
Cyber Resilience Act: Scope, duties and CE marking

Use this CRA hub to decide whether a software, hardware, component, or remote data processing solution is a product with digital elements, then connect that product record to the duties that apply before it is placed on the EU market.

Regulation (EU) 2024/2847 covers cybersecurity requirements for products with digital elements and the vulnerability-handling processes behind them. The practical work is product-led: define intended and reasonably foreseeable use, document the cybersecurity risk assessment, set the support period, prepare user information, report qualifying vulnerabilities and incidents, complete the conformity route, and keep the technical file ready for market surveillance.

Publication details
Author: Sorena AI
Published: Mar 4, 2026
Updated: May 25, 2026
What the hub helps you check
Product scope
Check whether the item is a software or hardware product, a separately placed component, or a remote data processing solution needed for the product to function.
Economic-operator duties
Separate manufacturer duties from importer and distributor checks, including CE marking, EU declaration of conformity, user instructions, support-period disclosure, and corrective-action triggers.
Security and evidence path
Tie Annex I security properties, vulnerability handling, SBOM, coordinated disclosure, security-update delivery, Article 14 reporting, technical documentation, and conformity assessment to the same product model.
Quick scan
CRA
Start with the product boundary
The CRA is about products with digital elements, including software, hardware, separately marketed components, and remote processing that the product needs for its functions.
Build the product security file
Keep the risk assessment, Annex I requirement mapping, vulnerability-handling process, SBOM record, support-period rationale, user instructions, tests, and conformity evidence together.
Route CE and reporting work early
Article 14 reporting applies before the main application date; conformity assessment and CE marking depend on whether the product is neither important nor critical, important class I, important class II, or critical.
Use the timeline and topic guides to move from product classification to release gates, security-update operations, reporting readiness, and market-surveillance evidence.
Annex I: Security | Art. 14: Reporting | Art. 32: Conformity | CE: Marking
Classify product | Map duties | Prepare evidence
CRA Timeline

Key dates for Cyber Resilience Act implementation

Track the staged application of Chapter IV notified-body rules from 11 June 2026, Article 14 reporting from 11 September 2026, the main CRA obligations from 11 December 2027, and the related transition rules for products already placed on the market.


Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. CRA Applicability Test for Products With Digital Elements
   Check whether the EU Cyber Resilience Act applies to a hardware, software, firmware, open-source, or connected product before conformity planning.
2. CRA Article 14 Reporting Obligations for Vulnerabilities and Incidents
   Article 14 guide to CRA reports for actively exploited vulnerabilities and severe product-security incidents, including deadlines, CSIRT routing, users, and evidence.
3. CRA Conformity Assessment and CE Marking
   How to choose a Cyber Resilience Act conformity route, prepare technical documentation, issue the EU declaration of conformity, and affix CE marking.
4. CRA deadlines and compliance calendar | EU Cyber Resilience Act
   Track the Cyber Resilience Act entry into force, staged application dates, Article 14 reporting deadlines, transitional rules, and review dates.
5. CRA Essential Cybersecurity Requirements in Annex I
   A grounded guide to the Cyber Resilience Act Annex I requirements for product security, vulnerability handling, secure-by-design controls, documentation, and evidence.
6. CRA Penalties and Fines: Article 64 Caps and Enforcement Context
   Article 64 of the EU Cyber Resilience Act sets administrative fine ceilings for Annex I, manufacturer, reporting, economic-operator, notified-body, and information-request breaches.
7. CRA Products with Digital Elements Scope | EU Cyber Resilience Act
   Apply the EU Cyber Resilience Act scope test for software, hardware, remote data processing, components, open-source software, exclusions, and economic-operator roles.
8. CRA Requirements | Annex I, Manufacturer Duties and CE Evidence
   Map Cyber Resilience Act requirements from Annex I to manufacturer duties, vulnerability handling, user information, technical documentation, declaration of conformity, and CE marking evidence.
9. CRA SBOM and Vulnerability Management Template
   Build a CRA-ready SBOM and vulnerability handling record with component inventory, triage, remediation, disclosure, reporting, update, and technical documentation fields.
10. CRA vs RED Cybersecurity Delegated Act
    Compare the EU Cyber Resilience Act with the RED cybersecurity delegated act for connected and radio equipment, including scope, timing, evidence, and transition treatment.
11. CRA vs UK PSTI Act | Cyber Resilience Act Comparison
    Compare grounded EU Cyber Resilience Act duties with UK PSTI planning points, with UK legal details clearly marked for separate source review.
12. CRA Vulnerability Handling and Disclosure | Article 14 Reporting and Security Updates
    How EU Cyber Resilience Act manufacturers should run vulnerability intake, remediation, coordinated disclosure, Article 14 reporting, secure updates, and evidence records.
13. EU CRA Compliance Program for Manufacturers and Economic Operators
    Build a Cyber Resilience Act compliance program around product scope, Annex I security requirements, conformity assessment, technical documentation, vulnerability reporting, and market surveillance.
14. EU Cyber Resilience Act Checklist for Product Security and CE Marking
    A CRA checklist for products with digital elements: scope, Annex I security controls, vulnerability handling, Article 14 reporting, technical documentation, conformity assessment, CE marking, and support-period evidence.
15. EU Cyber Resilience Act FAQ
    Direct CRA FAQ answers on scope, economic-operator roles, essential requirements, vulnerability reporting, conformity assessment, CE marking, support periods, and market surveillance.
16. EU Cyber Resilience Act Technical Documentation and Audit File
    Build an audit-ready CRA technical file around Article 31 and Annex VII: product scope, risk assessment, vulnerability handling, conformity evidence, testing, and retention.
Next step

Turn CRA product scope into owned security and conformity work

Use this hub as the shared entry point for CRA product classification, vulnerability-handling design, reporting readiness, technical documentation, conformity assessment, CE marking, and importer or distributor checks.

What this unlocks
  • Start with one product model, software release, component, or remote processing dependency and record the intended purpose, foreseeable use, EU market path, and economic-operator role.
  • Use Assessment Autopilot to request the cybersecurity risk assessment, Annex I mapping, SBOM record, support-period rationale, coordinated disclosure policy, update-delivery evidence, tests, and EU declaration of conformity.
  • Use Research Copilot for cited questions about product scope, remote data processing, open-source components, important or critical product classification, Article 14 reporting, and conformity assessment modules.
  • Keep legal interpretation, engineering evidence, supplier records, release approvals, user information, vulnerability reports, and reassessment triggers connected to the same product file.