Question 1

What is the EU Cyber Resilience Act?

Accepted Answer

The Cyber Resilience Act (Regulation 2024/2847) is the EU regulation that obliges manufacturers, importers and distributors of products with digital elements to comply with strict cybersecurity requirements, including security-by-design, SBOM, technical documentation (Annex VII), vulnerability disclosure (PSIRT), 24-hour incident reporting, and 5-year security update obligations. Full enforcement from 11 December 2027. Maximum fines: EUR 15 million or 2.5 percent of global turnover.

Question 2

What does CRA-Portal cost?

Accepted Answer

CRA-Portal offers a free 10-minute CRA Check (EUR 0). Compliance Starter is EUR 1,950 one-time for one product category. Compliance Plus is EUR 4,950 setup plus EUR 1,950 per year for up to five product categories and includes the incident-reporting portal, PSIRT, and audit trail. Enterprise from EUR 15,000 per year with unlimited categories, dedicated compliance officer, API access. All prices excluding VAT. Maandelijks opzegbaar.

Question 3

When does the CRA become enforceable?

Accepted Answer

Three key dates. 10 December 2024: the regulation entered into force. 11 September 2026: incident and vulnerability reporting obligation starts. 11 December 2027: full enforcement of all CRA obligations including the technical documentation, conformity assessment, and CE marking requirement. Products placed on the EU market after this date must be fully compliant.

Question 4

Does the CRA apply to my products?

Accepted Answer

The CRA applies to all products with digital elements placed on the EU market, regardless of where they were manufactured. This includes smart consumer products, IoT devices, industrial control systems, operating systems, and most software. Excluded are products already covered by specific EU sectoral legislation (medical devices, motor vehicles, aviation). Use the Free CRA Check to determine your specific scope.

Question 5

What are the obligations for importers and distributors?

Accepted Answer

Importers must verify manufacturer compliance, ensure CE marking is present, that technical documentation is accessible, and maintain traceability. Distributors must conduct due diligence before placing products on the EU market, withdraw non-compliant products, and maintain traceability. CRA-Portal offers dedicated modules: Importer Due Diligence Pack (EUR 495 per relation) and Distributor Verification Pack (EUR 295 per relation).

Question 6

How does the 24-hour incident reporting work?

Accepted Answer

Under the CRA, manufacturers must notify ENISA or their national CSIRT within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident impacting product security. CRA-Portal's Compliance Plus and Enterprise tiers include a dedicated incident reporting portal that drafts the notification, routes it to the appropriate authority, and maintains the audit trail. The platform supports the 24-hour early warning, 72-hour incident notification, and 14-day final report timelines required by the regulation.

Question 7

Is CRA-Portal GDPR-compliant?

Accepted Answer

Yes. CRA-Portal is EU-hosted (Hetzner Falkenstein, Germany) with no third-country data transfer. AVG/GDPR by design with data minimisation, purpose limitation, audit logging, and right to erasure. A verwerkersovereenkomst (data processing agreement) is available for business customers.

News & Updates

Latest news

ENISA updates CRA reporting and consults on secure updates

OpenSSF submits feedback on EU Cybersecurity Act revision

ENISA publishes 'Secure by Design' playbook for SMEs

Cyber Resilience Act officially enters into force

Follow CRA developments

Questions about the CRA?