Login Try for Free Book a Demo
Login Book a Demo Try for Free
Login Try for Free Book a Demo
EU Cyber Resilience Act

Your Roadmap to EU CRA Compliance

This landmark regulation establishes rigorous security standards for IoT manufacturers to protect critical digital infrastructure in the EU and beyond. Take steps to comply today to strengthen the security of your connected devices, ensure continued access to the European market, and get ahead of the evolving regulatory landscape.  

Stay Ahead of the Regulations with Finite State

Download your free CRA datasheet today →

Preparing Manufacturers for the EU CRA

Core Requirements

Secure by design

Secure by Design Principles

Under the CRA, manufacturers must integrate security practices throughout the product lifecycle, including

  • Secure boot 
  • Access controls 
  • Encryption
  • Default security settings
  • Lifecycle security management
Secure by Design Principles
threat intelligence icon

Vulnerability Handling

IoT manufacturers must proactively manage vulnerabilities and respond swiftly to security incidents with

  • Continuous monitoring 
  • Formal reporting processes
  • 24hr disclosure periods 
  • Secure patch distribution 
  • End-of-life policy for legacy devices
Vulnerability Handling
SBOM icon

SBOM & Technical Documentation

The CRA improves software supply chain transparency by imposing specific security requirements on manufacturers, such as 

  • Including proprietary & open-source components in SBOMs & updating them with each modification
  • Include hardware & software configurations, security features, update protocols, & maintenance guidelines in technical documentation 
SBOM & Technical Documentation
product lifecycle

Product Lifecycle Support

The EU CRA demands product lifecycle support to keep devices secure through their operational lifespan, including 

  • Defined End-of-Life Policies 
  • Long-term maintenance commitments 
  • Provision for timely security updates 
  • Incident response planning 
Product Lifecycle Support
software supply chain

Software Supply Chain Security

Reliance on third-party software increases attack surfaces, which is why the CRA requires

  • Comprehensive assessments of third-party suppliers
  • Continuous vulnerability scanning 
  • Robust logging & auditing practices  
  • Open source risk management practices 
Software Supply Chain Security
conformity assessments

Conformity Assessments

The CRA introduces mandatory conformity assessments aligned to product risk categories 

  • Self-assessments: Default & Important Class I (with exceptions) 
  • 3rd-party assessments: Important Class II 
  • European Common Criteria certification: Critical
Conformity Assessments

Go deeper into each requirement

Discover how cyber regulations and compliance are shaping enterprise security for device manufacturers

Join regulations experts Eric Greenwald and Dr Amit Elazari for this insightful webinar to uncover practical strategies to prepar your organization for compliance with global requirements.

Watch Now →

regulations webinar
platform images small (2)

Meet Finite State, Your Partners in Compliance

Leverage expertise from former U.S. government officials and get the support you need to tackle EU CRA requirements with confidence 

  • Create audit-ready reports to demonstrate product compliance
  • Generate SBOMs with VDR/VEX vulnerability data in industry-standard formats (CycloneDX, SPDX)
  • Employ continuous monitoring and alerting to meet regulatory reporting requirements

Book a Demo to Learn More →

EU CRA Compliance Timeline

Dec 11, 2027
The EU CRA becomes fully applicable
Dec 11, 2027
Sept 11, 2026
Reporting obligations for manufacturers begin
Sept 11, 2026
Dec 10, 2024
The EU CRA comes into force
Dec 10, 2024
Nov 20, 2024
The CRA is officially published in the Official Journal of the European Union
Nov 20, 2024
Oct 2024
The Council of the European Union formally adopts the CRA 
Oct 2024
Sep 2012
The EU CRA is first proposed by the European Commission 
Sep 2012
Related Articles

From Our Blog

Countdown to Compliance: Why Connected Device Manufacturers Must Prepare for the EU CRA Now
Why Connected Device Manufacturers Must Prepare for the EU CRA Now

Countdown to Compliance: Why Connected Device Manufacturers Must Prepare for the EU CRA Now

Dec 12, 2024 5:00:00 PM
CRA Compliance Made Simple: Addressing Common Software Supply Chain Security Obstacles
EU CRA common software supply chain security compliance obstacles

CRA Compliance Made Simple: Addressing Common Software Supply Chain Security Obstacles

Dec 6, 2024 3:52:36 PM
5 Challenges Manufacturers Face with EU CRA Product Lifecycle Support Requirements
EU CRA product lifecycle support requirements

5 Challenges Manufacturers Face with EU CRA Product Lifecycle Support Requirements

Dec 2, 2024 12:00:00 AM
Overcoming Challenges in Vulnerability & Incident Management for EU CRA Compliance
challenges in vulnerability & incident management

Overcoming Challenges in Vulnerability & Incident Management for EU CRA Compliance

Nov 14, 2024 3:49:10 PM
The EU CRA was Adopted! What Manufacturers Need to Know About What’s Coming
EU CRA Adopted! What Manufacturers Need to Know About What’s Coming

The EU CRA was Adopted! What Manufacturers Need to Know About What’s Coming

Oct 16, 2024 2:39:19 PM
Navigating the EU Cyber Resilience Act: Essential Insights for Product Security Teams
Navigating the EU CRA: Essential Insights for Product Security Teams

Navigating the EU Cyber Resilience Act: Essential Insights for Product Security Teams

Jul 19, 2024 9:00:00 AM
Does the EU CRA Go Too Far?
It's Almost Here! But Does the EU CRA Go Too Far?

Does the EU CRA Go Too Far?

Dec 4, 2023 1:22:32 PM