What the CRA means for your connected devices
The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for all products with digital elements sold in the European Union.
What is the Cyber Resilience Act?
The CRA is an EU-wide regulation covering all products with digital elements: routers, sensors, cameras, edge compute devices, and more. It entered into force on 10 December 2024, with vulnerability reporting obligations beginning in September 2026 and full compliance required by December 2027. It establishes baseline cybersecurity requirements across the entire product lifecycle.
Who does the CRA apply to?
The CRA applies to all economic operators involved in placing products with digital elements on the EU market.
- Manufacturers: organisations that design, develop, or manufacture products with digital elements
- Importers: EU-based entities placing non-EU manufactured products on the market
- Distributors: entities making products available on the EU market
- If an importer or distributor places a product under their own name or trademark, they are treated as a manufacturer and bear full manufacturer obligations
Key requirements
Security by design
Products must be designed and developed with cybersecurity in mind from the outset, following secure development practices throughout the lifecycle.
Vulnerability reporting
Actively exploited vulnerabilities must be reported within 24 hours of discovery, with a follow-up within 72 hours and a final report within 14 days.
Lifecycle vulnerability management
Manufacturers must handle and remediate vulnerabilities effectively throughout the product support period.
Automated security updates
Products must support automatic security updates with the ability for users to configure update settings.
Software Bill of Materials (SBOM)
A machine-readable SBOM must be created and maintained, identifying all components and dependencies.
Technical documentation
Comprehensive technical documentation must be maintained and kept available for 10 years after the product is placed on the market.
Conformity assessment and CE marking
Products must undergo the appropriate conformity assessment procedure and bear the CE marking before being placed on the market.
Non-compliance consequences
- Up to €15 million or 2.5% of global annual turnover for serious non-compliance
- Up to €10 million or 1% of global annual turnover for other infringements
CRA compliance, built into the connectivity layer
SIMSY addresses CRA requirements at the network and device management level, giving you a head start on compliance.
Secure by design
Default-deny network posture with Edge API provisioning ensures devices are secure from first connection.
Vulnerability management
Remote firmware updates across your entire estate enable rapid patching and vulnerability remediation.
Continuous monitoring
Real-time network monitoring with anomaly detection supports 24-hour vulnerability reporting obligations.
Documentation and audit trail
Every network event is recorded, providing the evidence base for technical documentation requirements.
Device inventory
Complete device visibility via API integration and LAN discovery keeps your asset register accurate and up to date.
Get ahead of CRA compliance
Talk to us about how SIMSY can help you meet Cyber Resilience Act requirements.