Cyber Resilience Act - Regulation (EU) 2024/2847

Prepare your digital product for CRA milestones in 2026-2027

CRAReady helps manufacturers, SaaS publishers and importers selling in the EU frame CRA obligations: product scope, security by design, SBOM, vulnerability handling, EU declaration and incident notification.

Content based on official European Commission, EUR-Lex and ENISA pages. It is not legal advice.

CRA product diagnostic

Estimate readiness in 5 minutes. The weighted score highlights gaps that block a conformity file: economic role, evidence, SBOM, disclosure process, technical documentation and security support.

  1. Classify the product: confirm whether the product is a product with digital elements, its intended use and the role of manufacturer, importer or distributor.
  2. Trace components: build an SBOM per version and connect dependencies, third-party components, licences, owners and support status.
  3. Run vulnerability handling: document intake, triage, remediation, coordinated disclosure, evidence and Article 14 notification readiness.
  4. Assemble the file: prepare technical documentation, conformity assessment, EU declaration and security instructions for users.

  1. Is the economic role documented for every product sold in the EU? Manufacturer, authorised representative, importer and distributor do not carry the same obligations.
  2. Do you maintain a product-version inventory with intended use, interfaces and processed data? The scope drives risk analysis and technical documentation.
  3. Does a machine-readable SBOM exist for active versions? CycloneDX or SPDX, signed or attached to the release, accelerates CVE response.
  4. Are vulnerabilities monitored, qualified and remediated with an SLA? Include dependencies, embedded components, container images and remote services tied to the product.
  5. Can your team notify ENISA/CSIRT within 24h and 72h? On-call chain, thresholds and minimum information must be ready before September 2026.
  6. Are security-by-design requirements mapped to evidence? Authentication, updates, secure default configuration, confidentiality, logging and hardening.
  7. Is CRA technical documentation versioned with the product? It must stay consistent with architecture, risks, tests, security support and the EU declaration.
  8. Do users receive clear security instructions? Configuration, updates, support period, vulnerability disclosure contact and use limitations.
  9. Is the EU declaration of conformity prepared for sales channels? Importers and marketplaces will ask for evidence consistent with CE marking.

SBOM and vulnerability handling checklist

A usable CRA programme connects every product version to its components, known vulnerabilities, triage decisions, fixes and notifications.

SBOM per release

Generate CycloneDX/SPDX for application, image, firmware, dependencies and third-party components; keep hash, date and owner.

CVE source of truth

Monitor NVD, supplier advisories, GitHub Security Advisories, OSV and critical component bulletins.

Documented triage

Assess exploitability, EU exposure, severity, affected versions, workaround and remediation decision.

Remediation SLA

Define SLA by severity, test evidence, advisory publication and secure update channel.

Coordinated disclosure

Publish security.txt, contact, optional PGP key, intake policy and acknowledgement process.

Article 14 notification

Prepare the 24h early warning, the 72h notification and the final report: 14 days after a fix is available, or within one month for a severe incident.
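The checklist above ties each release to its SBOM, to the advisories matched against it, to a triage decision with an SLA and to the Article 14 timeline. The following script is an added example, not CRAReady's code and not an official tool: it builds a minimal CycloneDX 1.5 SBOM for one product version, records the SBOM's SHA-256 digest and owner, matches the components against a constructed advisory list (standing in for what an NVD/OSV/GitHub Security Advisories monitor would return), and emits a triage record with a remediation due date and, for an actively exploited finding, the 24h/72h/14-day deadlines. The product name, component names, advisory identifiers, owner address and SLA values are all constructed placeholders.

```python
"""Added example: SBOM per release, advisory matching, triage record with SLA
and Article 14 deadlines. Not CRAReady's code; all sample data is constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# ASSUMPTION: internal remediation SLA by severity, in days (a policy choice,
# not a figure taken from the Regulation).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def build_sbom(product, version, components, owner, now):
    """Return a minimal CycloneDX 1.5 JSON document for one product version."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": now.isoformat(),
            "component": {"type": "application", "name": product, "version": version},
            # ASSUMPTION: the owner is carried as a custom CycloneDX property.
            "properties": [{"name": "example:owner", "value": owner}],
        },
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # Package URL lets the advisory match key on ecosystem + name.
                "purl": f"pkg:{c['ecosystem']}/{c['name']}@{c['version']}",
            }
            for c in components
        ],
    }


def sbom_digest(sbom):
    """SHA-256 of the canonical JSON serialisation; keep it with the release."""
    canonical = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def match_advisories(sbom, advisories):
    """Return (component, advisory) pairs where ecosystem, name and version hit."""
    hits = []
    for comp in sbom["components"]:
        for adv in advisories:
            prefix = f"pkg:{adv['ecosystem']}/{adv['package']}@"
            if comp["purl"].startswith(prefix) and comp["version"] in adv["affected_versions"]:
                hits.append((comp, adv))
    return hits


def article14_deadlines(aware, fixed=None):
    """24h early warning and 72h notification from awareness; final report 14 days
    after a fix is available (the one-month severe-incident case is not modelled)."""
    deadlines = {
        "early_warning_by": (aware + timedelta(hours=24)).isoformat(),
        "notification_by": (aware + timedelta(hours=72)).isoformat(),
    }
    if fixed is not None:
        deadlines["final_report_by"] = (fixed + timedelta(days=14)).isoformat()
    return deadlines


def triage(sbom, comp, adv, now, exploited):
    """Build the evidence record a conformity file needs for one finding."""
    record = {
        "product": sbom["metadata"]["component"]["name"],
        "product_version": sbom["metadata"]["component"]["version"],
        "sbom_sha256": sbom_digest(sbom),
        "advisory": adv["id"],
        "component": comp["purl"],
        "severity": adv["severity"],
        "remediation_due": (now + timedelta(days=SLA_DAYS[adv["severity"]])).isoformat(),
        "actively_exploited": exploited,
    }
    if exploited:  # only exploited findings trigger the Article 14 clock
        record["article14"] = article14_deadlines(now)
    return record


# Constructed sample data: awareness time, dependency list and advisory feed.
NOW = datetime(2026, 9, 15, 10, 0, tzinfo=timezone.utc)
COMPONENTS = [
    {"name": "examplelib", "version": "1.4.2", "ecosystem": "pypi"},
    {"name": "otherlib", "version": "3.0.0", "ecosystem": "pypi"},
]
ADVISORIES = [  # placeholder ids, not real CVE/OSV identifiers
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "pypi", "package": "examplelib",
     "affected_versions": ["1.4.0", "1.4.1", "1.4.2"], "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "pypi", "package": "otherlib",
     "affected_versions": ["2.9.0"], "severity": "critical"},
]


def run_release_check(exploited=False):
    """Build the SBOM for a constructed release and triage every advisory hit."""
    sbom = build_sbom("example-gateway", "5.2.0", COMPONENTS, "psirt@example.invalid", NOW)
    return [triage(sbom, c, a, NOW, exploited) for c, a in match_advisories(sbom, ADVISORIES)]


if __name__ == "__main__":
    print(json.dumps(run_release_check(exploited=True), indent=2))
```

The second constructed advisory does not match because the release ships version 3.0.0, which is outside its affected range; that is the point of matching on the SBOM rather than on package name alone. In a real programme the advisory list would come from the monitored feeds named in the checklist, and the digest stored in the triage record is what lets an auditor tie the finding back to the exact SBOM that was assessed.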

Templates ready to adapt

Short texts to start the file. Replace bracketed fields, validate with legal/compliance and keep history per product version.

EU declaration

CRA EU declaration of conformity

Template for software, SaaS or connected hardware made available on the EU market.

We, [manufacturer], declare under our sole responsibility that [product/version] conforms with applicable requirements of Regulation (EU) 2024/2847. Intended use: [use]. Technical documentation: [reference]. Applied standards/specifications: [list]. Security contact: [email]. Signature: [name, role, date].

24h notification

ENISA/CSIRT early warning

First message when an actively exploited vulnerability or severe incident is known.

Product: [name/version]. Type: [exploited vulnerability/severe incident]. Awareness time: [UTC]. Known affected Member States: [list]. Suspected malicious act: [yes/no/unknown]. Immediate measures: [containment]. Crisis contact: [name/email/phone].

72h notification

Full notification

Technical details, initial assessment and user mitigation measures.

Nature: [CVE/incident]. Affected versions: [list]. Initial impact: [confidentiality/integrity/availability]. Corrective or mitigating measures taken: [details]. User actions: [patch/configuration]. Information sensitivity: [level].

Final report

Post-fix final report

Close treatment with root cause, impact, fix and prevention.

Summary: [incident/vulnerability]. Root cause: [analysis]. Timeline: [UTC dates]. Severity and actual impact: [details]. Fix available: [version/link/hash]. User communication: [date/channel]. Preventive measures: [backlog and owners].

CRA 2026-2027 calendar

These milestones guide operational preparation. The official dates set out a staged application ahead of the general application date.

  1. Conformity assessment bodies: provisions on notification of conformity assessment bodies start to apply.
  2. Article 14 reporting: manufacturers must be able to report actively exploited vulnerabilities and severe incidents via the single platform.
  3. Industrialisation: stabilise SBOM, security updates, technical file, security tests, EU declaration and importer workflows.
  4. General application: main CRA obligations apply to products with digital elements made available on the EU market.
  5. Existing certificates: certain existing certificates or approval decisions may remain valid until this date if they do not expire earlier.


Need a CRA product scoping review?

Send your product type, target EU market, number of active versions and current SBOM maturity. Response with a short audit plan.
