The CRA (EU) 2024/2847 establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU, covering design, development, production, and the entire product lifecycle.
Focus: Product cybersecurity, SBOM, vulnerability handling, CE marking
Article 2 — Scope
Article 3 — Definitions
Article 4 — Classification
Article 8 — Security Requirements
Article 10 — Vulnerability Handling
Article 11 — SBOM Requirements
Article 13 — CE Marking
GET /v1/frameworks/cra/articles → 200 OK · structured JSON · official source
The Cyber Resilience Act (CRA), published as EU Regulation 2024/2847 (CELEX 32024R2847), establishes mandatory cybersecurity requirements for all products with digital elements placed on the European Union market. Containing 71 articles, the CRA covers the entire product lifecycle — from design and development through production, delivery, and post-market maintenance. Manufacturers must implement security by design, provide a Software Bill of Materials (SBOM), handle and disclose vulnerabilities within prescribed timelines, and ensure free security updates for the expected product lifetime or a minimum of five years. Products are classified into default, important (Class I and II), and critical categories, each with escalating conformity assessment requirements. The CRA entered into force on 10 December 2024, with reporting obligations applying from September 2026 and full enforcement from 11 December 2027. It applies to hardware and software products including IoT devices, operating systems, firmware, and standalone software. Law4Devs provides all 71 CRA articles as structured JSON, enabling teams to identify obligations by product category and lifecycle phase.
EU Regulation 2024/2847 applies to any economic operator placing products with digital elements on the EU market. This includes manufacturers who design, develop, or produce connected products — covering IoT devices, smart home appliances, industrial control systems, networking equipment, operating systems, desktop and mobile applications, firmware, and microprocessors with security-relevant functionality. Importers who bring non-EU manufactured products into the EU market must verify that manufacturers have completed conformity assessments and applied CE marking. Distributors must ensure products bear CE marking and that manufacturers and importers have met their obligations. Open-source software stewards, a new category introduced by the CRA, have lighter obligations focused on cybersecurity policy documentation and vulnerability coordination. The regulation explicitly excludes products already covered by sector-specific EU cybersecurity rules, such as medical devices, aviation systems, and motor vehicles. Products intended exclusively for national security or military use are also outside scope. Law4Devs lets you filter CRA articles by economic operator role and product classification to pinpoint your specific obligations.
Under EU Regulation 2024/2847, Cyber Resilience Act fines are structured in three tiers based on the severity of the infringement. The highest tier imposes fines up to €15 million or 2.5% of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher, for non-compliance with essential cybersecurity requirements and vulnerability handling obligations. The second tier reaches up to €10 million or 2% of global turnover for failure to meet other CRA obligations including conformity assessment, documentation, and SBOM requirements. The third tier imposes fines up to €5 million or 1% of global turnover for providing incorrect, incomplete, or misleading information to market surveillance authorities. Beyond fines, national market surveillance authorities can order the withdrawal or recall of non-compliant products from the entire EU market, effectively blocking commercial distribution. For SMEs and micro-enterprises, supervisory authorities must consider proportionality when determining penalty amounts. Law4Devs structures all CRA penalty and enforcement provisions as queryable JSON to help engineering teams prioritise compliance efforts by risk level.
Law4Devs provides all 71 articles of EU Regulation 2024/2847 as structured, machine-readable JSON via a REST API, sourced directly from EUR-Lex. Engineering teams can query CRA articles by product category (default, important Class I, important Class II, critical), economic operator role (manufacturer, importer, distributor, open-source steward), obligation type (security by design, SBOM, vulnerability handling, CE marking, conformity assessment), and lifecycle phase (design, development, production, post-market). Each response includes the full legal text, article metadata, semantic tags, and cross-references to related provisions in NIS2, the RED Delegated Act, and GDPR. The API tracks EUR-Lex amendments automatically, ensuring integrations always reflect the latest consolidated regulation text. Responses average 34 milliseconds, making the API suitable for embedding in product security dashboards, CI/CD compliance gates, or supply chain risk tools. Official SDKs for Python, TypeScript, Java, Rust, PHP, and Dart are available on GitHub.