Cyber Resilience Act
What is the EU Cyber Resilience Act?
The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a European regulation that entered into force on 10 December 2024 and will be fully applicable from 11 December 2027; the vulnerability and incident reporting obligations in Article 14 apply earlier, from 11 September 2026. The regulation establishes mandatory cybersecurity requirements for hardware and software products with digital elements that are made available on the EU market.
The CRA addresses a critical challenge: many digital products are developed and brought to market with inadequate security. Security updates are often provided too late or not at all, and users have limited ability to assess a product's cybersecurity. The European Commission put the global annual cost of cybercrime at roughly €5.5 trillion in 2021 when it proposed the regulation.
With the CRA, the EU creates a legal framework that obligates manufacturers to ensure cybersecurity throughout the entire product lifecycle—from conception through development to maintenance and support.
Who is affected?
The CRA applies to so-called “Products with Digital Elements” (PDEs)—products that have or could have a direct or indirect data connection to a device or network. This includes:
- Hardware products (IoT devices, smart home devices, etc.)
- Software products (apps, programs, operating systems)
- Remote data processing solutions, but only where the remote processing is designed by the manufacturer and the product cannot perform one of its functions without it (a companion cloud backend for an IoT device, for example); stand-alone SaaS that is not tied to such a product is not a PDE
Excluded are products already covered by sector-specific EU rules with equivalent cybersecurity requirements, such as medical devices, motor vehicles, civil aviation and marine equipment, as well as free and open-source software that is not made available in the course of a commercial activity.
Core Concepts of the CRA
Secure by Default
Products must be delivered with a secure default configuration. This means: security features are activated from the start rather than left for the user to enable, and the user must be able to reset the product to this secure original state.
Vulnerability Handling
Manufacturers must identify, document, and remediate vulnerabilities throughout the entire product lifecycle. This includes the obligation to report actively exploited vulnerabilities (and severe incidents affecting the product's security) to ENISA (the EU Agency for Cybersecurity) and the national CSIRT designated as coordinator via the single reporting platform: an early warning within 24 hours of becoming aware of the vulnerability, a fuller vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available.
Software Bill of Materials (SBOM)
For each product, a machine-readable SBOM must be created in a commonly used format (in practice CycloneDX or SPDX) that documents at least the top-level dependencies, i.e. the components the product itself depends on directly. The SBOM forms part of the technical documentation; the CRA does not require it to be published, although market surveillance authorities may ask for it. This enables better traceability of the software supply chain: a component named in a new vulnerability advisory can be matched against the SBOM instead of against guesswork.
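To make the minimum concrete, here is an added example (not DevGuard code, and not from the regulation) that checks a CycloneDX JSON SBOM for the properties the CRA minimum implies: the document is machine-readable, names the product itself, declares the product's direct (top-level) dependencies in the dependency graph, and lists each of those dependencies as a component with a version and a purl so it can be matched against vulnerability data. The product "acme-gateway" and its Go module dependencies are a constructed sample; a second variant drops the `dependencies` section to show why a flat component list is not enough to identify top-level dependencies.

```python
"""Structural check of a CycloneDX SBOM against the CRA minimum
(machine-readable, covers at least the product's top-level dependencies).

Added example for this page; not DevGuard code. The SBOM below is a
constructed sample for a fictional product, not a real product's SBOM.
"""
import json

_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {  # the product being shipped
            "type": "application",
            "bom-ref": "pkg:generic/acme/acme-gateway@2.3.0",
            "name": "acme-gateway",
            "version": "2.3.0",
            "purl": "pkg:generic/acme/acme-gateway@2.3.0",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:golang/github.com/go-chi/chi/v5@5.0.12",
         "name": "chi", "version": "5.0.12",
         "purl": "pkg:golang/github.com/go-chi/chi/v5@5.0.12"},
        {"type": "library", "bom-ref": "pkg:golang/golang.org/x/crypto@0.21.0",
         "name": "crypto", "version": "0.21.0",
         "purl": "pkg:golang/golang.org/x/crypto@0.21.0"},
        {"type": "library", "bom-ref": "pkg:golang/golang.org/x/sys@0.18.0",
         "name": "sys", "version": "0.18.0",
         "purl": "pkg:golang/golang.org/x/sys@0.18.0"},
    ],
    # The graph is what distinguishes top-level from transitive dependencies:
    # the product depends on chi and crypto; crypto pulls in sys.
    "dependencies": [
        {"ref": "pkg:generic/acme/acme-gateway@2.3.0",
         "dependsOn": ["pkg:golang/github.com/go-chi/chi/v5@5.0.12",
                       "pkg:golang/golang.org/x/crypto@0.21.0"]},
        {"ref": "pkg:golang/golang.org/x/crypto@0.21.0",
         "dependsOn": ["pkg:golang/golang.org/x/sys@0.18.0"]},
    ],
}
SAMPLE_SBOM = json.dumps(_SAMPLE)
# Same components, but no dependency graph: a flat list cannot tell a reader
# which components are the product's top-level dependencies.
FLAT_SBOM = json.dumps({k: v for k, v in _SAMPLE.items() if k != "dependencies"})


def check_sbom(raw: str) -> list[str]:
    """Return a list of findings; an empty list means the SBOM passes."""
    findings = []
    try:
        bom = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not machine-readable JSON: {exc}"]

    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        findings.append("bomFormat/specVersion missing: not a recognisable CycloneDX document")

    product = bom.get("metadata", {}).get("component")
    if not product or not product.get("bom-ref"):
        findings.append("metadata.component (the product itself) is missing or has no bom-ref")
        return findings  # nothing to anchor the dependency graph on

    components = {c.get("bom-ref"): c for c in bom.get("components", [])}
    graph = {d.get("ref"): d.get("dependsOn", []) for d in bom.get("dependencies", [])}

    # Top-level dependencies are the product's direct edges in the graph.
    top_level = graph.get(product["bom-ref"])
    if top_level is None:
        findings.append("no dependencies entry for the product: top-level dependencies are not declared")
        top_level = []
    elif not top_level:
        findings.append("product declares an empty dependsOn list; confirm it really has no dependencies")

    for ref in top_level:
        comp = components.get(ref)
        if comp is None:
            findings.append(f"top-level dependency {ref} is referenced but not listed in components")
            continue
        if not comp.get("purl"):
            findings.append(f"component {ref} has no purl; it cannot be matched to vulnerability data")
        if not comp.get("version"):
            findings.append(f"component {ref} has no version")
    return findings


def top_level_dependencies(raw: str) -> list[str]:
    """Names of the product's direct dependencies (what the CRA minimum covers)."""
    bom = json.loads(raw)
    product_ref = bom["metadata"]["component"]["bom-ref"]
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    for dep in bom.get("dependencies", []):
        if dep.get("ref") == product_ref:
            return sorted(comps[r]["name"] for r in dep.get("dependsOn", []) if r in comps)
    return []


if __name__ == "__main__":
    print("top-level:", top_level_dependencies(SAMPLE_SBOM))
    print("findings (full):", check_sbom(SAMPLE_SBOM) or "none")
    print("findings (flat):", check_sbom(FLAT_SBOM))
```

Running the check on the flat variant reports that the product's top-level dependencies are not declared, even though every component is present: without the `dependencies` graph, `sys` is indistinguishable from a direct dependency. The purl check matters for the same reason the SBOM exists at all, since vulnerability databases and scanners key on package URLs, not on display names.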
DevGuard and the CRA
DevGuard was developed to support development teams in implementing CRA requirements. The platform covers many of the technical and organizational requirements mandated by the CRA—from vulnerability management to SBOM generation to documentation of security updates.
The following tables indicate for each CRA requirement the extent to which DevGuard helps with implementation:
| Symbol | Meaning |
|---|---|
| ✅ | DevGuard covers this requirement for the monitored applications |
| 🔵 | DevGuard partially covers this requirement |
| 🍋 | DevGuard supports the implementation of this requirement |
| ❌ | DevGuard does not cover this requirement |
Requirements from Annex I - Essential Cybersecurity Requirements
Security requirements in relation to the properties of products with digital elements
| ID | Requirement | DevGuard |
|---|---|---|
| 1 | Products with digital elements shall be designed, developed and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks. | |
| 2 | Products with digital elements shall be delivered without any known exploitable vulnerabilities. | |
| 2 a | Products with digital elements shall be delivered with a secure by default configuration, including the possibility to reset the product to its original state. | |
| 2 b | Products with digital elements shall ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems. | |
| 2 c | Products with digital elements shall protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms. | |
| 2 d | Products with digital elements shall protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions. | |
| 2 e | Products with digital elements shall process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended use of the product (‘minimisation of data’). | |
| 2 f | Products with digital elements shall protect the availability of essential functions, including the resilience against and mitigation of denial of service attacks. | |
| 2 g | Products with digital elements shall minimise their own negative impact on the availability of services provided by other devices or networks. | |
| 2 h | Products with digital elements shall be designed, developed and produced to limit attack surfaces, including external interfaces. | |
| 2 i | Products with digital elements shall be designed, developed and produced to reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques. | |
| 2 j | Products with digital elements shall provide security-related information by recording and/or monitoring relevant internal activity, including the access to or modification of data, services or functions. | |
| 2 k | Products with digital elements shall ensure that vulnerabilities can be addressed through security updates, including, where applicable, through automatic updates and the notification of available updates to users. | |
Vulnerability handling requirements
Manufacturers of products with digital elements shall:
| ID | Requirement | DevGuard |
|---|---|---|
| 1 | Identify and document vulnerabilities and components contained in the product, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the product. | |
| 2 | In relation to the risks posed to the products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates. | |
| 3 | Apply effective and regular tests and reviews of the security of the product with digital elements. | |
| 4 | Once a security update has been made available, publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and information helping users to remediate the vulnerabilities. | |
| 5 | Put in place and enforce a policy on coordinated vulnerability disclosure. | |
| 6 | Take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third-party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements. | |
| 7 | Provide for mechanisms to securely distribute updates for products with digital elements to ensure that exploitable vulnerabilities are fixed or mitigated in a timely manner. | |
| 8 | Ensure that, where security patches or updates are available to address identified security issues, they are disseminated without delay and free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | |