Cyber Resilience Act

Check CRA when you ship commercial software, hardware, components, or remote data-processing features that connect directly or indirectly to a device or network.

Pure SaaS and non-commercial open-source software are not the default target, but remote data processing tied to a product, commercial open-source stewardship, import, and distribution can change the analysis.

The key operating themes are secure design, vulnerability handling, support-period disclosure, technical documentation, conformity assessment, EU declaration of conformity, and CE marking.

The CRA entered into force on 10 December 2024. Conformity body rules apply from 11 June 2026, Article 14 reporting applies from 11 September 2026, and full application starts on 11 December 2027.

The controlling source is Regulation (EU) 2024/2847 in the Official Journal. Secondary explainers are useful, but product decisions should trace back to the legal text.

Fast generated builds often miss secure defaults, update processes, dependency hygiene, vulnerability intake, and user-facing support-period information, which are exactly the product-security habits CRA pushes into the lifecycle.