Cyber Resilience Act (CRA), Regulation (EU) 2024/2847
Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) entered into force on 10 December 2024. Its obligations apply in stages: the provisions on notified bodies (Chapter IV) apply from 11 June 2026, the reporting obligations for actively exploited vulnerabilities and severe incidents (Article 14) apply from 11 September 2026, and the remaining obligations, including the essential requirements and conformity assessment, apply from 11 December 2027. The CRA aims to strengthen the EU's approach to cybersecurity for products with digital elements by placing obligations on manufacturers for the whole product life cycle, not only at the point of sale.
Scope
The CRA applies to products with digital elements (software or hardware products and their remote data processing solutions, including components placed on the market separately) whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. A logical connection is one implemented through a software interface; a physical one is, for example, an Ethernet or USB port. Whether the product exchanges data autonomously or only when a user initiates it makes no difference: if the connection is part of the intended purpose or reasonably foreseeable use, the product is in scope. Products already covered by sector-specific EU cybersecurity rules, such as medical devices, civil aviation and motor vehicles, are excluded, so check the exclusions in Article 2 before assuming the CRA applies.
Conformity
The CRA contains essential cybersecurity requirements (ECRs, Annex I) that must be met. A key part of the conformity assessment process is the cybersecurity risk assessment, which the manufacturer must carry out and document. It differs from, say, a machinery safety risk assessment in that the threats are adversarial rather than accidental, and it needs input from people outside the usual engineering team: someone who understands attacker behaviour, network exposure and the organisations that will deploy the product. Cybersecurity breaches can have significant impacts on users and organisations, not just the product itself (data loss, lateral movement into a network, use of the product to attack others), so these wider consequences belong in the assessment.
When conducting the cybersecurity risk assessment, it is important to understand the product's intended purpose as well as its reasonably foreseeable use and misuse, including the conditions under which it will operate, such as exposure to an untrusted network. The concept of 'intended purpose' lies at the heart of the CRA, since it determines both scope and the risks considered, so it should be defined through a rigorous process and recorded.
After completing the risk assessment, measures are selected to address the identified risks, and the outcome is documented in the technical documentation. The assessment is not a one-off: the CRA expects it to be taken into account during planning, design, development, production, delivery and maintenance, and to be updated when the product or its threat environment changes.
Standards
Harmonised standards, once cited in the Official Journal of the EU, give a presumption of conformity with the ECRs they cover and should assist with risk assessment, vulnerability handling and meeting the requirements. Where harmonised standards are not available or are felt to be inadequate, the European Commission can adopt common specifications (Article 27). At the time of writing (June 2026), there are no harmonised standards or common specifications. Without these, other means must be used to demonstrate compliance with the essential requirements, such as working to the ISA/IEC 62443 series on security for industrial automation and control systems, and the technical documentation must then show how each ECR is met rather than simply citing a standard.
For complex products such as machines incorporating other products with digital elements, manufacturers should ensure that these components are CE marked to the CRA and supplied with the necessary documentation. This does not remove the integrating manufacturer's own responsibility: the CRA requires due diligence on third-party components, including open-source components, and the finished product's risk assessment and SBOM must cover them.
Documentation
Compliance requires technical documentation (Annex VII), information and instructions for the user (Annex II), an EU declaration of conformity (Annex V) and other supporting documentation. An important item is the software bill of materials (SBOM), which the CRA requires to be in a commonly used, machine-readable format covering at least the product's top-level dependencies. Its practical value is that new vulnerabilities disclosed in a listed component can be matched to the products that contain it, which is what makes the vulnerability-handling obligations workable across a product range.
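An SBOM only helps if it is actually matched against vulnerability information as it appears. The following Python is an added example, not code from the page or from any regulator or standard. It parses a constructed, minimal CycloneDX-style SBOM, compares each top-level component's package URL and version against a constructed advisory list, and reports the affected components. The advisory record format (an introduced/fixed version pair) and every identifier in both documents are assumptions made for the example; a real pipeline would consume a vulnerability feed and a far richer version-matching library.

```python
"""Match the top-level components of a CycloneDX-style SBOM against advisories.

Added example, not from the page or any regulator. The SBOM, the advisory
record format and every identifier below are constructed for illustration.
"""
import json
import re

# Constructed minimal CycloneDX 1.5-style SBOM covering only top-level
# dependencies, which is the minimum the CRA asks for.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "requests-toolbelt", "version": "1.0.0",
         "purl": "pkg:pypi/requests-toolbelt@1.0.0"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1"},
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "purl": "pkg:generic/openssl@3.0.13"},
        # In-house component with no package URL: it cannot be matched by purl
        # and is reported separately so it is not silently ignored.
        {"type": "firmware", "name": "motor-controller-fw", "version": "4.1"},
    ],
})

# Constructed advisories with hypothetical IDs. The introduced/fixed pair is
# a half-open range: a component is affected when introduced <= v < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2026-0001", "purl": "pkg:pypi/requests",
     "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "EXAMPLE-2026-0002", "purl": "pkg:pypi/urllib3",
     "introduced": "2.0.0", "fixed": "2.2.0"},
    {"id": "EXAMPLE-2026-0003", "purl": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.14"},
]


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple.

    Pre-release or build suffixes ("2.2.1rc1") are dropped, which is a
    simplification; a production matcher needs ecosystem-specific rules.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def purl_without_version(purl):
    """Strip the '@version', '?qualifiers' and '#subpath' parts of a purl."""
    return purl.split("#", 1)[0].split("?", 1)[0].split("@", 1)[0]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (fixed may be None: unfixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(sbom_json, advisories):
    """Return (hits, unmatched) for the SBOM's top-level components.

    hits: list of {"name", "version", "advisory"} in SBOM order.
    unmatched: component names that carry no purl and so cannot be matched.
    """
    sbom = json.loads(sbom_json)
    hits, unmatched = [], []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            unmatched.append(component["name"])
            continue
        # Exact match on the versionless purl, so that "pkg:pypi/requests"
        # does not accidentally match "pkg:pypi/requests-toolbelt".
        base = purl_without_version(purl)
        for advisory in advisories:
            if advisory["purl"] != base:
                continue
            if is_affected(component["version"],
                           advisory["introduced"], advisory.get("fixed")):
                hits.append({"name": component["name"],
                             "version": component["version"],
                             "advisory": advisory["id"]})
    return hits, unmatched


if __name__ == "__main__":
    found, skipped = match_advisories(SBOM_JSON, ADVISORIES)
    for hit in found:
        print("%s %s affected by %s" % (hit["name"], hit["version"], hit["advisory"]))
    for name in skipped:
        print("%s has no purl; review manually" % name)
```

The two design points worth carrying into a real tool are the exact match on the versionless purl (prefix matching produces false positives on similarly named packages) and the explicit list of components that could not be matched at all, since an SBOM entry without an identifier is exactly the dependency that never gets checked.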
Important or critical?
The CRA differentiates between default products, 'important' products (Annex III, split into Class I and Class II) and 'critical' products (Annex IV). The class determines the conformity assessment route. Default products may be assessed in-house under the internal control procedure. Important Class I products may also be self-assessed, but only where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full; otherwise a notified body is required. Important Class II products always require a notified body, and critical products must additionally use a European cybersecurity certification scheme where one has been made mandatory for them.
Whatever the route, manufacturers need internal processes for testing and validating their cybersecurity measures, for handling vulnerabilities (including a coordinated vulnerability disclosure policy and a contact address for reporters) and for distributing security updates.
Lifetime support
The CRA requires security updates to be provided throughout the product's support period, which the manufacturer sets to reflect the time the product is expected to be in use and which should be at least five years unless the product is expected to be used for a shorter time. Updates must be disseminated without delay and free of charge; the only exception is a tailor-made product for a business user where the parties have agreed otherwise. Each security update must remain available for at least ten years after it is issued or for the remainder of the support period, whichever is longer.
Throughout the support period, the manufacturer is obliged to report actively exploited vulnerabilities and severe incidents affecting the product's security to the designated national CSIRT and to the European Union Agency for Cybersecurity (ENISA) through the single reporting platform. The deadlines are short: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report once the issue is resolved, so the internal process for triaging a report must be in place before the product ships. Affected users must also be informed of the vulnerability or incident and given guidance on mitigating it.
Official guidance
Draft EC guidance on the application of the CRA provides a starting point for manufacturers, particularly microenterprises and SMEs. See Annex - Ares(2026)2319816.
Economic operators
The CRA brings products with digital elements under Article 4 of Regulation (EU) 2019/1020, so there must be an economic operator established in the EU who is responsible for the product: the manufacturer, an importer, an authorised representative or a fulfilment service provider. Non-EU manufacturers are unlikely to want an importer to take this role, because it requires sharing the technical documentation and other sensitive information with a commercial party. In practice, the usual option is to appoint an authorised representative by written mandate.
How to Comply
We suggest that competent people are used for this type of assessment. The majority of 'Machinery' consultants and organisations are not especially versed in cybersecurity.
We recommend contacting Rhelative LLP. https://rhelative.com.