# What the EU Cyber Resilience Act is, and who it covers

> The CRA is an EU law that ties cybersecurity rules to CE marking, so a product with digital elements cannot enter the EU market without it.

Source: https://fmcybersecurity.com/en/insights/compliance/what-the-eu-cyber-resilience-act-is/
Locale: English
Other locale: https://fmcybersecurity.com/insights/compliance/hva-er-eu-cyber-resilience-act/

## Metadata

- Date: 2026-06-05
- Author: maximilian-sharoyan
- Topic: compliance
- Format: article

If your product has software in it, the EU Cyber Resilience Act decides whether you can sell it in Europe. The Cyber Resilience Act, or CRA, ties cybersecurity rules to the CE mark, the same mark you already put on a product to show it is safe for the EU market. Miss the rules and you lose the mark. Lose the mark and the product cannot legally be placed on the EU market.

In compliance reviews this spring I kept meeting the same blind spot. The firm treated the CRA as an IT problem. It is a product problem, and it sits with the people who decide what you build and ship.

![Cyber Resilience Act, FM CyberSecurity](../../../assets/news/what-the-eu-cyber-resilience-act-is-inline.png)

## What it costs you if you miss the CRA

A product that does not meet the CRA cannot be sold in the EU, and that market does not wait. The CRA is product-safety law for anything with a digital part, so the cost is not a fine you can budget around. It is a product you cannot ship, a customer order you cannot fill, and a competitor who can. For most Norwegian product firms, the EU is the market, so this is revenue, not paperwork.

The law also lets authorities order a non-compliant product off the market and fine the maker. The headline penalty for the core breaches, failing the essential requirements in Annex I or the manufacturer obligations in Articles 13 and 14, runs up to 15 million euro or 2.5 percent of worldwide annual turnover, whichever is higher ([Regulation (EU) 2024/2847, Article 64](https://eur-lex.europa.eu/eli/reg/2024/2847/oj)). The bigger risk is the order to stop selling while a launch window closes.

## What the Cyber Resilience Act is

The CRA is an EU Regulation that sets mandatory cybersecurity rules for products with digital elements, enforced through the CE mark. A "product with digital elements" is any software or hardware product, including its components and the remote data processing it depends on, whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network: hardware with embedded software, standalone software, and connected devices, from a router to a smart lock to a business app. Products already covered by sector-specific rules, such as medical devices, vehicles, and aircraft, are carved out, as is open-source software that is not supplied commercially. The full text is [Regulation (EU) 2024/2847](https://eur-lex.europa.eu/eli/reg/2024/2847/oj).

Because it is a Regulation, it applies directly across the EU. It does not need each country to write its own copy first. That is the opposite of a Directive like NIS2, which each country has to turn into national law.

The CRA [entered into force on 10 December 2024](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act). The dates that matter for you come after that. The duty to report problems to the authorities [starts on 11 September 2026](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act). The main obligations, the design rules and the CE-mark requirement, [start on 11 December 2027](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act). So the clock for the heavy work is the December 2027 date, with a reporting duty that bites a year earlier.

## Who the CRA covers

The CRA covers manufacturers, importers, and distributors of products with digital elements sold in the EU. If you make a product and put your name on it, you are the manufacturer and you carry the most duties. If you bring a non-EU product into the EU, you are the importer. If you resell without changing the product, you are the distributor. Each role has its own checklist, but the chain means a reseller is on the hook too, not only the maker.

Inside that scope the CRA sorts products by risk. Most products sit in the default class and the maker can self-assess. Some sit in higher tiers. "Important" products (Annex III), such as password managers, firewalls, and VPNs, face stricter checks: Class I products can still self-assess if they fully apply harmonised standards, otherwise they need a notified body, and Class II products always need one. "Critical" products (Annex IV), such as smartcards and certain hardware security modules, face the toughest route and cannot rely on self-assessment alone. The higher your product sits, the more proof you have to show before the CE mark goes on.

## The core obligations

The CRA asks for four things across a product's life: secure design, vulnerability handling, fast reporting, and security updates. Take them one at a time, because each is a concrete duty, not a slogan.

Secure by design means the product ships safe by default and meets the security rules in Annex I from day one, not as a later patch. Vulnerability handling means you have a process to find, track, and fix security flaws while the product is supported, and you publish a way for outsiders to report a flaw to you, which is called coordinated vulnerability disclosure.

Reporting is the duty with the early clock. From 11 September 2026, when a vulnerability in your product is being actively exploited, or you hit a severe incident, you must send an early warning to both [ENISA, the EU cybersecurity agency, and your national response team within 24 hours](https://digital-strategy.ec.europa.eu/en/policies/cra-summary), file a fuller notification inside 72 hours, and close with a final report: within 14 days of a fix being available for an exploited vulnerability, within one month for a severe incident. Last, you owe security updates for a defined support period, at least five years unless the product is expected to be in use for a shorter time, and you have to tell buyers how long that period runs.

## How the CRA relates to NIS2 and ISO 27001

The CRA covers products, NIS2 covers the organisations that run services, and ISO 27001 is the management system that helps you meet both. The three do not compete; they stack. [NIS2](/en/insights/compliance/what-nis2-is-and-who-it-covers-in-norway/) puts security duties on operators in covered sectors. The CRA puts security duties on the thing you sell. A firm can fall under both: NIS2 because of the service it runs, the CRA because of the product it ships.

[ISO 27001](/en/insights/compliance/what-iso-27001-is-and-why-tenders-require-it/), the international standard for an information-security management system, is the backbone under both. Its controls for risk, supplier oversight, and incident response are the same muscles the CRA and NIS2 ask you to flex. Build the management system once and you serve both laws from it. One caveat: a certificate for the organisation does not prove the product. The CRA still wants product-level evidence, a risk assessment, technical documentation, and a conformity assessment per product, and the management system is what makes producing that evidence routine rather than a scramble. Norway also has its own [Digital Security Act](/en/insights/compliance/what-norways-digital-security-act-is/) for critical-service operators, which is the NIS-family rule, separate from the product rules in the CRA.

## What a Norwegian product company should do now

Norway is outside the EU but inside the EEA, so the CRA is not yet Norwegian law, though it already reaches you if you sell into the EU. The CRA is marked EEA-relevant and is under review for incorporation into the EEA Agreement by Norway and the other EEA-EFTA states, so the formal Norwegian applicability date is still pending. Treat any firm Norwegian enforcement date you see quoted as unconfirmed. None of that changes the market reality: a product you place on the EU market must meet the CRA from December 2027, whatever the EEA timeline does.

So the decision the board has to make this quarter is one item: confirm which of our products fall under the CRA, and who owns getting them ready. Name the owner, list the products, and mark each one as default, important, or critical. That single call starts the trail every other duty hangs from.

## Make the scope call this quarter

See FM CyberSecurity's credentials and partner certifications at [our partners page](/en/#partners). Or book a 30-minute board-level conversation with [our compliance practice](/en/services/compliance/) to map which of your products the CRA covers and what the path to December 2027 looks like.

## FAQ

### Does the CRA apply to us?

If you make, import, or resell any product that contains software or connects to a network and you sell it in the EU, assume yes until you have checked. That covers hardware with embedded software, standalone apps, and connected devices. Confirm against the scope and the product lists in [Regulation (EU) 2024/2847](https://eur-lex.europa.eu/eli/reg/2024/2847/oj) and write down, per product, whether it is in scope and which class it sits in.

### When does the CRA start to apply?

The CRA [entered into force on 10 December 2024](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act). The reporting duty for actively exploited vulnerabilities and severe incidents [starts on 11 September 2026](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act). The main obligations, including the CE-mark requirement, [start on 11 December 2027](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act).

### Does the CRA apply in Norway?

Norway is in the EEA, and the CRA still has to be incorporated into the EEA Agreement before it becomes Norwegian law. That process is in progress and the Norwegian applicability date is not yet confirmed, so treat any specific Norwegian date you see online as unconfirmed. Either way, if you place a product on the EU market, the CRA reaches you through that market regardless.

### How is the CRA different from NIS2?

The CRA regulates the security of the product you sell. NIS2 regulates the security of organisations that operate services in covered sectors. One firm can fall under both: NIS2 for the service it runs, the CRA for the product it ships. They have different scopes, different duties, and different deadlines.

### What does the CRA mean for the CE mark?

From 11 December 2027, a product with digital elements needs to meet the CRA's cybersecurity rules before you can affix the CE mark and place it on the EU market. The CE mark already signals product safety, and the CRA adds cybersecurity to what that mark stands for. No compliance, no mark, no sale.

---

For the full documentation index, see https://fmcybersecurity.com/llms.txt
For the complete corpus as a single document, see https://fmcybersecurity.com/llms-full.txt
