Cyber Resilience ActFree Resource

Cyber Resilience Act Product Security, Reporting and CE Marking

Use this CRA hub to decide scope, classify products, map Annex I requirements, design technical documentation, and stand up reporting and support period operations before the regulation fully applies.

This resource is grounded in Regulation (EU) 2024/2847, the European Commission policy page, the January 2026 CRA FAQ, and the Commission's March 2026 draft guidance on scope, remote data processing, open source software, and support periods. It is practical guidance, not legal advice.

Get implementation support
Publication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 11, 2026
What this CRA hub helps you decide
Scope and exclusions
Confirm whether you have a product with digital elements, whether remote data processing is in scope, and whether any Article 2 exclusion applies.
Control and evidence model
Translate Annex I, Annex II, Article 13, Article 14, Article 31, and Article 32 into owners, tests, records, and release gates.
Timing and enforcement risk
Sequence the 11 June 2026, 11 September 2026, and 11 December 2027 milestones so reporting, support, CE marking, and authority response are ready.
By Sorena AIUpdated 2026-03Grounded in official sources
Quick scan
Artifact
Core dates
Entered into force on 10 December 2024. Draft Commission guidance was published for feedback on 3 March 2026. Reporting starts on 11 September 2026. Main application starts on 11 December 2027.
Support period
Manufacturers must set and disclose a support period of at least five years unless expected use is shorter, then keep handling vulnerabilities throughout that period.
Conformity routes
Default products can use internal control in many cases. Important and critical products may need Module B plus C or Module H, depending on category and standards coverage.
Use the topic guides to turn the CRA from a legal requirement set into a portfolio level product security operating model.
1
Hub
16
Guides
2026
Updated
EU
Focus
Scope first
Map evidence
Prepare reporting
Timeline

Key milestones for Cyber Resilience Act

Use milestones to sequence governance, engineering controls, vulnerability handling, reporting readiness, and CE marking evidence work.

Loading timeline...
Decision Flow

How to operationalize Cyber Resilience Act

Use the decision flow to convert scope, conformity route, and requirement questions into clear implementation actions.

Loading decision map...

Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1
Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
Read Guide
2
Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
Read Guide
3
Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
Read Guide
4
Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking
Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
Read Guide
5
CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence
Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
Read Guide
6
CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
Read Guide
7
CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking
Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
Read Guide
8
Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking
Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
Read Guide
9
Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA essential cybersecurity requirements in Annex I.
Read Guide
10
Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
Read Guide
11
Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking
Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
Read Guide
12
Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking
Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
Read Guide
13
Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking
Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
Read Guide
14
SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking
Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
Read Guide
15
Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
Read Guide
16
Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking
Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.
Read Guide
Next step

Turn Cyber Resilience Act Product Security, Reporting and CE Marking into an operational assessment workflow

Cyber Resilience Act Product Security, Reporting and CE Marking should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into Research Copilot when the artifact needs deeper research, evidence governance, or supporting analysis.

What this unlocks
  • Start from Cyber Resilience Act Product Security, Reporting and CE Marking and route the work by entity, product, team, or control owner.
  • Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
  • Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
  • Move from artifact reading to accountable execution without rebuilding the guidance in separate files.
Recommended route
Open Assessment Autopilot
Turn the guidance into owned tasks, evidence requests, and review checkpoints for Cyber Resilience Act Product Security, Reporting and CE Marking.
Supporting route
Open Research Copilot
Answer scope, timing, and interpretation questions with cited outputs from the same artifact.
Talk to Sorena
Talk through Cyber Resilience Act Product Security, Reporting and CE Marking
Review your current process, evidence model, and next steps for Cyber Resilience Act Product Security, Reporting and CE Marking.
Discuss your setup
Cyber Resilience Act artifact preview
Share it internally
Download the artifact exports to align legal, product, engineering, and commercial teams.