The EU Cyber Resilience Act: Guide

8 min de lecture • April 2026

Regulation (EU) 2024/2847, often referred to as the Cyber Resilience Act (CRA), came into force on 10 December 2024. This text represents the most ambitious legislation on product cybersecurity, whether hardware or software, within the European Union. The first implementation deadline is set for September 2026, leaving little time to prepare.

For over 30 years, ISIT has been supporting engineering teams in sectors such as aerospace, automotive, healthcare and industry, helping them to design and certify embedded systems that are both safe and secure. The CRA has a direct impact on the products our clients develop every day.

This article summarises the requirements of the regulation to provide you with a clear and practical overview.

The Cyber Resilience Act establishes mandatory, EU-wide cybersecurity requirements for all products with digital elements. It addresses a gap in previous legislation (NIS2, EU Cybersecurity Act).

CRA compliance will be part of CE marking. National market surveillance authorities will enforce the rules, with support from ENISA.

Products must ship with no known exploitable vulnerabilities, a secure default configuration, data protection and proper access controls. The Commission’s guidance emphasises that cost considerations are irrelevant.

Article 14 introduces mandatory reporting of actively exploited vulnerabilities and severe security incidents. This applies from 11 September 2026 and covers ALL products already on the EU market.

For severe incidents, the final report deadline extends to one month. The Commission’s guidance clarifies that manufacturers are deemed “aware” once they have a reasonable degree of certainty.

The Commission’s guidance introduces the concept of “core functionality”. A product integrating a component from a higher category does not automatically inherit that category.

●  Third-party components — Modern applications contain 70–90% third-party code (open-source libraries, SDKs, middleware)

●  Legacy code debt — Outdated codebases with unpatched vulnerabilities accumulated over years

●  AI-generated code — Vulnerable patterns from training data, code without clear provenance

●  Weak encryption — Outdated algorithms or poor implementation of cryptographic protocols

●  Unlicensed OSS snippets — Open-source code used without proper tracking or license compliance

●  Insecure programming languages — Memory safety issues in C/C++ without proper verification

The CRA does not allow manufacturers to transfer cybersecurity risk to users or third parties.

The Cyber Resilience Act requires manufacturers to maintain a Software Bill of Materials (SBOM). While formally enforceable in December 2027, the September 2026 reporting deadline means you cannot report what you don’t know. Without an accurate component inventory, detecting vulnerabilities is difficult.

Free software that is not monetised and is not marketed commercially is not subject to the CRA. The CRA introduces the concept of ‘open-source software stewards’, who are subject to a simplified regime (Article 24). For manufacturers who incorporate open-source components into commercial products, the full obligations apply.

Our consultants also support pre-audits, risk assessments, and the development of compliant processes aligned with IEC 62443, ISO 21434, and the CRA.

Sources & Références