- Official Commission overview used for high-level CRA purpose, manufacturer lifecycle obligations, CE marking context, and application timing.
"mandatory cybersecurity requirements for manufacturers"
A product-by-product compliance architecture for manufacturers, importers, distributors, and other economic operators.
Use the CRA to connect secure design, conformity assessment, technical documentation, vulnerability handling, reporting, and market surveillance response.
A CRA compliance program should be built around each product with digital elements and the processes used to design, develop, produce, maintain, and support it. The practical output is not a standalone policy: it is a product compliance file that proves how Annex I requirements, CE marking, vulnerability handling, reporting, and economic-operator duties are controlled across the product lifecycle.
The CRA applies to products with digital elements made available on the Union market when their intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. The compliance program should therefore begin with a product inventory that records the product, software versions that affect cybersecurity compliance, remote data processing dependencies, intended purpose, reasonably foreseeable use, market channel, and support period.
Role assignment matters because the CRA places different obligations on manufacturers, authorised representatives, importers, distributors, open-source software stewards, and other operators. Importers and distributors also become subject to manufacturer obligations when they place a product on the market under their own name or trademark or substantially modify a product already placed on the market.
Article 13 requires manufacturers to design, develop, and produce products in line with the essential cybersecurity requirements in Annex I Part I, and to operate vulnerability handling processes in line with Annex I Part II. The risk assessment must be documented, updated during the support period, and used during planning, design, development, production, delivery, and maintenance.
For engineering teams, Annex I should be translated into release gates, not left as legal text. Each gate should produce evidence that can be reused in the technical documentation and in market surveillance responses.
The CRA requires the manufacturer to assess both the product and the manufacturer's processes against Annex I. Article 32 gives four routes: internal control based on module A, EU-type examination based on module B followed by conformity to type based on module C, full quality assurance based on module H, or an applicable European cybersecurity certification scheme.
The route depends on product classification and the availability or use of harmonised standards, common specifications, or certification schemes. Ordinary products may use the Article 32(1) routes. Important class I products need module B plus C or module H when the relevant standards, specifications, or certification schemes are not applied or do not exist. Important class II products use module B plus C, module H, or an applicable certification scheme. Critical products follow the certification route when required, otherwise the class II routes.
Article 31 and Annex VII make the technical documentation the core evidence set. It must be drawn up before the product is placed on the market and continuously updated where appropriate during the support period. Manufacturers must keep the technical documentation and EU declaration of conformity available for market surveillance authorities for at least 10 years after placement on the market or for the support period, whichever is longer.
The documentation should be structured so an authority can understand the product, assess the cybersecurity risk analysis, see the Annex I mapping, and trace test results and vulnerability-handling procedures without reconstructing the product history from scattered tools.
The CRA support period is the period during which the manufacturer must handle vulnerabilities effectively. Article 13 requires the manufacturer to set that period based on expected use, reasonable user expectations, product nature and intended purpose, relevant Union law, comparable products, operating-environment availability, and support periods for core third-party components. It is at least five years unless the product is expected to be used for less than five years.
Article 14 reporting is a separate operating process. Manufacturers must notify actively exploited vulnerabilities and severe incidents affecting product security through the single reporting platform to the CSIRT designated as coordinator and ENISA. The program needs a triage path that can identify reportable events, route them to the correct notification endpoint, inform impacted users, and preserve final-report evidence.
Importers must check before placing a product on the Union market that the manufacturer has carried out the appropriate conformity assessment, drawn up technical documentation, applied the CE marking, provided the EU declaration of conformity, and supplied required user information. Distributors must act with due care and verify CE marking, manufacturer and importer identification, support-period information, user instructions, and necessary documents before making products available.
Market surveillance authorities can request data and documentation needed to assess design, development, production, and vulnerability handling. Where a product or its vulnerability handling presents a significant cybersecurity risk, authorities can evaluate the product, require corrective action, withdrawal, or recall, and coordinate with CSIRTs, ENISA, other market surveillance authorities, and data-protection authorities where relevant.
Assessment Autopilot can convert this CRA program structure into product-level scope records, Annex I mappings, evidence requests, and reporting readiness checks for products with digital elements.
Create product-level tasks for scope, role assignment, Annex I controls, technical documentation, conformity assessment, and reporting readiness.
Review product scope, operator roles, evidence gaps, and the compliance work needed before CE marking.