
EU Cyber Resilience Act FAQ Reporting Obligations

Use this CRA FAQ to understand what must be reported under Article 14, when the reporting clock starts, where filings go, and how user notices and legacy-product reporting work.

Built for incident response, product security, legal, and compliance teams managing CRA reporting workflows.

Author: Sorena AI
Published: Mar 10, 2026
Updated: Mar 10, 2026
Overview

The CRA creates mandatory reporting duties for actively exploited vulnerabilities and severe incidents, with earlier application than most other CRA obligations. This FAQ explains Article 14 reporting triggers, deadlines, CSIRT routing, user-notice duties, voluntary reporting, and how the regime applies to older products already on the market.

Section 1

What does the CRA require manufacturers to report, and from when?

From 11 September 2026, Article 14 requires manufacturers to notify two things:

- any actively exploited vulnerability contained in the product with digital elements

- any severe incident having an impact on the security of the product with digital elements

Those notifications must be made simultaneously to the relevant CSIRT designated as coordinator and to ENISA via the single reporting platform.


Section 2

What is an "actively exploited vulnerability" for CRA reporting purposes?

Article 3(42) defines it as a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.

That means the reporting trigger is not just that a flaw exists. The Commission FAQ says a vulnerability found in good-faith testing, a lab, or a bug-bounty context is not subject to mandatory notification unless there is reliable evidence of malicious exploitation.

Section 3

What is a severe incident under the CRA?

Article 14(5) says an incident is severe where either:

- it negatively affects, or is capable of negatively affecting, the product's ability to protect the availability, authenticity, integrity, or confidentiality of sensitive or important data or functions

- it has led, or is capable of leading, to the introduction or execution of malicious code in the product or in the user's network and information systems

Recital 68 adds that this can include incidents affecting the manufacturer's development, production, or maintenance processes in a way that increases risk for users.

Section 4

What are the reporting deadlines for actively exploited vulnerabilities?

For an actively exploited vulnerability, the manufacturer must submit:

- an early warning without undue delay and in any event within 24 hours of becoming aware

- a vulnerability notification without undue delay and in any event within 72 hours of becoming aware

- a final report no later than 14 days after a corrective or mitigating measure is available

Section 5

What are the reporting deadlines for severe incidents?

For a severe incident, the manufacturer must submit:

- an early warning without undue delay and in any event within 24 hours of becoming aware

- an incident notification without undue delay and in any event within 72 hours of becoming aware

- a final report within one month after submission of the incident notification

Section 6

What information has to be included in CRA reporting notifications and reports?

The CRA stages the required information across the early warning, the 72-hour notification, and the final report.

For an actively exploited vulnerability:

- the early warning identifies the vulnerability and, where applicable, the Member States where the product is known to have been made available

- the 72-hour notification adds general information about the product, the exploit and vulnerability, corrective or mitigating measures already taken, measures users can take, and, where applicable, the sensitivity of the information

- the final report adds the vulnerability description, severity and impact, information about the malicious actor where available, and details of the security update or other corrective measures

For a severe incident:

- the early warning includes at least whether the incident is suspected of being caused by unlawful or malicious acts and, where applicable, the relevant Member States

- the 72-hour notification adds general information about the nature of the incident, an initial assessment, corrective or mitigating measures already taken, measures users can take, and, where applicable, the sensitivity of the information

- the final report adds the detailed description, severity and impact, the likely threat type or root cause, and the applied and ongoing mitigation measures

Section 7

When does the CRA reporting clock start?

It starts when the manufacturer becomes aware of the actively exploited vulnerability or severe incident.

The March 2026 draft guidance says a manufacturer is to be regarded as aware when, after an initial assessment, it has a reasonable degree of certainty that a vulnerability is being actively exploited or that a severe incident has occurred and has compromised the security of the product.
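The deadline arithmetic from Sections 4, 5 and 7 in one place, as an added example that is not part of this FAQ and not a Commission or CSIRT tool. The 11 September 2026 start, the 24-hour, 72-hour and 14-day periods and the one-month rule come from the text above; counting "one month" as a calendar month with the day clamped to the month's length is this example's own assumption, as are the event kinds and field names.

```python
"""Deadline tracker for CRA Article 14 reporting, following this FAQ's timelines."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values taken from the FAQ (Sections 1, 4, 5 and 7).
REPORTING_START = datetime(2026, 9, 11, tzinfo=timezone.utc)  # Article 14 applies from here
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
VULN_FINAL_AFTER_FIX = timedelta(days=14)   # final vulnerability report
INCIDENT_FINAL_MONTHS = 1                   # final incident report, after the 72h notification

STAGES = ("early_warning", "notification", "final_report")


def utc(*args) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(*args, tzinfo=timezone.utc)


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month arithmetic with the day clamped to the target month's length.
    Counting "one month" this way is an assumption of this example, not a rule the FAQ states."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    return dt.replace(year=year, month=month, day=min(dt.day, monthrange(year, month)[1]))


@dataclass
class ReportingEvent:
    kind: str                                  # "vulnerability" or "incident" (assumed labels)
    aware_at: datetime                         # Section 7: the clock starts at awareness
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None
    fix_available_at: Optional[datetime] = None   # corrective or mitigating measure available

    def __post_init__(self):
        if self.kind not in ("vulnerability", "incident"):
            raise ValueError(f"unknown event kind: {self.kind!r}")


def is_mandatory(ev: ReportingEvent) -> bool:
    """Section 30: the mandatory duty attaches to awareness on or after 11 September 2026."""
    return ev.aware_at >= REPORTING_START


def deadlines(ev: ReportingEvent) -> dict:
    """Deadline per stage; None where the event that starts the final-report clock has not happened."""
    out = {
        "early_warning": ev.aware_at + EARLY_WARNING,
        "notification": ev.aware_at + NOTIFICATION,
        "final_report": None,
    }
    if ev.kind == "vulnerability":
        # Section 4: final report 14 days after a corrective or mitigating measure is available.
        if ev.fix_available_at is not None:
            out["final_report"] = ev.fix_available_at + VULN_FINAL_AFTER_FIX
    else:
        # Section 5: final report one month after submission of the incident notification.
        if ev.notification_sent_at is not None:
            out["final_report"] = add_months(ev.notification_sent_at, INCIDENT_FINAL_MONTHS)
    return out


def overdue(ev: ReportingEvent, now: datetime) -> list:
    """Stages whose deadline has passed with no filing recorded (empty when the duty is not mandatory)."""
    if not is_mandatory(ev):
        return []
    sent = {
        "early_warning": ev.early_warning_sent_at,
        "notification": ev.notification_sent_at,
        "final_report": ev.final_report_sent_at,
    }
    due = deadlines(ev)
    return [s for s in STAGES if due[s] is not None and sent[s] is None and now > due[s]]


if __name__ == "__main__":
    # Constructed sample: a vulnerability the team became aware of on 1 Oct 2026, no fix yet.
    vuln = ReportingEvent("vulnerability", utc(2026, 10, 1, 12))
    for stage, when in deadlines(vuln).items():
        print(f"{stage:14s} {when}")
    print("overdue on 3 Oct:", overdue(vuln, utc(2026, 10, 3)))
```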

Section 8

Does the CRA require specific monitoring channels in order to become aware?

No.

The Commission FAQ says the CRA does not prescribe how a manufacturer must become aware. It gives examples such as customer reports, partner reports, threat intelligence, researchers, telemetry, honeypots, and internal monitoring, but it also says those examples do not create a legal duty to use all of them.

Section 9

Do zero-day vulnerabilities always have to be reported?

No.

They are subject to mandatory reporting only when the manufacturer has reliable evidence that a malicious actor has exploited them. If a zero-day is discovered without evidence of malicious exploitation, the manufacturer can still report it voluntarily under Article 15.

Section 10

If an actively exploited vulnerability is in an integrated third-party component, does the finished-product manufacturer have to notify it?

Yes, if that vulnerability is actively exploited in the finished product.

The Commission FAQ says the finished-product manufacturer must notify any actively exploited vulnerability contained in its product, even if the weakness originates in an integrated component. If the component manufacturer also placed that component on the market, it may have its own notification obligation as well.

Section 11

What if the component vulnerability exists, but cannot be exploited in the finished product?

Then it is not an actively exploited vulnerability for that finished product, so Article 14 mandatory reporting is not triggered on that basis.

The Commission FAQ says voluntary reporting under Article 15 may still be appropriate, and Article 13(6) still requires reporting upstream to the person or entity manufacturing or maintaining the component.

Section 12

Where does the manufacturer file the CRA notification?

The notification is submitted via the single reporting platform using the electronic notification end-point of the relevant CSIRT designated as coordinator. It is simultaneously accessible to ENISA.

Section 13

Which Member State's CSIRT is the right one for reporting?

If the manufacturer has a main establishment in the Union, the report goes to the CSIRT of that Member State.

For CRA reporting, the main establishment is the Member State where decisions related to the cybersecurity of the manufacturer's products are predominantly taken. If that cannot be determined, it is the Member State with the establishment having the highest number of employees in the Union.

Section 14

What if the manufacturer has no main establishment in the Union?

Article 14(7) provides a fallback order.

The manufacturer reports to the CSIRT of the Member State determined, in order, by:

- the authorised representative acting for the highest number of the manufacturer's products

- the importer placing on the market the highest number of those products

- the distributor making available the highest number of those products

- the Member State where the highest number of users are located

If the last fallback is used, the manufacturer may keep reporting later events to that same CSIRT.

Section 15

Can the CSIRT ask for more information after the initial CRA reports?

Yes.

Article 14(6) says the CSIRT initially receiving the notification may request an intermediate report on relevant status updates.

Section 16

Does the CRA also require user notification?

Yes.

After becoming aware of an actively exploited vulnerability or severe incident, the manufacturer must inform impacted users and, where appropriate, all users, including any risk-mitigation and corrective measures they can deploy. The CRA adds that this should, where appropriate, be provided in a structured, machine-readable format that is easily automatically processable.

Section 17

Does CRA user notification always mean public disclosure to everyone?

Not automatically.

The March 2026 draft guidance says the Article 14(8) duty should be applied in a risk-based and proportionate way. It does not necessarily require indiscriminate public disclosure in every case, especially for sensitive products or contexts where wider disclosure could itself increase cybersecurity risk. Once the vulnerability has been adequately addressed or mitigated, broader disclosure may become appropriate, but the timing and level of detail should still remain proportionate.

Section 18

What if the manufacturer does not inform users in time under the CRA?

Then the notified CSIRTs may provide that information to users where that is proportionate and necessary to prevent or mitigate the impact.

For severe incidents, Article 17(2) also allows the relevant CSIRT, after consulting the manufacturer and where appropriate in cooperation with ENISA, to inform the public or require the manufacturer to do so where public awareness is necessary or otherwise in the public interest.

Section 19

Can dissemination of a notification be delayed because the information is sensitive?

Yes, in exceptional circumstances and only for the period strictly necessary.

Article 16 allows the CSIRT initially receiving the notification to delay dissemination on justified cybersecurity-related grounds, including coordinated vulnerability disclosure cases. The CRA also provides an additional regime for particularly exceptional vulnerability cases involving exploitation limited to one Member State, essential national interests, or imminent high cybersecurity risk from further dissemination.

Section 20

What if no fix is available yet for CRA reporting purposes?

The reporting obligation still applies.

The 24-hour and 72-hour deadlines are triggered by awareness, not by the availability of a corrective measure. The final vulnerability report is due after a corrective or mitigating measure becomes available. Article 16(5) also recognises the case where no corrective or mitigating measure is yet available and requires secure, need-to-know handling on the reporting platform.

Section 21

Do products placed on the market before 11 December 2027 still have to be reported under Article 14?

Yes.

Article 69(3) says Article 14 applies to all products with digital elements in scope, including products placed on the market before 11 December 2027. The Commission FAQ adds that these reporting obligations start applying on 11 September 2026.

Section 22

For those pre-11 December 2027 products, do the broader CRA vulnerability-handling obligations also apply automatically?

No.

The Commission FAQ says manufacturers may still have to report actively exploited vulnerabilities and severe incidents for those older products, but the broader CRA obligations do not apply to them on that basis alone unless the product is substantially modified.

Section 23

What if the product is so old that the manufacturer can no longer investigate or remediate it properly?

The reporting obligation can still apply.

The Commission FAQ expressly notes that, for older products, tooling, build environments, dependencies, or staff knowledge may no longer be available. That practical difficulty does not remove the Article 14 reporting duty for in-scope pre-11 December 2027 products.

Section 24

Can CRA reporting be done voluntarily even where Article 14 does not require it?

Yes.

Article 15 allows manufacturers and other natural or legal persons to notify vulnerabilities, cyber threats affecting a product's risk profile, incidents, and near misses on a voluntary basis. The CSIRT may prioritise mandatory notifications over voluntary ones.

Section 25

What happens under the CRA if someone other than the manufacturer submits a report?

If another natural or legal person reports an actively exploited vulnerability or severe incident under Article 15, the CSIRT designated as coordinator must inform the manufacturer without undue delay.

Section 26

Does CRA reporting itself increase liability?

No.

The CRA expressly says the mere act of notification under Article 14 or Article 15 does not subject the notifying natural or legal person to increased liability.

Section 27

What happens under the CRA after a vulnerability is reported and a corrective measure becomes available?

After a security update or another corrective or mitigating measure is available, ENISA must, in agreement with the manufacturer, add the publicly known vulnerability notified under Article 14(1) or Article 15(1) to the European vulnerability database.

Section 28

Do open-source software stewards have the same reporting obligations as manufacturers?

Not in full.

Article 24(3) applies Article 14(1) to stewards only to the extent they are involved in development of the products. It applies Article 14(3) and Article 14(8) only to the extent that severe incidents affect network and information systems the stewards provide for the development of those products.

Section 29

Is there any specific CRA reporting relief for microenterprises and small enterprises?

There is only a narrow one.

The CRA does not remove the reporting obligation itself, but Article 64 and Recital 120 provide that microenterprises and small enterprises are exempt from the administrative fines tied to failure to meet the 24-hour early-warning deadline in Article 14(2)(a) or Article 14(4)(a). Article 17(6) also says CSIRTs shall provide helpdesk support, in particular for microenterprises and SMEs.

Section 30

If the manufacturer had already become aware of the issue before 11 September 2026, does Article 14 retroactively require notification on that date?

No, not just because that date arrived.

The Commission FAQ says the obligation to notify applies upon becoming aware following the entry into application of the reporting requirements. So Article 14 starts applying on 11 September 2026, but the trigger is still awareness under that reporting regime rather than a retroactive duty caused by earlier awareness alone.

Section 31

Can a manufacturer satisfy the mandatory Article 14 duty by notifying only ENISA?

No.

Mandatory notifications must be submitted via the single reporting platform using the electronic notification end-point of the relevant CSIRT designated as coordinator. ENISA gets simultaneous access through that mechanism, but Article 14 does not make direct ENISA-only filing the mandatory route.

Section 32

If dissemination is delayed under Article 16, does that let the manufacturer delay its own notification?

No.

The CRA's delay mechanism applies after the CSIRT designated as coordinator has received the notification and concerns onward dissemination through the single reporting platform. On that basis, it does not change the manufacturer's own Article 14 deadlines, which still run from becoming aware.

Section 33

Are importers or distributors the Article 14 reporters instead of the manufacturer?

No.

Article 14 places the mandatory CRA reporting duty on the manufacturer. Importers and distributors have their own related duties: if they become aware of a vulnerability, they must inform the manufacturer without undue delay, and if the product presents a significant cybersecurity risk, they must immediately inform the relevant market surveillance authorities.

Section 34

Does voluntary reporting create extra obligations for the notifier, and is it handled confidentially?

Not in itself.

Article 15(5) says CSIRTs designated as coordinators and ENISA must ensure confidentiality and appropriate protection of the information provided by a voluntary notifier. It also says voluntary reporting does not create additional obligations that the notifying person would not otherwise have had.

Section 35

Does CRA reporting also feed market-surveillance action?

Yes.

Article 16(3) says CSIRTs designated as coordinators must provide their national market surveillance authorities with the notified information necessary for those authorities to fulfil their CRA tasks. Recital 69 states the same reporting flow as part of the single-platform design.

Primary sources

References and citations

data.europa.eu (35 citations)
Referenced sections, one entry per FAQ section above:
  • Article 14(1), Article 14(3), Article 16(1), Article 71(2), Recital 65, Recital 126
  • Article 3(42), Recital 68, Article 14(1)
  • Article 14(3) to (5), Recital 68
  • Article 14(2)
  • Article 14(4)
  • Article 14(2), Article 14(4)
  • Article 14(1) to (4)
  • Article 14
  • Article 15
  • Article 14(1), Article 13(6)
  • Article 15, Article 13(6)
  • Article 14(7), Article 16(1), Recital 65, Recital 69
  • Article 14(7)
  • Article 14(6)
  • Article 14(8), Recital 67
  • Article 14(8)
  • Article 14(8), Article 17(2)
  • Article 16(2), Article 16(6), Recital 70
  • Article 14(2), Article 16(5)
  • Article 69(3), Article 71(2)
  • Article 69(2), Article 69(3)
  • Article 69(3)
  • Article 15(1) to (3)
  • Article 15(4)
  • Article 17(4)
  • Article 17(5)
  • Article 24(3)
  • Article 17(6), Article 64(10)(a), Recital 120
  • Article 71(2), Article 14(1) to (4)
  • Article 14(2), Article 14(4), Article 16(2), Article 16(6)
  • Article 14(1) to (4), Article 19(5), Article 20(4)
  • Article 15(5)
  • Article 16(3), Recital 69