---
title: "EU Cyber Resilience Act, CRA Compliance, CE Marking and Reporting"
canonical_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act"
source_url: "https://www.sorena.io/artifacts/eu/cyber-resilience-act"
author: "Sorena AI"
description: "Practical Cyber Resilience Act guidance for products with digital elements: scope, Annex I requirements, support period, Article 14 reporting."
published_at: "2026-03-04"
updated_at: "2026-03-11"
keywords:
  - "EU Cyber Resilience Act"
  - "CRA compliance"
  - "products with digital elements"
  - "CRA Article 14 reporting"
  - "CRA CE marking"
  - "CRA technical documentation"
  - "CRA Annex I requirements"
  - "CRA support period"
  - "CRA conformity assessment"
  - "Cyber Resilience Act"
  - "Article 14 reporting"
  - "CE marking"
---

# EU Cyber Resilience Act, CRA Compliance, CE Marking and Reporting

Practical Cyber Resilience Act guidance for products with digital elements: scope, Annex I requirements, support period, Article 14 reporting.


## Cyber Resilience Act Product Security, Reporting and CE Marking

Use this CRA hub to decide scope, classify products, map Annex I requirements, design technical documentation, and stand up reporting and support period operations before the regulation fully applies.

This resource is grounded in Regulation (EU) 2024/2847, the European Commission policy page, the January 2026 CRA FAQ, and the Commission's March 2026 draft guidance on scope, remote data processing, open source software, and support periods. It is practical guidance, not legal advice.


## What this CRA hub helps you decide

- **Scope and exclusions**: Confirm whether you have a product with digital elements, whether remote data processing is in scope, and whether any Article 2 exclusion applies.
- **Control and evidence model**: Translate Annex I, Annex II, Article 13, Article 14, Article 31, and Article 32 into owners, tests, records, and release gates.
- **Timing and enforcement risk**: Sequence the 11 June 2026, 11 September 2026, and 11 December 2027 milestones so reporting, support, CE marking, and authority response are ready.

By Sorena AI | Updated 2026-03 | Grounded in official sources

### Quick scan


- **Core dates**: Entered into force on 10 December 2024. Draft Commission guidance was published for feedback on 3 March 2026. Reporting starts on 11 September 2026. Main application starts on 11 December 2027.
- **Support period**: Manufacturers must set and disclose a support period of at least five years unless expected use is shorter, then keep handling vulnerabilities throughout that period.
- **Conformity routes**: Default products can use internal control in many cases. Important and critical products may need Module B plus C or Module H, depending on category and standards coverage.

Use the topic guides to turn the CRA from a legal requirement set into a portfolio level product security operating model.


**Key highlights:** Scope first | Map evidence | Prepare reporting

## Topic Guides

- [Applicability Test | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/applicability-test.md): Use this CRA applicability test to confirm product scope, exclusions, remote data processing boundaries, operator role, product classification.
- [Checklist | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/checklist.md): Use this Cyber Resilience Act checklist to assign owners, deadlines, evidence, and release gates for scope, Annex I controls, support period operations.
- [Compliance Program | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/compliance.md): Build a CRA compliance program that covers product scope, governance, engineering controls, support period operations, Article 14 reporting.
- [Conformity Assessment and CE Marking | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/conformity-assessment-and-ce-marking.md): Choose the right CRA conformity route, prepare the declaration of conformity, structure the technical file.
- [CRA Blue Guide Concepts FAQ | Placing on the Market, Making Available, Distance Sales](/artifacts/eu/cyber-resilience-act/faq/blue-guide-concepts.md): CRA FAQ on Blue Guide concepts used in Cyber Resilience Act interpretation: placing on the market, making available, putting into service, online sales.
- [CRA CE Marking FAQ | Meaning, Placement Rules, Software Labeling, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/ce-marking.md): CRA CE marking FAQ covering what the mark means, when it is mandatory, software and website placement rules, packaging fallback, notified body numbers.
- [CRA Component Due Diligence FAQ | Third-Party Components, FOSS, SBOM, Vulnerabilities](/artifacts/eu/cyber-resilience-act/faq/component-due-diligence.md): CRA component due diligence FAQ covering third-party components, FOSS, CE-marked components, SBOM review, risk-based checks, upstream vulnerability reporting.
- [CRA Conformity Assessment Routes FAQ | Module A, Module B+C, Module H, Critical and Important Products](/artifacts/eu/cyber-resilience-act/faq/conformity-assessment-routes.md): CRA FAQ on conformity assessment routes covering module A, module B+C, module H, important and critical products, harmonised standards, certification schemes.
- [CRA Core Functionality FAQ | Important Products, Critical Products, Classification](/artifacts/eu/cyber-resilience-act/faq/core-functionality.md): CRA FAQ on core functionality covering classification of important and critical products, ancillary functions, integrated components.
- [CRA Cybersecurity Risk Assessment FAQ | Article 13, Threat Modelling, Variants, Constraints](/artifacts/eu/cyber-resilience-act/faq/cybersecurity-risk-assessment.md): CRA FAQ on cybersecurity risk assessment covering Article 13, threat modelling, intended purpose, foreseeable misuse, external dependencies, documentation.
- [CRA Declaration of Conformity FAQ | Full vs Simplified, Languages, Updates, Duties](/artifacts/eu/cyber-resilience-act/faq/declaration-of-conformity.md): CRA FAQ on the EU declaration of conformity covering full and simplified formats, required contents, languages, updates, single declarations across EU laws.
- [CRA Economic Operators FAQ | Manufacturers, Importers, Distributors, Authorised Representatives](/artifacts/eu/cyber-resilience-act/faq/economic-operators.md): CRA FAQ on economic operators covering manufacturer, authorised representative, importer, distributor, responsible operator rules, checks, traceability.
- [CRA Essential Cybersecurity Requirements FAQ | Annex I Part I and Part II](/artifacts/eu/cyber-resilience-act/faq/essential-cybersecurity-requirements.md): CRA FAQ on the essential cybersecurity requirements covering Annex I Part I and Part II, applicability, evidence, interoperability constraints.
- [CRA FAQ Hub | Blue Guide Concepts, CE Marking, Component Due Diligence](/artifacts/eu/cyber-resilience-act/faq.md): Browse the CRA FAQ hub for Blue Guide market-access concepts, CE marking, and component due diligence.
- [CRA Hardware and Software Boundaries FAQ | Product Scope, Combined Products, Source Code](/artifacts/eu/cyber-resilience-act/faq/hardware-software-boundaries.md): CRA FAQ on hardware and software boundaries covering combined products, standalone software, source code, companion apps, remote data processing.
- [CRA Harmonised Standards and Common Specifications FAQ | Presumption of Conformity, OJ Publication](/artifacts/eu/cyber-resilience-act/faq/harmonised-standards-and-common-specifications.md): CRA FAQ on harmonised standards, common specifications, and certification schemes covering presumption of conformity, Official Journal publication.
- [CRA Important and Critical Products FAQ | Annex III, Annex IV, Core Functionality](/artifacts/eu/cyber-resilience-act/faq/important-and-critical-products.md): CRA FAQ on important and critical products covering Annex III and Annex IV classification, core functionality, conformity routes, FOSS rule limits.
- [CRA Integrated Components and Dependencies FAQ | Due Diligence, RDPS, Third-Party Components](/artifacts/eu/cyber-resilience-act/faq/integrated-components-and-dependencies.md): CRA FAQ on integrated components and dependencies covering due diligence, third-party components, RDPS, cloud dependencies, upstream fixes, FOSS dependencies.
- [CRA Interplay With Other EU Laws FAQ | RED, AI Act, GDPR, Data Act, EHDS, Machinery](/artifacts/eu/cyber-resilience-act/faq/interplay-with-other-eu-laws.md): CRA FAQ on interplay with other EU laws covering exclusions, overlap with RED, AI Act, GDPR, Data Act, EHDS, Machinery, GPSR, NIS2, aviation, marine.
- [CRA Known Exploitable Vulnerabilities at Launch FAQ | Placement on the Market, CVEs, Late Discoveries](/artifacts/eu/cyber-resilience-act/faq/known-exploitable-vulnerabilities-at-launch.md): CRA FAQ on known exploitable vulnerabilities at launch covering the launch-time rule, exploitability, known vulnerabilities, CVEs, compensating controls.
- [CRA Legacy Products FAQ | Pre-2027 Products, Reporting, Grandfathering, Substantial Modification](/artifacts/eu/cyber-resilience-act/faq/legacy-products.md): CRA FAQ on legacy products covering pre-11 December 2027 products, Article 14 reporting, continued sale, substantial modification, spare parts, old designs.
- [CRA Manufacturer Obligations FAQ | Article 13 Duties, Support Period, Reporting, Documentation](/artifacts/eu/cyber-resilience-act/faq/manufacturer-obligations.md): CRA FAQ on manufacturer obligations covering Article 13 duties, risk assessment, support periods, vulnerability handling, reporting, documentation.
- [CRA Market Surveillance and Enforcement FAQ | Authorities, Safeguards, Sweeps, Formal Non-Compliance](/artifacts/eu/cyber-resilience-act/faq/market-surveillance-and-enforcement.md): CRA FAQ on market surveillance and enforcement covering authorities, investigations, safeguard procedures, formal non-compliance, sweeps, joint activities.
- [CRA Module A FAQ | Internal Control, Self-Assessment, Eligibility, Documentation](/artifacts/eu/cyber-resilience-act/faq/module-a.md): CRA FAQ on module A covering internal control, eligible products, class I limits, FOSS exception, technical documentation, testing, CE marking.
- [CRA Module B+C FAQ | EU-Type Examination, Conformity to Type, Notified Bodies](/artifacts/eu/cyber-resilience-act/faq/module-b-c.md): CRA FAQ on module B+C covering EU-type examination, conformity to type, notified-body role, certificate changes, production control, CE marking.
- [CRA Module H FAQ | Full Quality Assurance, Notified Body Surveillance, CE Marking](/artifacts/eu/cyber-resilience-act/faq/module-h.md): CRA FAQ on module H covering full quality assurance, quality-system approval, notified-body surveillance, scope changes, CE marking, language rules, records.
- [CRA Notified Bodies FAQ | Notification, Scope, NANDO, Independence, Competence](/artifacts/eu/cyber-resilience-act/faq/notified-bodies.md): CRA FAQ on notified bodies covering notification, competence, independence, NANDO scope, accreditation, cross-border choice, subcontracting.
- [CRA Open-Source Software FAQ | FOSS, Commercial Activity, Stewards, Donations, Paid Editions](/artifacts/eu/cyber-resilience-act/faq/open-source-software.md): CRA FAQ on open-source software covering FOSS qualification, commercial activity, donations, paid support, stewards, contributors, repositories.
- [CRA Over-the-Air Updates FAQ | OTA, Automatic Updates, Secure Distribution, Offline Paths](/artifacts/eu/cyber-resilience-act/faq/over-the-air-updates.md): CRA FAQ on over-the-air updates covering OTA versus automatic updates, secure distribution, screenless products, gateways, offline update paths.
- [CRA Penalties and Fines FAQ | Fine Tiers, Turnover Caps, SME Carve-Outs, Stewards](/artifacts/eu/cyber-resilience-act/faq/penalties-and-fines.md): CRA FAQ on penalties and fines covering Article 64 fine tiers, turnover caps, SME carve-outs, steward exemptions, cumulative fines, criminal sanctions.
- [CRA Product Families FAQ | Variants, Shared Assessments, Family Reuse, Conformity Scope](/artifacts/eu/cyber-resilience-act/faq/product-families.md): CRA FAQ on product families covering shared risk assessments, family-wide documentation reuse, cybersecurity-relevant variant differences.
- [CRA Remote Data Processing Solutions FAQ | RDPS Scope, Cloud Services, SaaS Boundaries, Documentation](/artifacts/eu/cyber-resilience-act/faq/remote-data-processing-solutions.md): CRA FAQ on remote data processing solutions covering Article 3(2) RDPS tests, cloud-service boundaries, websites and portals, third-party SaaS, backend scope.
- [CRA Repairs and Spare Parts FAQ | Repairs, Refurbishment, Spare-Part Exemption, Compatibility](/artifacts/eu/cyber-resilience-act/faq/repairs-and-spare-parts.md): CRA FAQ on repairs and spare parts covering substantial modification, Article 2(6) identical spare parts, non-identical replacements.
- [CRA Reporting Obligations FAQ | Article 14 Deadlines, CSIRT Filing, User Notices, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/reporting-obligations.md): CRA FAQ on reporting obligations covering Article 14 deadlines, actively exploited vulnerabilities, severe incidents, CSIRT routing, user notifications.
- [CRA Scope FAQ | Products with Digital Elements, Connections, Software, Exclusions](/artifacts/eu/cyber-resilience-act/faq/scope-and-products-with-digital-elements.md): CRA FAQ on scope and products with digital elements covering software, firmware, components, direct and indirect connections, offline products, exclusions.
- [CRA Secure-by-Default FAQ | Default Configuration, Auto Updates, Tailor-Made Limits](/artifacts/eu/cyber-resilience-act/faq/secure-by-default.md): CRA FAQ on secure by default covering Annex I default configuration, automatic security updates, opt-outs, components, inapplicability.
- [CRA Security Updates vs Functionality Updates FAQ | Separation, Free Updates, Article 13(10)](/artifacts/eu/cyber-resilience-act/faq/security-updates-vs-functionality-updates.md): CRA FAQ on security updates versus functionality updates covering separation where technically feasible, free security updates, automatic updates.
- [CRA Substantial Modification FAQ | Post-Market Changes, New Manufacturer, Legacy Products](/artifacts/eu/cyber-resilience-act/faq/substantial-modification.md): CRA FAQ on substantial modification covering Article 3(30), software updates, repairs, new manufacturer status, conformity reassessment.
- [CRA Support Period FAQ | Placement on the Market, Unit-Level Timing, Update Availability](/artifacts/eu/cyber-resilience-act/faq/support-period.md): CRA FAQ on support periods covering Article 13(8), placement on the market timing, unit-level support periods, standalone software, update availability.
- [CRA Tailor-Made Products FAQ | Business-User Exception, Paid Updates, Evidence](/artifacts/eu/cyber-resilience-act/faq/tailor-made-products.md): CRA FAQ on tailor-made products covering the narrow business-user carve-out, secure-by-default and paid-update deviations, required evidence.
- [CRA Technical Documentation FAQ | Annex VII, Languages, Authority Access, Updates](/artifacts/eu/cyber-resilience-act/faq/technical-documentation.md): CRA FAQ on technical documentation covering Annex VII content, timing, languages, versioning, authority access, reused documentation, simplified formats.
- [CRA Transition Period FAQ | Key Dates, Legacy Products, Pre-CRA Stock, RED Interplay](/artifacts/eu/cyber-resilience-act/faq/transition-period.md): CRA FAQ on the transition period covering entry into force, phased application dates, legacy products, stock and customs timing, standalone software.
- [CRA Update Availability and Archives FAQ | Article 13(9), Archives, Historical Versions](/artifacts/eu/cyber-resilience-act/faq/update-availability-and-archives.md): CRA FAQ on update availability and software archives covering Article 13(9), Article 13(10), Article 13(11), retention of issued security updates.
- [CRA User Information and Transparency FAQ | Annex II, Support Disclosure, User Notices](/artifacts/eu/cyber-resilience-act/faq/user-information-and-transparency.md): CRA FAQ on user information and transparency covering Annex II instructions, support-period disclosure, end-of-support notices, vulnerability notices.
- [CRA vs RED Cybersecurity Delegated Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-red-cybersecurity-delegated-act.md): Compare the Cyber Resilience Act with the RED cybersecurity delegated act so you can decide which products fall under which rule, what dates apply.
- [CRA vs UK PSTI Act | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/cra-vs-uk-psti-act.md): Compare the EU Cyber Resilience Act with the UK PSTI product security regime so your team can plan dual market compliance without mixing two different rule.
- [CRA Vulnerability Handling FAQ | Lifecycle Duties, Components, Disclosure, Fix Sharing](/artifacts/eu/cyber-resilience-act/faq/vulnerability-handling.md): CRA FAQ on vulnerability handling covering Annex I Part II duties, component vulnerabilities, upstream reporting and fix sharing.
- [Deadlines and Compliance Calendar | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/deadlines-and-compliance-calendar.md): Track the CRA entry into force date, the notified body date, the reporting start date, and the main application date.
- [Essential Cybersecurity Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/essential-cybersecurity-requirements.md): Understand the CRA essential cybersecurity requirements in Annex I.
- [Penalties and Fines | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/penalties-and-fines.md): Understand the CRA administrative fine tiers in Article 64, the conduct that attracts the highest penalties, and the evidence that reduces enforcement exposure.
- [Products with Digital Elements Scope | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/products-with-digital-elements-scope.md): Understand what counts as a product with digital elements under the CRA, how remote data processing fits, and where the scope boundary usually causes mistakes.
- [Reporting Obligations | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/reporting-obligations.md): Prepare for CRA Article 14 reporting, including the twenty four hour early warning, the seventy two hour notification, final reports, CSIRT routing.
- [Requirements | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/requirements.md): Review the full CRA requirement set, including manufacturer duties, operator duties, support period rules, user information, corrective action, reporting.
- [SBOM and Vulnerability Management Template | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/sbom-and-vulnerability-management-template.md): Use this CRA SBOM and vulnerability management template to structure dependency records, triage, remediation, advisory publication, and support period evidence.
- [Technical Documentation and Audit File | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/technical-documentation-and-audit-file.md): Build a CRA technical documentation file that covers product definition, risk assessment, support period, Annex I mapping, standards use, test evidence.
- [Vulnerability Handling and Disclosure | EU Cyber Resilience Act, CRA Product Security and CE Marking](/artifacts/eu/cyber-resilience-act/vulnerability-handling-and-disclosure.md): Build a CRA vulnerability handling system that covers SBOM, intake, triage, remediation, coordinated vulnerability disclosure, secure updates.

## Key milestones for Cyber Resilience Act

*Timeline*

Use milestones to sequence governance, engineering controls, vulnerability handling, reporting readiness, and CE marking evidence work.

## How to operationalize Cyber Resilience Act

*Decision Flow*

Use the decision flow to convert scope, conformity route, and requirement questions into clear implementation actions.


## Decision Steps

### STEP 1: Are you making available on the EU market a product with digital elements?

*Reference: Art. 2(1); Art. 3(1)-(2),(21)-(22)*

- CRA scope focuses on products with digital elements made available on the market whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
- A product with digital elements is a software or hardware product together with its remote data processing solutions, including components placed on the market separately.
- Making available on the market means supply for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.

- **YES** → STEP 2: Is the product excluded from the CRA scope?
- **NO** → Outcome: Stop: CRA likely does not apply

### STEP 2: Is the product excluded from the CRA scope?

*Reference: Art. 2(2)-(8)*

- Excluded if covered by: Regulation (EU) 2017/745 (medical devices), Regulation (EU) 2017/746 (IVDs), or Regulation (EU) 2019/2144 (vehicles).
- Excluded if certified under Regulation (EU) 2018/1139 (aviation) or if equipment falls under Directive 2014/90/EU (marine equipment).
- Excluded for spare parts replacing identical components manufactured to the same specifications.
- Excluded for products developed or modified exclusively for national security or defence purposes, or designed to process classified information.

- **YES** → Outcome: Stop: CRA excluded for this product category
- **NO** → STEP 3: Are you the manufacturer for CRA purposes (or treated as one)?

### STEP 3: Are you the manufacturer for CRA purposes (or treated as one)?

*Reference: Art. 3(13),(30); Art. 21; Art. 22*

- A manufacturer includes anyone marketing the product under its name or trademark, whether for payment, monetisation, or free of charge.
- Importers or distributors are treated as manufacturers if they place a product on the market under their name/trademark or carry out a substantial modification (Art. 21).
- Other persons carrying out a substantial modification and making the product available are treated as manufacturers, for the affected part or entire product (Art. 22).

- **YES** → STEP 4: Is the product a critical product category listed in Annex IV?
- **NO** → STEP 3B: Are you an importer or distributor making the product available on the EU market?

### STEP 3B: Are you an importer or distributor making the product available on the EU market?

*Reference: Art. 19-20; Art. 23*

- If you import from outside the Union and place the product on the market in the Union, you are an importer.
- If you make the product available in the supply chain without affecting its properties, you are a distributor.
- Economic operators must be able to identify who supplied them and to whom they supplied (Art. 23).

- **YES** → STEP 3C: Do you place it on the market under your name/trademark, or carry out a substantial modification?
- **NO** → STEP 3D: Are you an open-source software steward for free and open-source software intended for commercial activities?

### STEP 3C: Do you place it on the market under your name/trademark, or carry out a substantial modification?

*Reference: Art. 21; Art. 3(30)*

- If yes, CRA treats the importer or distributor as a manufacturer and applies manufacturer obligations (Art. 21).
- Substantial modification includes changes after placing on the market that affect compliance with Annex I Part I or change intended purpose.

- **YES** → STEP 4: Is the product a critical product category listed in Annex IV?
- **NO** → Outcome: Importer and distributor obligations (CRA)

### STEP 3D: Are you an open-source software steward for free and open-source software intended for commercial activities?

*Reference: Art. 3(14); Art. 24*

- An open-source software steward is a legal person (other than a manufacturer) that provides sustained support to specific products with digital elements that qualify as free and open-source software and are intended for commercial activities (Art. 3(14)).

- **YES** → Outcome: Open-source software steward obligations (CRA)
- **NO** → Outcome: No direct CRA economic-operator obligations from this flow

### STEP 4: Is the product a critical product category listed in Annex IV?

*Reference: Art. 8(1); Art. 32(4)*

- Critical products are product categories listed in Annex IV.
- Annex IV categories can be required (via delegated acts) to obtain a European cybersecurity certificate if a relevant certification scheme exists and is available (Art. 8(1)).

- **YES** → STEP 4A: Is a European cybersecurity certificate required for this Annex IV category (and is a scheme available)?
- **NO** → STEP 4B: Is the product an important product category listed in Annex III?

### STEP 4A: Is a European cybersecurity certificate required for this Annex IV category (and is a scheme available)?

*Reference: Art. 8(1); Art. 32(4)(a)-(b)*

- CRA allows delegated acts to require certification for Annex IV categories where a European cybersecurity certification scheme covering the category exists and is available (Art. 8(1)).
- If no such delegated act exists, Annex IV products are subject to the Art. 32(3) procedures (Art. 8(1), second subparagraph).

- **YES** → Outcome: CRA compliance: critical product requiring European cybersecurity certification
- **NO** → Outcome: CRA compliance: critical product conformity route (no certification requirement)

### STEP 4B: Is the product an important product category listed in Annex III?

*Reference: Art. 7(1); Art. 32(2)-(3)*

- Important products have the core functionality of a category set out in Annex III (Art. 7(1)).
- Annex III categories are divided into class I and class II (Art. 7(2); Annex III).

- **YES** → STEP 4C: Is it listed under Annex III class II?
- **NO** → Outcome: CRA compliance: standard product conformity route

### STEP 4C: Is it listed under Annex III class II?

*Reference: Art. 7(2); Art. 32(3)*

- If yes, stricter conformity assessment routes apply (Module B + C, Module H, or an applicable certification scheme at assurance level at least 'substantial') (Art. 32(3)).

- **YES** → Outcome: CRA compliance: important product (class II) conformity route
- **NO** → STEP 4D: For Annex III class I, do harmonised standards/common specifications/certification schemes fully cover the essential requirements you rely on?

### STEP 4D: For Annex III class I, do harmonised standards/common specifications/certification schemes fully cover the essential requirements you rely on?

*Reference: Art. 32(1)-(2)*

- If you have not applied (or only partly applied) harmonised standards, common specifications, or certification schemes (assurance level at least 'substantial'), or they do not exist, then for those essential requirements you must use Module B + C or Module H (Art. 32(2)).
- If they do exist and you apply them, you can demonstrate conformity using any of the Art. 32(1) procedures (including Module A), subject to product category rules.

- **YES** → Outcome: CRA compliance: important product (class I) with full standards coverage
- **NO** → Outcome: CRA compliance: important product (class I) requiring Module B + C or Module H

## Reference Information

### Key CRA Definitions (short list)

### Conformity assessment overview (CRA)

### Manufacturer obligations checklist (core)

### Support period and updates (CRA)

### Mandatory reporting (CRA)

## Possible Outcomes

### [OUT OF SCOPE] Stop: CRA likely does not apply

Not made available on the EU market as a product with digital elements

- If you are not making a product with digital elements available on the Union market in a commercial activity, the CRA obligations in this decision map are not triggered.
- If you are still uncertain, validate against the definitions in Art. 3 and seek legal review.

### [EXCLUDED] Stop: CRA excluded for this product category

Follow applicable sector rules and any other EU harmonisation legislation

- CRA does not apply to the excluded categories listed in Art. 2(2)-(4), plus the specific exclusions in Art. 2(6)-(7).
- For products covered by other Union rules that address all or some CRA risks, CRA application may be limited or excluded via delegated acts where sector rules achieve the same or higher protection (Art. 2(5)).

### [IMPORTER / DISTRIBUTOR] Importer and distributor obligations (CRA)

Due care, verification, corrective actions, and traceability

- Importers: place on the market only compliant products; before placing on the market, verify conformity assessment, technical documentation, CE marking, EU declaration of conformity, and required instructions; keep EU DoC available and ensure technical documentation can be made available for at least 10 years or the support period (whichever is longer) (Art. 19).
- Importers: if non-conformity, take corrective measures (bring into conformity, withdraw, or recall) and inform authorities when there is a significant cybersecurity risk; inform the manufacturer without undue delay upon becoming aware of a vulnerability (Art. 19).
- Distributors: act with due care; before making available, verify CE marking and that required documents were provided; do not make available if you believe there is non-conformity; cooperate and take corrective actions as needed (Art. 20).
- Traceability: on request, provide information on who supplied you and (where available) to whom you supplied, and keep that information for 10 years (Art. 23).

### [OSS STEWARD] Open-source software steward obligations (CRA)

Cybersecurity policy, cooperation, and (limited) reporting duties

- Put in place and document a verifiable cybersecurity policy to foster secure development and effective vulnerability handling by developers, and foster voluntary reporting under Art. 15 (Art. 24(1)).
- Cooperate with market surveillance authorities upon request to mitigate risks; provide the documented policy on request (Art. 24(2)).
- Mandatory reporting: Art. 14(1) applies to the extent the steward is involved in development; Art. 14(3) and (8) apply to the extent severe incidents affect network and information systems provided by the steward for development (Art. 24(3)).

### [NO OPERATOR ROLE] No direct CRA economic-operator obligations from this flow

You are not acting as a manufacturer, importer, distributor, or OSS steward

- This decision map focuses on CRA obligations for economic operators (manufacturer, importer, distributor) and open-source software stewards.
- If you are an end user or a downstream entity without those roles, CRA may not impose obligations on you through these articles, but other rules could still apply.

### [STANDARD] CRA compliance: standard product conformity route

Not Annex III (important) and not Annex IV (critical)

- Conformity assessment: demonstrate Annex I conformity using Module A, Module B + C, Module H, or (where available and applicable) a European cybersecurity certification scheme (Art. 32(1)).
- Use the manufacturer checklist (Art. 13; Art. 31-32) and implement support-period and mandatory reporting processes (Art. 13(8)-(9); Art. 14-16).

### [ANNEX III CLASS I] CRA compliance: important product (class I) with full standards coverage

Internal control is available when harmonised standards/common specs/cert schemes are fully applied

- Conformity assessment: you can use any Art. 32(1) procedure (including Module A), provided the class I condition in Art. 32(2) is not triggered for any essential requirements you need to demonstrate.
- Keep evidence of applied standards/specifications/schemes in your technical documentation (Art. 31; Annex VII).
- Apply manufacturer, support-period, and reporting obligations (Art. 13; Art. 14-16).

### [ANNEX III CLASS I] CRA compliance: important product (class I) requiring Module B + C or Module H

Triggered when standards/specifications/schemes are not applied (or do not exist) for essential requirements

- Conformity assessment: for the essential requirements where harmonised standards/common specs/cert schemes have not been applied or do not exist, use Module B + C or Module H (Art. 32(2)).
- Document the scope of third-party assessment and keep technical documentation updated through the support period (Art. 31(2)).
- Apply manufacturer, support-period, and reporting obligations (Art. 13; Art. 14-16).

### [ANNEX III CLASS II] CRA compliance: important product (class II) conformity route

Third-party route required (or certification scheme) at assurance level at least 'substantial'

- Conformity assessment: use Module B + C, Module H, or (where available and applicable) a European cybersecurity certification scheme at assurance level at least 'substantial' (Art. 32(3)).
- Apply manufacturer, support-period, and reporting obligations (Art. 13; Art. 14-16).

### [ANNEX IV] CRA compliance: critical product requiring European cybersecurity certification

Certification route applies when required by delegated act and a scheme is available

- Conformity assessment: demonstrate Annex I conformity by obtaining a European cybersecurity certificate under a relevant scheme at assurance level at least 'substantial', when required under Art. 8(1) (Art. 32(4)(a)).
- Apply manufacturer, support-period, and reporting obligations (Art. 13; Art. 14-16).

### [ANNEX IV] CRA compliance: critical product conformity route (no certification requirement)

Use Art. 32(3) procedures when certification is not required or conditions are not met

- If a delegated act requiring certification is not adopted, Annex IV products are subject to Art. 32(3) procedures (Art. 8(1), second subparagraph).
- Conformity assessment: use Module B + C, Module H, or (where available and applicable) a European cybersecurity certification scheme at assurance level at least 'substantial' (Art. 32(4)(b) referring to Art. 32(3)).
- Apply manufacturer, support-period, and reporting obligations (Art. 13; Art. 14-16).

## EU Cyber Resilience Act Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2024-10-23 | Regulation adopted | Reg. (EU) 2024/2847 |
| 2024-11-20 | Published in Official Journal (OJ L) | Reg. (EU) 2024/2847 |
| 2024-12-10 | Entry into force (20 days after publication) | Art. 71(1) |
| 2025-12-11 | Commission deadline for Annex III and Annex IV technical descriptions (implementing act) | Art. 7(4) |
| 2025-12-11 | Commission deadline for delegated act on delaying dissemination grounds | Art. 14(9) |
| 2026-06-11 | Chapter IV (notification of conformity assessment bodies) applies | Art. 71(2) |
| 2026-09-11 | Mandatory reporting obligations apply | Art. 71(2); Art. 14 |
| 2027-12-11 | CRA generally applies | Art. 71(2) |

## Compliance Timeline

| Date | Event | Category | Reference |
| --- | --- | --- | --- |
| 2021-09-15 | CRA announced in State of the Union | Legislative History | SOTEU 2021 |
| 2021-09-16 | Commission explainer on the CRA (quotes SOTEU speech) | Legislative History |  |
| 2022-03-16 | Public consultation | Legislative History |  |
| 2022-09-15 | Commission proposal published | Legislative History | COM(2022) 454 |
| 2023-06-08 | Council general approach | Legislative History |  |
| 2023-07-19 | Council common position | Legislative History |  |
| 2023-07-19 | EP ITRE Committee adopts report | Legislative History |  |
| 2023-09-01 | Parliament enters interinstitutional negotiations | Legislative History |  |
| 2023-11-30 | Political agreement reached | Legislative History |  |
| 2023-12-01 | Parliament press release on political agreement | Legislative History |  |
| 2024-03-12 | Parliament plenary adoption | Legislative History | P9_TA(2024)0130 |
| 2024-10-10 | Council formal adoption | Legislative History |  |
| 2024-10-23 | Act date | Official Publication | Reg. (EU) 2024/2847 |
| 2024-11-20 | Published in Official Journal | Official Publication | OJ L 2024/2847 |
| 2024-12-05 | Corrigendum: editorial title fix | Corrigendum |  |
| 2024-12-10 | Entry into force | Applicability | Art. 71(1) |
| 2024-12-10 | Delegated powers conferred (5-year period begins) | Delegated & Implementing Acts | Art. 61(2) |
| 2025-02-03 | Standardisation request M/606 adopted | Standardisation | C(2025) 618 |
| 2025-04-03 | M/606 officially accepted by CEN-CENELEC | Standardisation | M/606 |
| 2025-07-02 | Corrigendum: Art. 64(10) cross-reference | Corrigendum | Art. 64(10) |
| 2025-07-29 | Delegated Reg. 2025/1535 adopted | Delegated & Implementing Acts | Reg. (EU) 2025/1535 |
| 2025-10-03 | Corrigendum: Annex I language fix | Corrigendum | Annex I |
| 2025-10-17 | Corrigendum: Art. 67 numbering | Corrigendum | Art. 67 |
| 2025-10-29 | Delegated Reg. 2025/1535 published in OJ | Delegated & Implementing Acts | OJ L 2025/1535 |
| 2025-11-18 | Delegated Reg. 2025/1535 enters into force | Delegated & Implementing Acts | Reg. (EU) 2025/1535 |
| 2025-11-28 | Implementing Reg. 2025/2392 adopted | Delegated & Implementing Acts | Reg. (EU) 2025/2392 |
| 2025-12-01 | Implementing Reg. 2025/2392 published in OJ | Delegated & Implementing Acts | OJ L 2025/2392 |
| 2025-12-11 | Delegated act on CSIRT notification delays | Delegated & Implementing Acts | Art. 16(2) |
| 2025-12-11 | Delegated act record published on EUR-Lex | Delegated & Implementing Acts | C(2025) 8407 |
| 2025-12-21 | Implementing Reg. 2025/2392 enters into force | Delegated & Implementing Acts | Reg. (EU) 2025/2392 |
| 2026-03-03 | Draft CRA guidance published for feedback | Commission Deliverables |  |
| 2026-03-31 | Feedback closes on draft CRA guidance | Commission Deliverables |  |
| 2026-06-11 | Chapter IV applies: notified bodies | Conformity Assessment | Art. 35-51 |
| 2026-06-11 | Notified bodies listed on NANDO/SMCS (as they are designated) | Conformity Assessment |  |
| 2026-09-11 | Vulnerability reporting obligations apply | Vulnerability Reporting | Art. 14 |
| 2026-09-11 | CRA reporting deadlines (24h / 72h / 14d / 1 month) | Vulnerability Reporting |  |
| 2026-09-11 | Open-source software stewards: reporting obligations apply (conditional) | Vulnerability Reporting | Art. 24(3), Art. 14 |
| 2026-09-11 | Single Reporting Platform operational by this date | Commission Deliverables |  |
| 2027-12-11 | CRA applies in full | Applicability | Art. 71(2) |
| 2027-12-11 | Legacy products: substantial modification rule | Applicability |  |
| 2027-12-11 | Economic operators' obligations apply (importers, distributors, authorised representatives) | Applicability | Arts. 18-21 |
| 2027-12-11 | Open-source software stewards: Article 24 obligations apply | Applicability | Art. 24(1)-(2) |
| 2029-12-10 | End of initial 5-year delegation period (unless extended) | Delegated & Implementing Acts | Art. 61(2) |

**Event details:**

- **2021-09-15 - CRA announced in State of the Union**: President von der Leyen announces the CRA in the State of the Union address: 'including legislation on common standards under a new European Cyber Resilience Act.'
- **2021-09-16 - Commission explainer on the CRA (quotes SOTEU speech)**: Commission explainer page published the day after SOTEU highlights the CRA and quotes the speech's CRA passage.
- **2022-03-16 - Public consultation**: Commission launches CRA public consultation, open 16 March to 25 May 2022.
- **2022-09-15 - Commission proposal published**: Commission presents the CRA proposal COM(2022) 454 final.
- **2023-06-08 - Council general approach**: Council reaches its 'general approach' (negotiating mandate) on the CRA at the JHA Council meeting.
- **2023-07-19 - Council common position**: Member States agree a common position on security requirements for digital products.
- **2023-07-19 - EP ITRE Committee adopts report**: EP ITRE Committee adopts its report/position on the CRA.
- **2023-09-01 - Parliament enters interinstitutional negotiations**: Parliament confirms its committee decision to enter interinstitutional (trilogue) negotiations in September 2023.
- **2023-11-30 - Political agreement reached**: Council and Parliament reach provisional political agreement on the CRA.
- **2023-12-01 - Parliament press release on political agreement**: European Parliament press release on the agreement reached with the Council to boost digital products security.
- **2024-03-12 - Parliament plenary adoption**: European Parliament adopts the CRA in plenary: 517 in favour, 12 against, 78 abstentions.
- **2024-10-10 - Council formal adoption**: Council formally adopts the Cyber Resilience Act.
- **2024-10-23 - Act date**: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 (Cyber Resilience Act) is signed.
- **2024-11-20 - Published in Official Journal**: CRA published in the Official Journal of the European Union (OJ L 2024/2847, 20.11.2024).
- **2024-12-05 - Corrigendum: editorial title fix**: First corrigendum: corrects '(EU) No 2019/1020' to '(EU) 2019/1020' in the regulation title.
- **2024-12-10 - Entry into force**: CRA enters into force on the 20th day following OJ publication (20 Nov + 20 days = 10 Dec 2024).
- **2024-12-10 - Delegated powers conferred (5-year period begins)**: Delegation of power to the Commission is conferred for a period of five years from 10 December 2024, with tacit extensions unless opposed.
- **2025-02-03 - Standardisation request M/606 adopted**: Commission adopts CRA standardisation request M/606 containing 41 standards. Accepted by CEN, CENELEC, and ETSI on 3 April 2025.
- **2025-04-03 - M/606 officially accepted by CEN-CENELEC**: CEN-CENELEC officially accepted the CRA standardisation request on 3 April 2025.
- **2025-07-02 - Corrigendum: Art. 64(10) cross-reference**: Corrigendum fixes Article 64(10): 'paragraphs 3 to 9' corrected to 'paragraphs 2 to 9'.
- **2025-07-29 - Delegated Reg. 2025/1535 adopted**: Commission excludes most L-category vehicle products from CRA scope (exception for L1e pedal-designed). OJ publication 29 Oct 2025; enters into force 20 days later.
- **2025-10-03 - Corrigendum: Annex I language fix**: Corrigendum fixes FR/HU language wording in Annex I, Part I, paragraph 2, point (c).
- **2025-10-17 - Corrigendum: Art. 67 numbering**: Corrigendum fixes numbering reference in Article 67: '69' corrected to '72'.
- **2025-10-29 - Delegated Reg. 2025/1535 published in OJ**: Delegated Regulation (EU) 2025/1535 is published in the Official Journal on 29 October 2025.
- **2025-11-18 - Delegated Reg. 2025/1535 enters into force**: Delegated Regulation (EU) 2025/1535 enters into force on the twentieth day following its OJ publication.
- **2025-11-28 - Implementing Reg. 2025/2392 adopted**: Commission adopts technical descriptions for Annex III/IV product categories (important and critical products). OJ publication 1 Dec 2025; enters into force 20 days later.
- **2025-12-01 - Implementing Reg. 2025/2392 published in OJ**: Implementing Regulation (EU) 2025/2392 is published in the Official Journal on 1 December 2025.
- **2025-12-11 - Delegated act on CSIRT notification delays**: Commission adopts delegated act specifying terms and conditions for delaying dissemination of vulnerability notifications by CSIRTs under Article 16(2).
- **2025-12-11 - Delegated act record published on EUR-Lex**: EUR-Lex record for the Commission delegated act concerning Article 16(2) conditions for CSIRTs delaying dissemination to other CSIRTs.
- **2025-12-21 - Implementing Reg. 2025/2392 enters into force**: Implementing Regulation (EU) 2025/2392 enters into force on the twentieth day following its OJ publication.
- **2026-03-03 - Draft CRA guidance published for feedback**: Commission publishes draft CRA guidance for stakeholder feedback, clarifying scope, remote data processing, free and open-source software, support periods, and interplay with other EU law.
- **2026-03-31 - Feedback closes on draft CRA guidance**: The stakeholder feedback period on the Commission's draft CRA guidance closes on 31 March 2026.
- **2026-06-11 - Chapter IV applies: notified bodies**: CRA Chapter IV (Articles 35-51) on notification of conformity assessment bodies begins to apply.
- **2026-06-11 - Notified bodies listed on NANDO/SMCS (as they are designated)**: From the Chapter IV applicability date, conformity assessment bodies can be notified under the CRA framework and, once notified, will appear in the Commission's NANDO/SMCS notified bodies list for the CRA.
- **2026-09-11 - Vulnerability reporting obligations apply**: Article 14 (vulnerability and incident reporting) applies. Manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's Single Reporting Platform.
- **2026-09-11 - CRA reporting deadlines (24h / 72h / 14d / 1 month)**: From the Article 14 applicability date, incident/vulnerability notifications follow operational time limits (early warning within 24 hours of awareness; full notification within 72 hours; final report timelines depending on case, such as 14 days or 1 month).
- **2026-09-11 - Open-source software stewards: reporting obligations apply (conditional)**: Open-source software stewards are subject to Article 14(1) (and, where applicable, Article 14(3) and (8)) to the extent they are involved in development, from the date Article 14 applies.
- **2026-09-11 - Single Reporting Platform operational by this date**: Commission states ENISA's Single Reporting Platform (SRP) will be operational by 11 September 2026 to support CRA vulnerability and incident reporting.
- **2027-12-11 - CRA applies in full**: General application date: the CRA applies in full from 11 December 2027.
- **2027-12-11 - Legacy products: substantial modification rule**: Products placed on the EU market before 11 December 2027 are subject to CRA product requirements only if, from that date, they undergo a substantial modification; reporting obligations still apply from the earlier reporting applicability date.
- **2027-12-11 - Economic operators' obligations apply (importers, distributors, authorised representatives)**: From the general CRA application date, authorised representatives, importers, and distributors must comply with their CRA obligations; in certain cases (e.g., own-branding or substantial modification) importers/distributors are treated as manufacturers.
- **2027-12-11 - Open-source software stewards: Article 24 obligations apply**: Open-source software stewards must have a verifiable cybersecurity policy for secure development and vulnerability handling, and cooperate with market surveillance authorities (subject to CRA scope).
- **2029-12-10 - End of initial 5-year delegation period (unless extended)**: The initial five-year period for the Commission's delegated powers runs until 10 December 2029, subject to tacit extensions unless opposed.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/cyber-resilience-act
