CRA Regulatory Timeline
Regulation (EU) 2024/2847 entered into force on December 10, 2024, covering approximately 90% of digital products sold in the EU. Mandatory vulnerability reporting through ENISA's Single Reporting Platform begins on September 11, 2026, and full conformity assessment is required by December 11, 2027.
Product Risk Classification
The CRA classifies products into four categories. The default class (approximately 90% of products) allows self-assessment. Important Class I and Important Class II require increasing levels of third-party involvement. Critical products mandate third-party evaluation by notified bodies.
| Class | Products | Assessment Type |
|---|---|---|
| Default (90%) | Consumer IoT, Apps, Standard Software | Self-Assessment |
| Important I | Password Managers, VPNs, Routers, Smart Assistants | Self/Third-Party |
| Important II | Firewalls, IDS/IPS, OS, Microprocessors | Third-Party Required |
| Critical | HSM, Smart Meter Gateways, Smartcards | Notified Body |
CRA Product Classification Examples
CRA applies globally to any company placing products on the EU market, regardless of headquarters location. Non-EU manufacturers must designate authorized representatives within the EU.
Vulnerability Reporting Mandate
Starting September 11, 2026, manufacturers must report vulnerabilities through ENISA's Single Reporting Platform. An early warning is due within 24 hours of becoming aware of active exploitation, followed by a comprehensive notification within 72 hours.
Essential Security Requirements
CRA mandates secure-by-default configuration, authenticated access controls, data confidentiality and integrity protection, attack surface minimization, and the ability to receive and install security updates throughout the product lifecycle.
- Secure-by-default configuration required at shipment
- Authenticated and authorized access controls mandatory
- Data confidentiality and integrity must be protected
- Attack surface must be minimized by design
- Security updates must be receivable and installable
- Support period: expected product lifetime or 5 years, whichever is shorter
SBOM Requirements
Software Bill of Materials (SBOM) is required in machine-readable format. SBOMs must identify top-level dependencies, version numbers, and licensing information. Documents are provided to authorities upon request, not publicly disclosed.
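The following is an added example, not code from the original page or from any regulator. It builds a minimal machine-readable SBOM for a constructed component inventory and then checks the two fields the text calls out, version and licence, for every top-level dependency. The page names no SBOM format; the CycloneDX 1.5 JSON layout is assumed here as a common machine-readable choice, and the product name "acme-gateway" and its component list are constructed sample data.

```python
"""Minimal machine-readable SBOM builder and completeness checker.

Added example, not part of the original page. The CRA summary above names
no SBOM format; the CycloneDX 1.5 JSON layout is assumed here. The
component inventory is constructed sample data, not a real product.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Component:
    name: str
    version: Optional[str]
    license_id: Optional[str]  # SPDX identifier such as "MIT" (assumed convention)


# Constructed inventory for a hypothetical product "acme-gateway".
# Two entries are deliberately incomplete to exercise the checker.
SAMPLE_COMPONENTS = [
    Component("acme-gateway", "2.4.1", "LicenseRef-Proprietary"),
    Component("openssl", "3.0.13", "Apache-2.0"),
    Component("zlib", "1.3.1", "Zlib"),
    Component("left-pad-ish", None, "MIT"),   # missing version
    Component("mystery-lib", "0.9", None),    # missing licence
]


def _entry(c: Component, ctype: str) -> dict:
    """Render one component in CycloneDX JSON form, omitting unknown fields."""
    entry = {"type": ctype, "name": c.name}
    if c.version:
        entry["version"] = c.version
    if c.license_id:
        entry["licenses"] = [{"license": {"id": c.license_id}}]
    return entry


def build_sbom(product: Component, deps: list) -> dict:
    """Emit a CycloneDX-style document: the product plus its top-level dependencies."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": _entry(product, "application")},
        "components": [_entry(c, "library") for c in deps],
    }


def check_sbom(sbom: dict) -> list:
    """Return findings for top-level components lacking a version or licence.

    An empty list means every listed dependency carries both fields, which is
    the minimum the SBOM requirement described above asks for.
    """
    findings = []
    for c in sbom.get("components", []):
        if "version" not in c:
            findings.append(f"{c['name']}: missing version")
        if not c.get("licenses"):
            findings.append(f"{c['name']}: missing licence information")
    return findings


def load_and_check(sbom_json: str) -> list:
    """Parse an SBOM from its JSON text (as stored or handed to an authority) and check it."""
    return check_sbom(json.loads(sbom_json))


if __name__ == "__main__":
    bom = build_sbom(SAMPLE_COMPONENTS[0], SAMPLE_COMPONENTS[1:])
    text = json.dumps(bom, indent=2)
    print(text)
    for finding in load_and_check(text):
        print("FINDING:", finding)
```

Running the script prints the SBOM document followed by two findings, one for the component with no version and one for the component with no licence. Components are emitted without the missing field rather than with a placeholder, so a downstream consumer cannot mistake a guess for recorded data; the checker then reports exactly those gaps.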
Open Source Software Provisions
Free and open-source software that is not placed on the market in the course of a commercial activity is exempt. However, monetizing services offered through the software, charging for technical support, or using personal data for purposes beyond security improvements constitutes commercial activity.
| Scenario | Commercial Activity | CRA Scope |
|---|---|---|
| Pure OSS Project | No | Exempt |
| OSS + Paid Support | Yes | In Scope |
| OSS + SaaS Monetization | Yes | In Scope |
| OSS + Personal Data Use | Yes | In Scope |
| OSS Steward (Non-profit) | Limited | Lighter Obligations |
Open Source CRA Applicability
The open-source software steward is a new legal category for organizations that sustain OSS used in commercial activities. Lighter obligations apply, with no administrative fines. These obligations start in December 2027.
Regulatory Intersections
CRA overlaps with NIS2 on risk management, incident reporting, and supply chain security. DORA applies additionally to financial sector products. The proposed overhaul of the Cybersecurity Act (CSA2) aims to align certifications and streamline reporting by early 2027.
Manufacturers must exercise due diligence over third-party components, including open-source libraries. Existing supply chain security programs can cover 50-60% of CRA requirements, reducing the implementation burden.