The EU Cyber Resilience Act, Regulation (EU) 2024/2847, introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market [1]. It is horizontal: it does not target one sector in the way NIS2 or DORA does. It targets the product and the economic activity around that product: manufacturing, importing, distributing, and making products with digital elements available in the EU [1].
If your company builds software, ships hardware with firmware, or sells connected products, the CRA belongs in your product-planning conversation before the next release or EU market-entry decision.
Article 3 defines a product with digital elements as a software or hardware product and its remote data processing solutions, while Article 2 sets the scope and connectivity criterion: the product must have a direct or indirect logical or physical data connection to a device or network [1].
In practical terms, the first question is whether the product runs software and connects to anything. That can include standalone software, connected hardware, industrial controllers, consumer devices, embedded software components, firmware-supported products, and products with cloud-connected features [1].
The CRA also distinguishes economic-operator roles. Manufacturers have the primary design, risk-assessment, conformity, documentation, vulnerability-handling, reporting, and CE-marking obligations under Article 13 and related provisions [1]. Importers and distributors have their own obligations under Articles 19 and 20, including checks before placing or making products available on the market, and Articles 21 and 22 explain when manufacturer obligations can apply to importers, distributors, or other actors [1].
Open-source software is treated specifically. Non-commercial open-source software is not treated the same way as a commercial product placed on the market, while open-source components integrated into a commercial product can still be part of the product's cybersecurity and vulnerability-handling analysis [1].
NIS2 is about the cybersecurity governance of organisations in listed sectors, including scope, management-body duties, risk-management measures, and incident reporting [2]. DORA is about digital operational resilience for financial entities, including ICT risk management and third-party ICT risk [3]. The CRA is about products with digital elements placed on the EU market [1].
A single organisation can be touched by all three. A financial-services company may operate under DORA, be linked to NIS2 sector obligations, and also place a software product on the EU market that needs CRA analysis. The rules stack because the legal trigger is different: organisation, financial entity, and product.
The CRA requirements are easiest to understand as four linked layers.
1. Essential cybersecurity requirements. Annex I Part I sets product-level essential cybersecurity requirements, including secure-by-design expectations, protection against unauthorised access, confidentiality and integrity protections, attack-surface reduction, secure updates, and resilience-related product properties [1].
2. Vulnerability handling. Annex I Part II sets vulnerability-handling requirements, including processes to identify, document, remediate, and disclose vulnerabilities, and the CRA also creates reporting obligations for actively exploited vulnerabilities and severe incidents. Article 14 reporting obligations apply from 11 September 2026, before the regulation's full application date [1].
3. Role-specific obligations. Article 13 governs manufacturer obligations, Articles 19 and 20 govern importer and distributor obligations, and Articles 21 and 22 explain cases where manufacturer obligations apply to other actors [1].
4. Conformity assessment and CE marking. Conformity assessment under Article 32 is the path to demonstrating that the product and the manufacturer's processes meet the Annex I requirements; Article 28 governs the EU declaration of conformity, Article 30 governs CE marking, and Annexes III and IV identify the important and critical product classes that affect the assessment route [1].
The dates matter. The CRA entered into force in December 2024, Article 14 reporting obligations apply from 11 September 2026, Chapter IV provisions apply from 11 June 2026, and the regulation applies fully from 11 December 2027 [1].
Before attempting to plan CRA work, a manufacturer, importer, or distributor needs two inventories.
Role inventory. For each product, are you the manufacturer, importer, distributor, authorised representative, or another actor whose changes to the product trigger manufacturer obligations? That answer determines which CRA articles apply to you [1].
Product inventory. For each product, list the software components, firmware, connectivity, remote data processing, update mechanism, vulnerability intake route, and whether the product may fall into an important or critical class under Annex III or IV [1].
A useful first CRA workshop does not start with a generic checklist. It starts with the product catalogue and the role map, then identifies which product lines need conformity planning, vulnerability-handling process design, and evidence discipline.
Cyvalent 360 Cyber Services / CISOaaS provides the practitioner-led scoping work: role mapping, product inventory, CRA exposure assessment, product-class review against Annexes III and IV, and a practical evidence plan for design, vulnerability handling, and conformity-readiness work [1].
CORTEX AI maps CRA obligations to the control framework you already operate, such as ISO 27001, NIST CSF, or an internal secure-development framework. That makes evidence reuse visible: a secure-development process, vulnerability-management record, supplier-risk review, or access-control measure may support more than one regulatory or control-framework requirement.
The engagement output is a scoped operating view: which products appear relevant, which roles Cyvalent has identified for review, which CRA requirement areas need evidence, and how those requirements map to your existing control library.
The EU Cyber Resilience Act is in force. If you make or ship products with software and are unsure whether the CRA applies to your product line, discuss your exposure with Cyvalent.
[1] European Parliament & Council. Regulation (EU) 2024/2847 (Cyber Resilience Act) — Art. 2 (scope/connectivity), Art. 3 (definitions and roles), Art. 13 (manufacturer obligations), Art. 14 (reporting from 11 Sep 2026), Arts. 19-22 (importer/distributor and related obligations), Art. 28 (EU declaration of conformity), Art. 30 (CE marking), Art. 32 (conformity assessment), Annex I (essential requirements and vulnerability handling), Annexes III-IV (product classes), full application 11 Dec 2027. Status/date: in force 10 Dec 2024; phased application. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/2847/oj
[2] European Parliament & Council. Directive (EU) 2022/2555 (NIS2) — Art. 2 & Annexes I-II (scope/sectors), Arts. 20-21 (governance and risk measures), Art. 23 (incident reporting). Status/date: in force; adopted 14 Dec 2022. Source: EUR-Lex. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
[3] European Parliament & Council. Regulation (EU) 2022/2554 (DORA) — Art. 5 (governance/management body), Arts. 17-23 (incident management), Arts. 28-30 (third-party risk), Art. 64 (applies 17 Jan 2025). Status/date: applicable from 17 Jan 2025. Source: EUR-Lex. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
[4] Germany / BSI. Cyber Resilience Act information and BSI TR-03183 support context — German CRA support and authority-designation context for products with digital elements. Status/date: CRA guidance current; authority designation should be verified before publication. Source: BSI. https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html
[5] Luxembourg / ILNAS and national implementation materials. Cyber Resilience Act authority designation — Luxembourg market-surveillance / authority-designation context for CRA. Status/date: authority designation to be verified before publication. Source: ILNAS / Luxembourg official materials. https://ilnas.public.lu/