
Cyber Resilience Act (CRA) — EU Product Cybersecurity Regulation

Everything about the CRA — mandatory cybersecurity requirements for all products with digital elements sold in the EU, including SBOM, vulnerability handling, and CE marking.

What is CRA?

The Cyber Resilience Act (CRA), EU Regulation 2024/2847, establishes mandatory cybersecurity requirements for all products with digital elements placed on the European Union market. It covers the entire product lifecycle — from design and development through production, delivery, and post-market maintenance. Manufacturers must implement security by design, provide a Software Bill of Materials (SBOM), handle and disclose vulnerabilities within prescribed timelines, and ensure free security updates for the expected product lifetime or a minimum of five years. The CRA entered into force on 10 December 2024, with full enforcement from 11 December 2027.

Who It Applies To

The CRA applies to any economic operator placing products with digital elements on the EU market, including IoT devices, smart home appliances, industrial control systems, operating systems, firmware, standalone software, and microprocessors. It covers manufacturers, importers, and distributors, and introduces a new category for open-source software stewards.

Key Articles & Obligations

  • Article 2
  • Article 3
  • Article 4
  • Article 8
  • Article 10
  • Article 11
  • Article 13

Key Deadlines

  • Entered into force (10 Dec 2024): CRA became EU law.
  • Reporting obligations (11 Sept 2026): vulnerability handling and incident reporting requirements apply.
  • Full enforcement (11 Dec 2027): all CRA obligations, including CE marking and conformity assessment, become fully enforceable.

Fines & Enforcement

Three-tier system: up to €15M or 2.5% of total worldwide annual turnover (whichever is higher) for non-compliance with essential cybersecurity requirements; up to €10M or 2% for conformity assessment and documentation failures; up to €5M or 1% for providing incorrect or misleading information.

Product Classification Under CRA

The CRA classifies products with digital elements into four categories, each with escalating conformity assessment requirements.

  • Default category — baseline cybersecurity requirements apply to all products
  • Important Class I — includes operating systems, routers, firewalls, smart speakers; requires third-party conformity assessment
  • Important Class II — includes smartcards, hypervisors, industrial firewalls; requires third-party conformity assessment
  • Critical category — includes hardware security modules, smart meters, microprocessors; requires the most stringent assessment

Mandatory Cybersecurity Requirements

Article 8 of the CRA specifies essential cybersecurity requirements that all products with digital elements must meet before being placed on the EU market.

  • Products must be secure by design and by default
  • Products must be free of known vulnerabilities at the time they are placed on the market
  • Manufacturers must provide a Software Bill of Materials (SBOM) in a commonly used machine-readable format
  • Products must support security updates throughout the expected product lifetime or for a minimum of five years
  • Manufacturers must handle and disclose vulnerabilities responsibly
  • Products must implement mechanisms to enable secure installation and updates
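As an added illustration of the machine-readable SBOM requirement in the list above (example code written for this page, not code from Law4Devs or from the regulation text): a small emitter and checker for a CycloneDX JSON document. The page does not name a format, so CycloneDX 1.5 is an assumption here; the product name, the component inventory and the checks applied (every component carries a type, name, version and package URL, the purl version agrees with the declared version, no duplicate components) are all constructed for the example.

```python
"""Constructed example: emit a CycloneDX 1.5 SBOM and run basic completeness checks.

CycloneDX is assumed as the 'commonly used machine-readable format'; the page
itself names no format. Component data below is invented for illustration.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed inventory for a hypothetical product (not real dependency data).
CONSTRUCTED_COMPONENTS = [
    {"type": "library", "name": "openssl", "version": "3.0.13",
     "purl": "pkg:generic/openssl@3.0.13"},
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
]

# Fields a consumer needs to identify and match a component against advisories.
REQUIRED_COMPONENT_FIELDS = ("type", "name", "version", "purl")


def build_sbom(product_name, product_version, components, serial=None):
    """Return a dict shaped like a CycloneDX 1.5 JSON document.

    Top-level keys (bomFormat, specVersion, serialNumber, version, metadata,
    components) follow the CycloneDX JSON schema.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": {"type": "application", "name": product_name,
                          "version": product_version},
        },
        "components": [dict(c) for c in components],
    }


def purl_version(purl):
    """Extract the version from a package URL, ignoring '?qualifiers' and '#subpath'.

    Returns None when the purl carries no version (an '@' inside a namespace,
    as in pkg:npm/@scope/name, is not treated as a version separator).
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return None
    _, _, tail = core.rpartition("@")
    return tail if tail and "/" not in tail else None


def check_sbom(sbom):
    """Return a list of findings; an empty list means the document passed.

    Checks: required envelope fields are present, the format is CycloneDX,
    every component carries the identifying fields, the purl version matches
    the declared version, and no purl appears twice.
    """
    findings = []
    for key in ("bomFormat", "specVersion", "metadata", "components"):
        if key not in sbom:
            findings.append(f"missing top-level field: {key}")
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")

    seen = set()
    for i, comp in enumerate(sbom.get("components", [])):
        label = f"component[{i}] ({comp.get('name', '?')})"
        for field in REQUIRED_COMPONENT_FIELDS:
            if not comp.get(field):
                findings.append(f"{label}: missing {field}")
        purl = comp.get("purl")
        if not purl:
            continue
        declared = comp.get("version")
        if declared and purl_version(purl) != declared:
            findings.append(f"{label}: purl version does not match declared version")
        if purl in seen:
            findings.append(f"{label}: duplicate component {purl}")
        seen.add(purl)
    return findings


def sbom_is_valid(sbom):
    """True when check_sbom reports nothing."""
    return not check_sbom(sbom)


if __name__ == "__main__":
    doc = build_sbom("demo-gateway", "1.2.0", CONSTRUCTED_COMPONENTS)
    print(json.dumps(doc, indent=2))
    print("findings:", check_sbom(doc) or "none")
```

The checker is deliberately structural: it confirms that a downstream consumer could match every listed component against vulnerability data, which is what the SBOM obligation is for. It does not validate against the full CycloneDX schema; a schema validator would be the next step in a real pipeline.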

Vulnerability Handling Obligations

The CRA introduces specific, time-bound vulnerability handling and disclosure requirements.

  • Manufacturers must actively identify, track, and document vulnerabilities
  • Exploited vulnerabilities must be notified to ENISA within 24 hours
  • A corrective update must be provided within 72 hours for actively exploited vulnerabilities
  • Manufacturers must coordinate disclosure with the cybersecurity research community

How Law4Devs Helps with CRA Compliance

Law4Devs provides all 71 CRA articles as structured JSON from EUR-Lex. Filter by product category, economic operator role, obligation type, and lifecycle phase. Cross-reference with NIS2 and the RED Delegated Act for overlapping product cybersecurity requirements.

Query CRA via API

GET /v1/frameworks/cra/articles
200 OK · structured JSON · official EUR-Lex source

Frequently Asked Questions

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA), published as EU Regulation 2024/2847 (CELEX 32024R2847), establishes mandatory cybersecurity requirements for all products with digital elements placed on the European Union market. Containing 71 articles, the CRA covers the entire product lifecycle — from design and development through production, delivery, and post-market maintenance. Manufacturers must implement security by design, provide a Software Bill of Materials (SBOM), handle and disclose vulnerabilities within prescribed timelines, and ensure free security updates for the expected product lifetime or a minimum of five years. Products are classified into default, important (Class I and II), and critical categories, each with escalating conformity assessment requirements. The CRA entered into force on 10 December 2024, with reporting obligations applying from September 2026 and full enforcement from 11 December 2027. It applies to hardware and software products including IoT devices, operating systems, firmware, and standalone software. Law4Devs provides all 71 CRA articles as structured JSON, enabling teams to identify obligations by product category and lifecycle phase.

Who does the CRA apply to?

EU Regulation 2024/2847 applies to any economic operator placing products with digital elements on the EU market. This includes manufacturers who design, develop, or produce connected products — covering IoT devices, smart home appliances, industrial control systems, networking equipment, operating systems, desktop and mobile applications, firmware, and microprocessors with security-relevant functionality. Importers who bring non-EU manufactured products into the EU market must verify that manufacturers have completed conformity assessments and applied CE marking. Distributors must ensure products bear CE marking and that manufacturers and importers have met their obligations. Open-source software stewards, a new category introduced by the CRA, have lighter obligations focused on cybersecurity policy documentation and vulnerability coordination. The regulation explicitly excludes products already covered by sector-specific EU cybersecurity rules, such as medical devices, aviation systems, and motor vehicles. Products intended exclusively for national security or military use are also outside scope. Law4Devs lets you filter CRA articles by economic operator role and product classification to pinpoint your specific obligations.

What are CRA fines?

Under EU Regulation 2024/2847, Cyber Resilience Act fines are structured in three tiers based on the severity of the infringement. The highest tier imposes fines up to €15 million or 2.5% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher, for non-compliance with essential cybersecurity requirements and vulnerability handling obligations. The second tier reaches up to €10 million or 2% of global turnover for failure to meet other CRA obligations including conformity assessment, documentation, and SBOM requirements. The third tier imposes fines up to €5 million or 1% of global turnover for providing incorrect, incomplete, or misleading information to market surveillance authorities. Beyond fines, national market surveillance authorities can order the withdrawal or recall of non-compliant products from the entire EU market, effectively blocking commercial distribution. For SMEs and micro-enterprises, supervisory authorities must consider proportionality when determining penalty amounts. Law4Devs structures all CRA penalty and enforcement provisions as queryable JSON to help engineering teams prioritise compliance efforts by risk level.

How does Law4Devs help with CRA?

Law4Devs provides all 71 articles of EU Regulation 2024/2847 as structured, machine-readable JSON via a REST API, sourced directly from EUR-Lex. Engineering teams can query CRA articles by product category (default, important Class I, important Class II, critical), economic operator role (manufacturer, importer, distributor, open-source steward), obligation type (security by design, SBOM, vulnerability handling, CE marking, conformity assessment), and lifecycle phase (design, development, production, post-market). Each response includes the full legal text, article metadata, semantic tags, and cross-references to related provisions in NIS2, the RED Delegated Act, and GDPR. The API tracks EUR-Lex amendments automatically, ensuring integrations always reflect the latest consolidated regulation text. Responses average 34 milliseconds, making the API suitable for embedding in product security dashboards, CI/CD compliance gates, or supply chain risk tools. Official SDKs for Python, TypeScript, Java, Rust, PHP, and Dart are available on GitHub.

Access CRA as Structured JSON

All articles, recitals, and amendments — queryable, filterable, and always up to date.