The EU Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, is a European Union regulation adopted as part of the EU Cybersecurity Strategy.

With this regulation, the EU aims to ensure that software producers take cybersecurity seriously from the design and development phases through to production and post-market activities — including vulnerability handling and security updates — to minimize risks once products are placed on the EU market. It also seeks to encourage users to consider cybersecurity when selecting such products.

The regulation sets the boundary conditions for the development of secure products and improves the visibility of cybersecurity-related information for both notified bodies (the third-party auditors) and users. It also sets out the European Commission's obligations to oversee and facilitate the effective implementation of the CRA, and defines the conformity assessment and certification procedures.

By default, software producers may self-assess their products' conformity with the essential cybersecurity requirements through internal control (Module A). Products classified as important (Annex III) or critical (Annex IV) face stricter routes: important products in class II, and class I products that do not apply harmonised standards or common specifications, require a conformity assessment involving a notified body, and critical products are expected to obtain a European cybersecurity certificate where a scheme is available. Where a notified body assesses the producer's quality system (Module H), it also carries out ongoing surveillance.

Summary of the software producers’ obligations under the EU CRA:

  • Integrate security measures based on risk assessments in design, development, and production, and demonstrate compliance with the essential cybersecurity requirements in Annex I, Part I.
  • Address vulnerabilities throughout the product lifecycle and provide timely security updates, demonstrating compliance with Annex I, Part II.
  • Report actively exploited vulnerabilities and severe incidents affecting the security of the product to ENISA and the designated CSIRT through the single reporting platform, within the deadlines in Article 14 (early warning within 24 hours, full notification within 72 hours).
  • Clearly communicate cybersecurity features, update policies, and support periods to users, as required in Annex II.
  • Prepare technical documentation in accordance with Annex VII.
  • Affix the CE marking to demonstrate conformity, as required by Articles 29 and 30.
  • Issue a written EU Declaration of Conformity for each product and keep it, together with the technical documentation, at the disposal of market surveillance authorities for at least 10 years after the product is placed on the market or for the support period, whichever is longer, as set out in Article 28 and Annex V.

While some of the Cyber Resilience Act's requirements are specific and clear, such as the obligation to affix the CE marking, report actively exploited vulnerabilities to ENISA, or retain the declaration of conformity for at least 10 years, other provisions are more general or open-ended, allowing manufacturers to rely on existing cybersecurity frameworks for implementation. This flexibility enables alignment with established best practices and standards, letting manufacturers meet the regulation's cybersecurity objectives in a manner that suits their particular products and risk profile.

How Chainloop Helps You Track and Verify CRA Compliance

Chainloop currently prioritizes compliance with the essential cybersecurity requirements concerning the security properties of products with digital elements and vulnerability handling, as outlined in Annex I of the Cyber Resilience Act. To support this, Chainloop provides a set of automated policies and manual assessment checks designed to help organizations understand their current compliance posture. While this toolkit will evolve over time, it offers a strong starting point for identifying gaps and aligning with key CRA obligations.

At its core, the CRA is about applying proven security best practices. Even though harmonised standards are still under development, organizations can — and should — begin aligning today by adopting industry-recognized security practices. This lays the groundwork for a structured and sustainable path toward full compliance.

Part I: Cybersecurity requirements concerning the security properties of the products

The following requirements are confirmed manually (self-assessment) to document that cybersecurity is embedded in the design and development process.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-cybersecurity-req-1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | Self-assessment
cra-cybersecurity-req-2-a | Products with digital elements shall be made available on the market without known exploitable vulnerabilities. | Self-assessment
cra-cybersecurity-req-2-b | Products with digital elements shall be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state. | Self-assessment
cra-cybersecurity-req-2-c | Products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic security updates that are installed within an appropriate timeframe enabled as a default setting, with a clear and easy-to-use opt-out mechanism, through the notification of available updates to users, and the option to temporarily postpone them. | Self-assessment
cra-cybersecurity-req-2-d | Products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access. | Self-assessment
cra-cybersecurity-req-2-e | Products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms, and by using other technical means. | Self-assessment
cra-cybersecurity-req-2-f | Products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions. | Self-assessment
cra-cybersecurity-req-2-g | Products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (data minimisation). | Self-assessment
cra-cybersecurity-req-2-h | Products with digital elements shall protect the availability of essential and basic functions, also after an incident, including through resilience and mitigation measures against denial-of-service attacks. | Self-assessment
cra-cybersecurity-req-2-i | Products with digital elements shall minimise the negative impact by the products themselves or connected devices on the availability of services provided by other devices or networks. | Self-assessment
cra-cybersecurity-req-2-j | Products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces. | Self-assessment
cra-cybersecurity-req-2-k | Products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques. | Self-assessment
cra-cybersecurity-req-2-l | Products with digital elements shall provide security related information by recording and monitoring relevant internal activity, including the access to or modification of data, services or functions, with an opt-out mechanism for the user. | Self-assessment
cra-cybersecurity-req-2-m | Products with digital elements shall provide the possibility for users to securely and easily remove on a permanent basis all data and settings and, where such data can be transferred to other products or systems, ensure that this is done in a secure manner. | Self-assessment

Part II: Vulnerability handling requirements

Our manual proofs and automated policies verify that your vulnerability management process follows industry-recommended practices that support compliance with the CRA:

Manufacturers of products with digital elements shall identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-1 | Identify all components included in your software: an SBOM is present and includes the generally adopted minimum elements recommended by the US National Telecommunications and Information Administration (NTIA). Perform regular vulnerability scanning to detect known issues across all software components: an SCA scan is performed daily. | sbom-present (automatic), sbom-ntia (automatic), vulnerability-scan-present(periodicity:daily) (automatic)
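To make the "NTIA minimum elements" check concrete, here is an added example, written for this page and not Chainloop's own sbom-ntia policy (which is implemented separately): a Python script that walks a CycloneDX JSON SBOM and reports which of the seven minimum elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) are missing. The embedded SBOM is constructed for the example; the second component deliberately lacks a version and a unique identifier so the gaps are visible.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum elements.

Added example; not Chainloop's sbom-ntia policy. NTIA minimum elements:
supplier name, component name, component version, other unique identifiers,
dependency relationship, author of SBOM data, timestamp.
"""
import json
import sys
from typing import Any, Dict, List

# Constructed sample SBOM (not from a real build). The second component
# deliberately lacks a version and any unique identifier.
SAMPLE_SBOM: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-01-15T10:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"type": "application", "name": "example-app",
                      "version": "1.2.3", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.0.1",
         "supplier": {"name": "Foo Project"},
         "purl": "pkg:generic/libfoo@2.0.1", "bom-ref": "libfoo"},
        {"type": "library", "name": "libbar",
         "supplier": {"name": "Bar Inc"}, "bom-ref": "libbar"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["libfoo", "libbar"]}],
}


def ntia_findings(bom: Dict[str, Any]) -> List[str]:
    """Return human-readable gaps; an empty list means every minimum
    element is present for the document and for each component."""
    findings: List[str] = []
    meta = bom.get("metadata") or {}

    # Timestamp and author of the SBOM data. CycloneDX records the author
    # either as metadata.authors or as the generating tool (metadata.tools).
    if not meta.get("timestamp"):
        findings.append("metadata.timestamp missing")
    if not meta.get("authors") and not meta.get("tools"):
        findings.append("metadata.authors/tools missing (author of SBOM data)")

    components = bom.get("components") or []
    if not components:
        findings.append("no components listed")

    declared_refs = set()
    for i, comp in enumerate(components):
        label = comp.get("name") or f"components[{i}]"
        if not comp.get("name"):
            findings.append(f"{label}: name missing")
        if not comp.get("version"):
            findings.append(f"{label}: version missing")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{label}: supplier name missing")
        # "Other unique identifiers": a purl, CPE or SWID tag.
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            findings.append(f"{label}: no unique identifier (purl/cpe/swid)")
        if comp.get("bom-ref"):
            declared_refs.add(comp["bom-ref"])

    # Dependency relationship: every declared component should appear in the
    # dependency graph, either as a node or as something's dependency.
    deps = bom.get("dependencies") or []
    if not deps:
        findings.append("dependencies missing (dependency relationship)")
    else:
        in_graph = set()
        for d in deps:
            in_graph.add(d.get("ref"))
            in_graph.update(d.get("dependsOn") or [])
        for ref in sorted(declared_refs - in_graph):
            findings.append(f"{ref}: absent from dependency graph")
    return findings


def ntia_compliant(bom: Dict[str, Any]) -> bool:
    return not ntia_findings(bom)


if __name__ == "__main__":
    # Usage: python ntia_check.py [sbom.cdx.json]; without an argument the
    # constructed sample is checked. Exit code 1 signals a gap, for CI use.
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for gap in ntia_findings(bom):
        print("FAIL:", gap)
    sys.exit(0 if ntia_compliant(bom) else 1)
```

The dependency check is deliberately lenient: a component counts as "related" if it appears anywhere in the graph, which is the minimum the NTIA element asks for. A stricter policy could also require that the root component from metadata.component is the graph's entry point.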

Manufacturers of products with digital elements shall in relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-2 | Remediate vulnerabilities based on risk: critical vulnerabilities are fixed within 2 days. | vulnerabilities(severity:critical SLA:48h) (automatic)
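The 48-hour figure is only meaningful if the clock is measured consistently. As an added example (not Chainloop's vulnerabilities policy), the following Python code evaluates that SLA over a constructed list of findings with placeholder identifiers: it treats findings that are still open past the window as current breaches, findings that were fixed after the window as historical breaches, and ignores severities for which no SLA is defined. Timestamps are parsed as RFC 3339 and forced to UTC, since mixing naive and zone-aware times is the usual source of wrong SLA arithmetic.

```python
"""Evaluate a remediation SLA over vulnerability findings.

Added example; not Chainloop's vulnerabilities(severity:critical SLA:48h) policy.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Only the 48-hour critical window comes from the CRA policy on this page.
SLA: Dict[str, timedelta] = {"critical": timedelta(hours=48)}

# Constructed findings (placeholder ids, not real CVEs). first_seen is when a
# scan first reported the issue; fixed_at is None while it is still open.
FINDINGS: List[Dict[str, Optional[str]]] = [
    {"id": "VULN-A", "severity": "critical", "first_seen": "2025-03-09T00:00:00Z", "fixed_at": None},
    {"id": "VULN-B", "severity": "critical", "first_seen": "2025-03-07T00:00:00Z", "fixed_at": None},
    {"id": "VULN-C", "severity": "critical", "first_seen": "2025-03-01T00:00:00Z", "fixed_at": "2025-03-02T12:00:00Z"},
    {"id": "VULN-D", "severity": "critical", "first_seen": "2025-03-01T00:00:00Z", "fixed_at": "2025-03-04T00:00:00Z"},
    {"id": "VULN-E", "severity": "high", "first_seen": "2025-02-20T00:00:00Z", "fixed_at": None},
]
# Fixed evaluation time so the example is reproducible; a real run uses datetime.now(timezone.utc).
NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into a zone-aware UTC datetime.
    Naive timestamps are rejected rather than silently assumed local."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"naive timestamp not allowed: {value}")
    return dt.astimezone(timezone.utc)


def sla_violations(findings: List[Dict[str, Optional[str]]], now: datetime,
                   sla: Dict[str, timedelta] = SLA) -> List[Tuple[str, str, int]]:
    """Return (id, status, hours_elapsed) for every finding that exceeded its SLA.
    status is 'open' (still breaching) or 'fixed late' (historical breach).
    Findings whose severity has no SLA entry are ignored."""
    violations: List[Tuple[str, str, int]] = []
    for f in findings:
        limit = sla.get((f.get("severity") or "").lower())
        if limit is None:
            continue
        start = parse_ts(f["first_seen"])
        end = parse_ts(f["fixed_at"]) if f.get("fixed_at") else now
        elapsed = end - start
        if elapsed > limit:
            status = "fixed late" if f.get("fixed_at") else "open"
            violations.append((f["id"], status, int(elapsed.total_seconds() // 3600)))
    return violations


if __name__ == "__main__":
    for vuln_id, status, hours in sla_violations(FINDINGS, NOW):
        print(f"{vuln_id}: {status} after {hours}h (limit {SLA['critical']})")
```

Keeping "fixed late" findings in the output matters for audit evidence: a point-in-time scan that shows zero open criticals says nothing about whether past criticals were actually remediated within the window.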

Manufacturers of products with digital elements shall apply effective and regular tests and reviews of the security of the product with digital elements.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-3 | Perform regular vulnerability scanning to detect known issues across all software components: an SCA scan is performed daily. | vulnerability-scan-present(periodicity:daily) (automatic)

Manufacturers of products with digital elements shall once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-4 | Information disclosure: publish security advisories with the required information. | security-advisories-public (manual proof), security-advisory-evidence (optional manual proof), security-advisories-process-exists (manual proof), security-advisories-process (manual proof), security-advisory-details (manual proof)

Manufacturers of products with digital elements shall put in place and enforce a policy on coordinated vulnerability disclosure.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-5 | Maintain a coordinated vulnerability disclosure (CVD) policy, outlining how reports are handled and timelines for response. | cvd-process-exists (manual proof), cvd-triggering-communicated (manual proof), cvd-team-defined (manual proof), cvd-response-guidance (manual proof), cvd-communication-guidance (manual proof), cvd-vendors-coordination (manual proof), cvd-evidence (optional manual proof), cvd-triggering-defined (manual proof), cvd-rollout-guidance (manual proof)

Manufacturers of products with digital elements shall take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-6 | Implement a vulnerability reporting mechanism to enable users and researchers to report issues. | reporting-mechanism-exists (manual proof), security-contact-exists (manual proof), security-response-team-exists (manual proof), security-response-sla-exists (manual proof), reporting-mechanism-public (manual proof), security-feeds-monitoring-exists (optional manual proof), reporting-mechanism-evidence (optional manual proof)

Manufacturers of products with digital elements shall provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-7 | Provide a mechanism for distribution of security updates. | update-distribution-automatic (optional manual proof), updates-distribution-public (manual proof), updates-distribution-evidence (optional manual proof), updates-distribution-policy-exists (manual proof), updates-distribution-information (manual proof)

Manufacturers of products with digital elements shall ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken.

Requirement | Description | Chainloop Policy
--- | --- | ---
cra-vulnerability-handling-req-8 | Provide a mechanism for timely distribution of security updates and transparent disclosure of relevant vulnerability information to users. | updates-distribution-timeline (manual proof), updates-distribution-free (manual proof), disclosure-policy-exists (manual proof), disclosure-timeline-exception (manual proof), disclosure-policy-evidence (optional manual proof)