Cyber Resilience Act: Time to Get Your Digital Products Compliant

The CRA (Cyber Resilience Act) is the European regulation that makes cybersecurity mandatory for digital products and IoT devices placed on the EU market. Ignoring it means exposing yourself to sanctions and market bans.
With SparkFabrik you can integrate CRA requirements into your product lifecycle (from architecture to DevSecOps pipelines), reducing risk and strengthening quality and market trust.


What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is the European regulation that introduces mandatory cybersecurity requirements for products with digital elements: software, connected devices, IoT products, and platforms.
Its goal is to reduce vulnerabilities in products placed on the EU market and make security a necessary requirement for obtaining the CE marking.


Does it apply to you?

It does not apply if:

  • Non-digital services

    You exclusively offer non-digital services, with no associated software or hardware products.

  • Internal software

    You develop internal software that is not sold, licensed, or distributed as a product to customers or partners.

  • Sector-specific regulations

    Your digital products are already fully covered by sector-specific regulations with equivalent or stricter security requirements (e.g. medical devices or vehicles).

You must comply if:

  • Digital products on the EU market

    You produce or sell digital products (software, connected devices, IoT products) on the European Union market.

  • SaaS platforms

    You offer SaaS platforms or applications to European customers.

  • Software components

    You supply software components (libraries, SDKs, modules, firmware) that are integrated into digital products intended for your customers.

What to do to meet the security requirements of the Cyber Resilience Act?

To comply, products with digital elements must meet CRA security requirements throughout their entire lifecycle: design, development, release, updates, and vulnerability management.
A final check or one-off audit is no longer enough: the regulation requires continuous cybersecurity by design and by default processes, with clear responsibilities for manufacturers, importers, and distributors.

  • Who is involved

    The CRA applies to manufacturers of software, hardware, connected devices and SaaS, importers who introduce digital products made in third countries into the EU market, distributors who place them on the market, and suppliers of components (libraries, SDKs, firmware, modules). Security responsibility falls on whoever makes the product available on the European market.

  • What it requires in practice

    The regulation requires structured vulnerability management processes, with risk assessment, periodic security testing, and rapid response to exploits. It mandates security updates for a minimum declared period and the protection of essential product functions and data.

  • Key deadlines

    June 11, 2026: conformity assessment body provisions become operative. September 11, 2026: obligation to report exploited vulnerabilities and incidents. December 11, 2027: all CRA requirements mandatory for new products.

  • Who can help you

    SparkFabrik supports you in evaluating products and architectures against CRA requirements, integrating DevSecOps and Secure SDLC practices into existing pipelines, adapting solutions not designed with security-by-design in mind, and setting up continuous security processes.

SparkFabrik's solutions for CRA compliance

We support you throughout the entire technical journey to CRA compliance: from initial assessment to implementation, through to ongoing security governance.


Focusing on risks and priorities

We always start with a clear understanding of your context. The goal is to define a concrete, prioritized CRA compliance roadmap that takes into account both regulatory requirements and business and time-to-market constraints.

  • Digital products: We map your products with digital elements and their related software and hardware components.

  • Software supply chain: We analyze dependencies, open source libraries, and external services.

  • Current processes: We evaluate your existing development, release, and vulnerability management processes.


Building a Trusted and Resilient Software Supply Chain

Paolo Mainardi's talk on software supply chain security and the conscious use of open source.

The Cyber Resilience Act fits into a broader picture: the security of digital products increasingly depends on the security of the software supply chain and the conscious use of open source.

Our CTO, Paolo Mainardi, has been working on these topics for years. In this talk he explores the current state of the software supply chain, major global incidents (SolarWinds, Log4Shell, Codecov), open source ecosystem vulnerabilities, and possible mitigations using tools such as Sigstore for digital signatures, Syft for SBOM generation and Grype for automated vulnerability scanning.


Everything you need to know about the Cyber Resilience Act

  • The CRA was created to address two main problems: the low level of security in many digital products (widespread vulnerabilities, absent or inconsistent security updates) and the lack of information available to users and companies to evaluate the security of the products they purchase. In a context where a single compromised device can propagate an attack across an entire organization or supply chain, the EU chose to introduce common minimum requirements, valid across the internal market.

  • Manufacturers, importers, and distributors of products with digital elements placed on the European Union market must comply with the CRA. This generally includes: those who sell software as a product or service (including many SaaS models), those who manufacture connected devices or IoT, and those who supply software or hardware components integrable by third parties. The CRA applies to both B2B and B2C contexts. SMEs are also involved, although they can benefit from support tools and simplified procedures provided by the regulation.

  • Some products with digital elements are excluded because they are already regulated by more specific or stricter sector regulations, for example: certain medical devices regulated by dedicated standards, automotive sector products, aviation or maritime equipment, products developed exclusively for defense or national security, spare parts identical to already compliant components. This is why it is important to carefully analyze your catalog, evaluating both product categories and regulations already applicable in the sector.

  • The CRA introduces a significant penalty regime. The most serious violations can result in fines of up to millions of euros or a percentage of the economic operator's global annual turnover. National authorities can also impose corrective measures such as: withdrawal or recall of non-compliant products, market placement bans, obligation to report exploited vulnerabilities or security incidents within very tight deadlines.

  • The CRA applies to products with digital elements placed on the market after the deadlines set by the regulation. However, if you continue to sell or update existing products beyond those dates, you will still need to consider their compliance. The difference is between legacy products that are no longer on the market and products still actively marketed or supported. Therefore, if you have legacy products still on sale or under maintenance, it is advisable to evaluate in advance whether and how to bring them to a security level compatible with the CRA.

  • Yes, in many cases. The CRA does not only concern hardware or physical devices: numerous SaaS services and cloud platforms fall within scope when offered as products with digital elements on the EU market. You need to evaluate the business model (license, subscription, managed service), the method by which the product is made available to users, and the type of connection to the customer's systems. Analyzing the delivery model and technical perimeter is a key step in understanding if and how the CRA applies to your cloud solutions.

  • It means integrating cybersecurity into all phases of the product lifecycle: risk analysis and security requirements definition already at the design phase, secure development with automated controls (code review, static/dynamic analysis, dependency scanning), vulnerability management throughout the product's life, planning security updates and guaranteed minimum support, and runtime monitoring to detect and manage incidents. In practice, it means adopting a true Secure SDLC supported by DevSecOps practices.

  • The CRA does not prohibit the use of third-party components or open source software, but requires them to be managed consciously. This means: maintaining an up-to-date inventory of dependencies (SBOM), monitoring known vulnerabilities of used components, defining clear update, replacement, and deprecation policies, and evaluating the impact of components on the entire product security architecture. The software supply chain becomes an integral part of the conformity assessment.

  • The European security regulatory landscape is evolving on multiple fronts: the CRA focuses on the security of products with digital elements (hardware and software), the NIS2 directive aims at the resilience of operators, infrastructures, and essential services, the AI Act regulates artificial intelligence systems (particularly high-risk ones) to ensure safety and protection of fundamental rights. Many organizations may be subject to more than one of these regulations. Seeing them as complementary is essential for building a coherent security strategy across the entire supply chain.

From December 11, 2027 your products must meet the requirements of the Cyber Resilience Act.

Talk to an expert and find out how to get compliant in time.

