Komplyo
Cyber Resilience Act (EU) 2024/2847

The CRA mandates security by design. Prepare your products for the new requirements.

Every product with digital elements sold in the EU will have to meet the CRA's requirements: reporting obligations from September 2026, full requirements and CE marking by December 2027. Komplyo turns the regulation's annexes into concrete questions, an action plan and usable documentation.

Is your product in scope of the CRA?

The CRA targets products, not organisations. It applies as soon as a product with digital elements is placed on the European market:

Manufacturers

Hardware and software alike: connected devices, applications, firmware, components. The manufacturer carries most of the obligations, from design through end of support.

Important and critical products

Class I and II products (password managers, firewalls, hypervisors, VPNs…) follow stricter conformity-assessment procedures. Third-party certification possible.

Importers and distributors

They must verify that products placed on the market bear the CE marking and that the manufacturer has met its obligations. Compliance propagates along the distribution chain.

The CRA requirements, translated into actions

The regulation organises its requirements in two parts (Annex I) completed by notification and documentation duties:

Security by design (Annex I, Part I)

Reduced attack surface, secure default configuration, data protection, logging. Security properties must be designed into the product, not bolted on afterwards.

Vulnerability handling (Annex I, Part II)

A software bill of materials (SBOM), a coordinated disclosure policy, and free, timely security fixes throughout the support period.

Notification to ENISA (Art. 14)

Actively exploited vulnerabilities and severe incidents. Early warning within 24 hours, notification within 72 hours. These duties apply from September 2026, ahead of the rest of the regulation.

Technical documentation and CE marking

Conformity assessment, maintained technical documentation, EU declaration of conformity and CE marking for market placement from December 2027.

Support period

A defined support period (in principle at least 5 years) during which security updates remain available. To be clearly announced to buyers.

A product assessment anchored in your security posture

The CRA's requirements overlap heavily with organisational security practice. Vulnerability management, logging, access control, incident response. Komplyo projects your NIST CSF 2.0 assessment onto the regulation's requirements and isolates what is specifically product-level.

  • Free CRA diagnostic. 23 questions to gauge your product readiness in minutes.
  • Dedicated CRA module in the dashboard. Annex I requirements tracked one by one, gaps prioritised.
  • Generated risk register and procedures. The foundation of your CE technical documentation.
Komplyo risk register applied to CRA product requirements

What Komplyo produces for your CRA file

Deliverables aligned with the regulation's requirements, generated from your answers:

  • Vulnerability handling and coordinated disclosure policy
  • Notification procedure (ENISA / CSIRT) with the 24 h / 72 h deadlines
  • Product-oriented risk register
  • Secure development policy
  • Prioritised roadmap towards the December 2027 deadline

CRA. Frequently asked questions

Is my SaaS in scope of the CRA?

Pure SaaS falls rather under NIS2; the CRA targets products with digital elements. But if your offering includes an installed client, a device, firmware, or remote data-processing solutions tied to the product, the CRA applies to those elements.

What are the CRA deadlines?

The regulation entered into force in December 2024. Reporting duties for actively exploited vulnerabilities and severe incidents apply from 11 September 2026; the full set of requirements, including CE marking, from 11 December 2027.

CRA or NIS2. Which one applies to us?

The CRA targets your products, NIS2 your organisation. A company can be subject to both (a software vendor in a critical sector, for instance). Komplyo tracks both in the same workspace without assessing shared measures twice.

What penalties does the CRA provide?

Up to €15M or 2.5% of worldwide annual turnover for breaches of the essential requirements, and non-compliant products can be withdrawn from the market.

Is open source exempt?

Free software developed outside a commercial activity is largely excluded, with a lighter regime for open-source stewards. As soon as the product is monetised, the manufacturer obligations apply.

Do we need an SBOM?

Yes. Annex I requires an inventory of the product's components covering at least its top-level dependencies. It's also the foundation of credible vulnerability handling. Worth tooling early.

Gauge your CRA readiness in 23 questions

Free, no account. An immediate baseline, before the 2026 and 2027 deadlines decide for you.