacturers must evaluate their products to ensure they meet cybersecurity standards, with assessments varying based on the product’s risk level, from internal checks to third-party evaluations.

CRA Timeline: When Does It Come Into Force?

The Cyber Resilience Act was adopted in December 2024 and became legally effective on 10 December 2024. However, a three-year transition period gives companies time to comply.

  • Full application begins: 11 December 2027
  • Some rules, such as those on incident reporting, apply earlier

Now is the time for manufacturers to start planning updates, redesigns, and supplier audits.

Cyber Resilience Act Fines and Penalties

Non-compliance can result in major penalties:

  • Up to €15 million or 2.5% of global annual turnover for violating essential cybersecurity requirements
  • Up to €10 million or 2% for failing to meet other regulatory obligations
  • Up to €5 million or 1% for misleading authorities

Market surveillance authorities in each Member State will enforce these rules, with additional measures like product bans or forced recalls. SMEs may receive proportionate enforcement based on scale and risk exposure.

Where to Find the CRA Text and PDF (EUR-Lex)

The official Cyber Resilience Act PDF is available on EUR-Lex, the EU’s legal database. You can download the official EUR-Lex PDF here:

🔗 View the official CRA PDF on EUR-Lex

However, it can be complex to navigate. Streamlex offers an annotated version of the CRA that includes:

  • Linked articles and recitals
  • In-text definitions
  • Risk category navigation
  • Practical context for each provision

Explore the interactive version of the Cyber Resilience Act on Streamlex

FAQ: Cyber Resilience Act (2025)

What is the Cyber Resilience Act in simple terms?

The CRA is an EU law that makes cybersecurity mandatory for digital products — requiring them to be secure by design, regularly updated, and resilient to cyber threats.

What does “cyber resilience” mean?

Cyber resilience is the ability of a system to continue operating and recover even during or after a cyberattack. It’s about continuity and recovery — not just protection.

Is there a difference between cyber resilience and cybersecurity?

Yes. Cybersecurity is about prevention. Cyber resilience includes prevention and recovery. The CRA emphasizes the latter.

When will the Cyber Resilience Act apply?

The CRA is already in force (since December 2024), but most rules start applying from 11 December 2027.

Where can I download the Cyber Resilience Act PDF?

You can download it from EUR-Lex or read it interactively on Streamlex with enhanced navigation and definition tools. Access the full text of the CRA here.

What products are covered by the CRA?

Any connected hardware or software sold in the EU — including smart devices, IoT sensors, industrial firmware, and more.

What are the fines under the Cyber Resilience Act?

Up to €15 million or 2.5% of global turnover, depending on the violation. Penalties vary by severity and company size.

Is there compliance guidance for the Cyber Resilience Act?

The European Union Agency for Cybersecurity (ENISA) has already released guidance on the following topics (more will follow):

© 2025 StreamLex