
Getting Started with the Cyber Resilience Act

The Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements sold on the EU market. This covers hardware and software products that can connect to a device or network - from IoT devices and operating systems to firmware and standalone software applications. The CRA entered into force on December 10, 2024. Reporting obligations for actively exploited vulnerabilities begin September 11, 2026, and the full set of product security requirements becomes enforceable on December 11, 2027. Matproof maps CRA obligations to controls, evidence workflows, and vulnerability management processes so manufacturers can demonstrate compliance to market surveillance authorities.
Activate the CRA under Settings - Frameworks - Cyber Resilience Act. Controls are pre-populated based on whether your products are classified as default, important (Class I or II), or critical.

Am I in Scope?

The CRA applies to any organization that places products with digital elements on the EU market:
| Role | Definition | Key Obligations |
|---|---|---|
| Manufacturer | Develops or has a product developed and markets it under their name | Full compliance: secure by design, vulnerability handling, technical documentation, conformity assessment |
| Importer | Places a product from a non-EU manufacturer on the EU market | Verify manufacturer compliance, ensure product bears CE marking, maintain documentation |
| Distributor | Makes a product available on the EU market (without modifying it) | Verify CE marking and documentation, report known vulnerabilities to manufacturer |
Open source software developed in a non-commercial context is generally excluded. However, if an open source project is used commercially or integrated into a commercial product, the CRA may apply to the integrator as the manufacturer.

Product Classification

The CRA uses a tiered classification for products with digital elements:
| Category | Examples | Conformity Assessment |
|---|---|---|
| Default | Most consumer and business software, IoT devices without critical functions | Self-assessment (Annex VIII) |
| Important - Class I | Password managers, VPNs, network management systems, security information and event management (SIEM) | Harmonised standard or third-party assessment |
| Important - Class II | Operating systems, firewalls, tamper-resistant microprocessors, industrial automation systems | Third-party assessment required |
| Critical | Hardware devices with security boxes, smart meter gateways, smartcards | European cybersecurity certification required |
Most software products fall into the default category and can use self-assessment. Check Annexes III and IV of the regulation for the complete product lists in each class.

Key Enforcement Dates

| Date | Milestone |
|---|---|
| December 10, 2024 | Regulation enters into force |
| June 11, 2026 | Conformity assessment bodies can begin operating |
| September 11, 2026 | Vulnerability and incident reporting obligations apply |
| December 11, 2027 | Full enforcement - all product security requirements, conformity assessments, penalties apply |

Core Requirements in Matproof

Secure by Design

Matproof modules: Controls

Products must be designed and developed with appropriate cybersecurity measures from the start. No known exploitable vulnerabilities at time of release.

Vulnerability Handling

Matproof modules: Incidents, Controls

Manufacturers must identify and remediate vulnerabilities throughout the product’s expected lifetime (minimum 5 years). Provide security updates free of charge.

Technical Documentation

Matproof modules: Evidence, Policies

Maintain documentation covering security architecture, risk assessment, SBOM (Software Bill of Materials), and testing results.

Conformity Assessment

Matproof modules: Audit Programs

Complete the applicable conformity assessment procedure before placing the product on the market. Affix CE marking.

Incident Reporting

Matproof modules: Incidents

Report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware. Report severe incidents within 72 hours.

Security Updates

Matproof modules: Controls

Provide timely, free security updates for the entire support period. Document your update delivery mechanism.

Step 1 - Inventory your products with digital elements

List every product your organization manufactures, imports, or distributes that connects to a device or network.

  • Go to Controls - CRA - Product Inventory
  • For each product, document: product name, version, intended use, connectivity type, and expected product lifetime
  • Classify each product (default, important Class I/II, or critical)

Step 2 - Conduct product security risk assessments

For each product:

  • Go to Risk Management - New Risk Assessment
  • Assess cybersecurity risks based on the product’s intended use, connectivity, and data processed
  • Document risk mitigation measures built into the product design
  • Include risks from third-party components and dependencies

Step 3 - Implement secure development practices

The CRA requires security to be integrated into the development lifecycle:

  • Implement secure coding standards and code review processes
  • Conduct security testing (static analysis, dynamic analysis, fuzz testing)
  • Manage third-party dependencies and track known vulnerabilities
  • Generate and maintain a Software Bill of Materials (SBOM) for each product
  • Document these practices in your Secure Development Policy

Go to Policies - Generate to create your CRA-aligned Secure Development Policy.

Step 4 - Establish vulnerability handling

Set up your vulnerability management process:

  • Configure the Incidents module for vulnerability intake (from researchers, users, and monitoring)
  • Define your coordinated vulnerability disclosure policy
  • Establish a process for issuing security updates within a reasonable timeframe
  • Maintain a vulnerability log with remediation timelines
  • Provide a public contact point for vulnerability reports

From September 2026, you must report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware. Set up your reporting workflow before this deadline.

Step 5 - Build technical documentation

The CRA requires comprehensive technical documentation including:

  • Product description and intended purpose
  • Security architecture and design decisions
  • Risk assessment results
  • SBOM listing all components and dependencies
  • Testing and validation results
  • Instructions for secure configuration and use

Upload all documentation as evidence against the relevant CRA controls in Matproof.

Step 6 - Conformity assessment

Complete the applicable assessment procedure:

  • Go to Audit Programs - New Audit - CRA
  • For default products: complete the self-assessment using the internal control procedure (Annex VIII)
  • For Important Class II and Critical products: engage a notified body for third-party assessment
  • Affix CE marking and draft the EU declaration of conformity
  • Register in the EU product database where required

Step 7 - Post-market monitoring

After placing the product on the market:

  • Monitor for new vulnerabilities in your product and its components
  • Issue security updates as needed and notify users
  • Report actively exploited vulnerabilities to ENISA (24-hour deadline from September 2026)
  • Report severe security incidents within 72 hours
  • Update technical documentation when the product changes materially
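As an added example (not Matproof's own code or workflow), the Python below turns the reporting rules from Steps 4 and 7 into a check over a vulnerability log: it computes the ENISA deadline from the awareness time using the 24-hour (actively exploited) and 72-hour (severe incident) windows, treats entries from before September 11, 2026 as not yet reportable, and flags what is pending, overdue, or reported late. The log structure, field names and sample entries are constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Start date and deadlines as stated on this page; all timestamps are UTC.
REPORTING_OBLIGATIONS_START = datetime(2026, 9, 11, tzinfo=timezone.utc)
ACTIVELY_EXPLOITED_DEADLINE = timedelta(hours=24)
SEVERE_INCIDENT_DEADLINE = timedelta(hours=72)

@dataclass
class LogEntry:  # one row of the vulnerability log; field names are this example's own
    summary: str
    aware_at: datetime                 # when the manufacturer became aware
    actively_exploited: bool = False   # triggers the 24-hour ENISA deadline
    severe_incident: bool = False      # triggers the 72-hour ENISA deadline
    reported_at: Optional[datetime] = None

def reporting_deadline(entry: LogEntry) -> Optional[datetime]:
    """ENISA deadline for the entry, or None when nothing is reportable."""
    if entry.aware_at < REPORTING_OBLIGATIONS_START:
        return None  # obligations are not yet in effect on this awareness date
    if entry.actively_exploited:  # the stricter 24-hour clock wins when both apply
        return entry.aware_at + ACTIVELY_EXPLOITED_DEADLINE
    if entry.severe_incident:
        return entry.aware_at + SEVERE_INCIDENT_DEADLINE
    return None

def reporting_status(entry: LogEntry, now: datetime) -> str:
    deadline = reporting_deadline(entry)
    if deadline is None:
        return "not reportable"
    if entry.reported_at is not None:
        return "reported on time" if entry.reported_at <= deadline else "reported late"
    return "overdue" if now > deadline else "pending"

def triage(log, now: datetime) -> dict:
    # Map each entry's summary to its reporting status at time `now`.
    return {e.summary: reporting_status(e, now) for e in log}

def utc(*ymdhm): return datetime(*ymdhm, tzinfo=timezone.utc)

# Constructed sample log; the identifiers below are made up for this example.
SAMPLE_NOW = utc(2026, 10, 2, 12, 0)
SAMPLE_LOG = [
    LogEntry("VULN-001 auth bypass", utc(2026, 10, 1, 8, 0), actively_exploited=True),
    LogEntry("VULN-002 info leak", utc(2026, 10, 1, 9, 0)),
    LogEntry("VULN-003 RCE", utc(2026, 10, 2, 10, 0), actively_exploited=True),
    LogEntry("INC-007 update server breach", utc(2026, 9, 30, 6, 0),
             severe_incident=True, reported_at=utc(2026, 10, 1, 0, 0)),
    LogEntry("VULN-000 legacy exploit", utc(2026, 8, 1, 0, 0), actively_exploited=True),
]
```

Calling `triage(SAMPLE_LOG, SAMPLE_NOW)` marks VULN-001 as overdue (its 24-hour window closed at 08:00 on October 2), VULN-003 as pending, INC-007 as reported on time, and the two remaining entries as not reportable.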

Penalties

| Violation | Maximum Penalty |
|---|---|
| Essential cybersecurity requirements (Annex I) | Up to 15M EUR or 2.5% of global annual turnover, whichever is higher |
| Other CRA obligations | Up to 10M EUR or 2% of global annual turnover, whichever is higher |
| Incorrect or misleading information to authorities | Up to 5M EUR or 1% of global annual turnover, whichever is higher |

Next Steps