An Overview of the EU Cyber Resilience Act (EU CRA)
Published: Sep 15, 2025
The EU Cyber Resilience Act (CRA) sets a new regulatory benchmark for product cybersecurity, impacting manufacturers, importers, and distributors worldwide. In this article, we’ll explain the Act’s scope, key requirements, and timeline to help your organization understand what’s changing and how to prepare with a readiness assessment.
What is the EU Cyber Resilience Act?
The EU CRA was adopted in 2024 and sets cybersecurity requirements for products with digital elements (PDEs) placed on the EU market. It applies to manufacturers, importers, and distributors of hardware and software products with digital components and requires them to make their products secure and in compliance with minimum cybersecurity standards.
Initial review of the EU CRA assumes that any PDE placed on the EU market must be covered by a Declaration of Conformity. It is assumed that those organizations whose products are not Class I or Class II, as per the Act, would submit a self-assessment declaration. It is also assumed that those organizations whose products are Class I or Class II would be required to undergo formal “notified body” assessments.
Scope of the EU CRA
The CRA applies to all products with digital elements, meaning products with software or data connectivity, such as IoT devices, operating systems, applications, network equipment, consumer electronics, and industrial controllers. This broad range of relevant products includes software-only products, cloud/SaaS platforms, and products with embedded digital components.
The CRA also introduces categories of critical products that face stricter conformity assessments, such as identity management software, firewalls, and operating systems. CRA obligations extend across the entire product lifecycle, from design and development through end-of-life support.
EU CRA Timeline
In an effort to strengthen cybersecurity across the EU market, the EU first introduced the Cyber Resilience Act in September 2022. The proposal aimed to establish baseline security requirements for all products with digital elements, ensuring that both consumers and businesses could rely on more resilient connected technologies.
The European Parliament and the Council then negotiated the details and refined the scope of the EU CRA, focusing heavily on balancing security obligations with the practical realities that manufacturers and software developers face. In late November 2023, a provisional agreement was reached.
On March 12, 2024, the European Parliament adopted the final version of the CRA, and the European Council formally adopted the law on October 10, 2024. The CRA was published in the Official Journal of the EU on November 20, 2024, and the regulation officially entered into force on December 10, 2024. Compliance will generally be required by the end of 2027, subject to final implementation timelines.
Key EU CRA Requirements: Articles
Core requirements established by the EU CRA articles include the following:
Article 13: Obligations of Manufacturers
- Assure that the product has been designed, developed, and produced in accordance with Annex I (Essential Cybersecurity Requirements)
- Perform a cybersecurity risk assessment for the product (initially and on an ongoing basis)
- Assess and review any third-party vendors relevant to the product
- Identify and manage vulnerabilities in applicable third-party components and in the delivered product, and maintain coordinated vulnerability disclosure policies
- Maintain a support period of at least 5 years
- Make security updates available for a minimum of 10 years (or for the remainder of the support period)
- Maintain technical documentation (per the requirements in Article 31) for at least 10 years, or for the support period if that is longer
- Produce the EU Declaration of Conformity (after compliance is established)
- Designate a main point of contact
- Produce and make available information and instructions for the product
- Apply and monitor remediation for any processes not in conformance with the essential cybersecurity requirements
Article 14: Reporting Obligations of Manufacturers
- Notify the CSIRT and ENISA of any actively exploited vulnerability, including the following:
  - Within 24 hours, an early warning notification
  - Within 72 hours, relevant information including the product concerned, the general nature of the exploit and the vulnerability concerned, any corrective or mitigating measures taken, and any corrective or mitigating measures users can take
  - No later than 14 days after a corrective or mitigating measure is available, a final report that includes at a minimum: (i) a description of the vulnerability, including its severity and impact, (ii) information concerning any malicious actor that has exploited or is exploiting the vulnerability, where available, and (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability
- Notify the CSIRT and ENISA of any severe incident having an impact on the security of the product, including the following:
  - Within 24 hours, an early warning notification, including whether the incident is suspected of being caused by unlawful or malicious acts
  - Within 72 hours, information on the nature of the incident, an initial assessment of the incident, any corrective or mitigating measures taken, and corrective or mitigating measures that users can take
  - Within one month after the submission of the incident notification, a final report that includes (i) a detailed description of the incident, including its severity and impact, (ii) the type of threat or root cause that is likely to have triggered the incident, and (iii) applied and ongoing mitigation measures
- After becoming aware of an actively exploited vulnerability or a severe incident, notify impacted users of the product of any risk mitigation and corrective measures that they can deploy
Article 18: Authorized Representatives
- Appoint an authorized representative to maintain the EU Declaration of Conformity and the required technical documentation, and to support market surveillance authorities where applicable
Article 31: Technical Documentation
- All relevant documentation to support compliance with the essential cybersecurity requirements in Annex I and the content required by Annex VII
- Must be in place before the product is placed on the EU market and be continuously updated during the support period (as applicable)
- Must be in a language of the relevant Member State or in a language acceptable to that Member State
Key EU CRA Requirements: Annexes
The following EU CRA annexes add further detailed requirements:
Annex I: Essential Cybersecurity Requirements
- Part I of Annex I is focused on cybersecurity hygiene and is in place to support the following:
  - Ensure an appropriate level of cybersecurity based on the risks
  - Protect the availability, authenticity, integrity, and confidentiality of the data processed
  - Minimize security risks during the expected product lifetime or support period
- Part II of Annex I is focused on vulnerability management and is in place to mandate the following:
  - Develop and maintain a coordinated vulnerability disclosure policy
  - Provide mechanisms for users to report vulnerabilities
  - Address vulnerabilities without undue delay, including through:
    - Regular testing
    - Post-market monitoring
    - Implementing necessary security updates
  - Notify ENISA and market surveillance authorities of:
    - Exploited vulnerabilities or actively exploited incidents within 24 hours of becoming aware of them
Annex VII: Content of the Technical Documentation
- General description of the product including its purpose, versions in compliance, and user information and instructions
- A description of the design, development and production of the product and vulnerability handling processes
- Assessment of the cybersecurity risks against which the product is designed, developed, produced, delivered, and maintained, including how the essential cybersecurity requirements are applicable
- Information that was taken into account to determine the support period
- Reports of the tests carried out to verify the conformity of the product and of the vulnerability handling processes with the applicable essential cybersecurity requirements
The Role of an EU CRA Readiness Assessment
A readiness assessment can help your organization prepare for upcoming compliance with the EU CRA article requirements and applicable Annexes described above. During a readiness assessment, each requirement is assessed to determine your organization’s preparedness to provide an EU Declaration of Conformity. This allows you to identify process and system gaps that need to be addressed to ensure compliance with the CRA.
Additionally, a readiness assessment report can include a high-level mapping to your existing compliance initiatives, such as SOC 2 or ISO 27001, as well as the identification of commonalities between other EU compliance requirements such as NIS2 and DORA, as applicable, so that the value expands beyond a singular CRA focus.
There are relevant “themes” associated with the CRA Articles being assessed, including the following:
- Governance & Organizational Security
- Secure Design & Development
- Security Features & Cyber Hygiene
- Vulnerability Management & Reporting
- Documentation & EU Declaration of Conformity
- Post-Market Surveillance & Incident Handling
- Supply Chain & Third-Party Risks
These themes should be reviewed against the assessment scope, in addition to the assessment of each requirement of the related CRA article.
Next Steps for EU CRA Compliance
Market surveillance authorities for the EU CRA will have the power to request information or technical documentation and withdraw or recall non-compliant products. Penalties for non-compliance can reach up to €15 million or 2.5% of global annual turnover, whichever is higher. It is our understanding that any provider of software with digital elements placed in the EU market would be subject to, at a minimum, a self-assessment against the requirements of the EU CRA.
With enforcement pending, it’s best practice to begin preparing now with a readiness assessment of the key articles and requirements of the CRA, so that you have the output to put a plan in place to address any gaps and help ensure confidence that you’ll be in compliance with the EU CRA.
Contact us today to learn more about the EU CRA and how Schellman can help with your readiness assessment now.
About Ryan Mackie
Ryan Mackie is a Managing Principal at Schellman and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301, as well as CSA STAR certification services. He has over 25 years of experience. Ryan is also an active member of the CSA and co-chairs the Open Control Framework committee, which is responsible for the CSA STAR Program methodology and execution.