EU Cyber Resilience Act (Regulation 2024/2847)
EU regulation establishing horizontal cybersecurity requirements for products with digital elements, meaning hardware and software products (and their remote data processing solutions) whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. Obligations fall on manufacturers, importers and distributors placing such products on the EU market. Annex I sets out 22 essential cybersecurity requirements: Part I (14 product security requirements covering secure-by-design and secure-by-default properties, access control, confidentiality, integrity, availability, attack surface reduction, logging and secure data removal) and Part II (8 vulnerability handling requirements covering SBOM, timely remediation, coordinated disclosure and secure, free-of-charge security updates). Non-compliance with the essential requirements is subject to administrative fines of up to EUR 15 million or 2.5% of total worldwide annual turnover, whichever is higher. The Article 14 reporting obligations apply from 11 September 2026; the regulation applies in full from 11 December 2027. Complements NIS2, which imposes obligations on essential and important entities, with product-level security requirements.
| Clause | Title | SP 800-53 Controls |
|---|---|---|
| CRA.Art14 | Incident reporting — actively exploited vulnerabilities and severe incidents notified via the single reporting platform to the coordinator CSIRT and ENISA: 24-hour early warning, 72-hour notification, final report within 14 days of a corrective or mitigating measure being available (for severe incidents, within one month of the incident notification) | |
| CRA.I.1 | General obligation — products designed, developed, and produced ensuring appropriate cybersecurity | |
| CRA.I.2a | No known exploitable vulnerabilities at market availability | |
| CRA.I.2b | Secure by default configuration with reset capability | |
| CRA.I.2c | Vulnerabilities addressable through security updates — where applicable, automatic security updates enabled by default, with a clear opt-out, notification of available updates and the option to temporarily postpone them | |
| CRA.I.2d | Protection from unauthorised access — authentication, identity management, report unauthorised access | |
| CRA.I.2e | Data confidentiality — encrypt relevant data at rest and in transit, state of the art | |
| CRA.I.2f | Data integrity — protect stored/transmitted data, commands, programs, configuration; report corruption | |
| CRA.I.2g | Data minimisation — only adequate, relevant, limited data processed | |
| CRA.I.2h | Availability — protect essential and basic functions, denial-of-service resilience | |
| CRA.I.2i | Minimise negative impact on availability/security of other devices and networks | |
| CRA.I.2j | Attack surface reduction — limit external interfaces to minimum necessary | |
| CRA.I.2k | Incident impact reduction — exploitation mitigation mechanisms | |
| CRA.I.2l | Monitoring and logging — record and monitor internal activity, user opt-out | |
| CRA.I.2m | Secure data removal — permanent deletion and secure transfer capability | |
| CRA.II.1 | SBOM and vulnerability identification — identify and document vulnerabilities and components, including an SBOM in a commonly used, machine-readable format covering at least the top-level dependencies | |
| CRA.II.2 | Timely remediation — address and remediate vulnerabilities without delay by providing security updates; where technically feasible, security updates are provided separately from functionality updates | |
| CRA.II.3 | Security testing — effective and regular tests and reviews | |
| CRA.II.4 | Public disclosure — share information about fixed vulnerabilities after security update | |
| CRA.II.5 | Coordinated vulnerability disclosure policy | |
| CRA.II.6 | Vulnerability reporting channel — contact address for vulnerability reports | |
| CRA.II.7 | Secure update distribution — mechanisms for timely and automatic security updates | |
| CRA.II.8 | Free security updates — disseminated without delay, free of charge, with advisory information | |
| CRA.Info.1 | Manufacturer identification details — name, registered trade name, trademark, postal and electronic addresses | |
| CRA.Info.2 | Vulnerability reporting single point of contact | |
| CRA.Info.3 | Product identification — type, batch, serial number, version | |
| CRA.Info.4 | Intended purpose and security environment description | |
| CRA.Info.5 | Known or foreseeable cybersecurity risk circumstances | |
| CRA.Info.6 | EU declaration of conformity access — simplified or full, with internet address | |
| CRA.Info.7 | Support period and end-date information | |
| CRA.Info.8a | Instructions for secure commissioning and lifetime use | |
| CRA.Info.8b | How changes to the product affect data security | |
| CRA.Info.8c | How to install security updates | |
| CRA.Info.8d | Secure decommissioning instructions — including data deletion | |
| CRA.Info.8e | How to disable automatic security updates | |
| CRA.Info.8f | Integration documentation — secure integration with other products and systems | |