
Cyber Resilience Act

The Cyber Resilience Act (CRA) is an EU regulation that defines harmonization requirements for products with digital elements. With this regulation, the EU aims to require manufacturers, importers, and distributors to consider and implement cybersecurity in their products. Its motivation is to address various identified problems in the current cybersecurity landscape in the EU internal market.

The number of known vulnerabilities—errors in design or libraries—in software is increasing every year. The CRA is therefore intended to ensure that security gaps are identified and eliminated before products are placed on the market. This will prevent unsafe products from reaching the market in the first place.

What manufacturers need to know

The Cyber Resilience Act (CRA) was enacted by the European Council in October 2024. It defines two key dates that are relevant for manufacturers, importers and distributors of products with digital elements. From 11 December 2027, a product with digital elements may only be CE marked and sold in the EU internal market if it complies with the requirements of the CRA.

Violations are subject to heavy fines: up to €15 million or 2.5% of the company’s global annual turnover, whichever is higher. Furthermore, the market surveillance authority can also remove products from the market or demand improvements.

Starting 11 September 2026
There is a reporting obligation: companies must report severe security incidents and actively exploited vulnerabilities affecting the cybersecurity of a product to national (CSIRT) and European authorities (ENISA).
Starting 11 December 2027
All technical and organisational requirements of the CRA must be fulfilled. These include risk-based security measures and the provision of security updates throughout the entire defined support period.

Am I affected by the Cyber Resilience Act?

This is a question currently being asked by companies across Europe! Find out the answer with our 1-MINUTE self-check!

How we support you in implementing CRA!

Limes Security offers a wide range of support services for the structured and practical implementation of the Cyber Resilience Act – from initial orientation to technical implementation and training.

The services offered are interlinked and enable structured, traceable and practical implementation of CRA requirements – tailored to individual product and company needs. The aim is to provide the best possible support as a partner in the efficient development of a safe, CRA-compliant product.

Provision of guidance and interpretations on normative and regulatory requirements

Regular check-ins to have an external sparring partner for discussing plans, implementations, and open questions to ensure that the project does not get stuck!

Review of internally created documents

Support in the creation of concrete security concepts for products!

Joint implementation of security processes for learning on the job, such as workshops on threat modeling or security testing for your product!

Creation of documents and provision of templates

The Limes Academy also offers practical OT security training and certification courses for professionals who not only want to understand security, but also want to actively shape it. Two particularly relevant training courses in the context of the Cyber Resilience Act are:

SEC.311 Secure Development Process for OT and (I)IoT

Basic training to develop products compliant with the Cyber Resilience Act, Machinery Regulation, IEC 62443-4-1 and Co.

SEC.331 Secure Embedded & (I)IoT-Products

Basic training in implementing security correctly and holistically in embedded and IoT products


We – Limes Security and Ginzinger Electronic Systems – have bundled our expertise to provide you with a clear overview of the CRA requirements, including specific recommendations for practical implementation.