July 14, 2026
The EU Cyber Resilience Act (CRA, formally Regulation (EU) 2024/2847) introduces binding cybersecurity requirements for products with digital elements sold in the EU, with fines reaching EUR 15 million or 2.5% of global turnover for non-compliance. Manufacturers must prepare for vulnerability reporting obligations beginning on September 11, 2026, and broader conformity assessment and CE-marking requirements by December 11, 2027.
Hack the CRA does not mean bypassing the rules—it means understanding them well enough to avoid unnecessary cost and effort. The good news is that roughly 90% of products can follow the self-assessment route (Module A), avoiding costly third-party certification. However, self-certification still requires meeting applicable Annex I cybersecurity requirements, building Annex VII technical documentation, and signing a legally binding Declaration of Conformity. The challenge is focusing on what matters most: risk assessment, security testing, vulnerability remediation, and technical documentation.
The practical implementation guide below is contributed by Julian Meroi, founder of Meroi Security, and outlines the CRA compliance process in two phases and eight steps that manufacturers can follow to achieve compliance efficiently and cost-effectively.
Step 1: Is your product in scope? What’s your role?
The CRA covers any software or hardware with a direct or indirect connection to a device or network: standalone software, firmware, IoT devices, mobile apps, cloud-connected hardware. There are some exclusions, such as medical devices (Regulation 2017/745), automotive (UN R155), certified aviation products (Regulation 2018/1139), and non-monetized open-source software.
If in scope, determine your role under Articles 19-22. Manufacturers carry the heaviest obligations, but importers and distributors have their own. If you place a product under your own name or trademark, you are the manufacturer regardless of who built it. If you carry out a substantial modification (Article 3(30)), you become the manufacturer for the modified product. Non-EU manufacturers need an EU-based economic operator under Regulation (EU) 2019/1020.
Step 2: Classify your product
Check your product against Implementing Regulation (EU) 2025/2392 and Annexes III and IV. Default category products can self-assess. Important Class I can self-assess only if a harmonized standard is fully applied. Important Class II and Critical products require a notified body. Classification determines your conformity route and the standards you select in Phase 2.
Step 3: Risk assessment
Article 13(2-4) requires a cybersecurity risk assessment before implementing any security measures. It defines which Annex I Part I requirements apply to your product, how you implement them, and where you justify exclusions. It must cover intended purpose, reasonably foreseeable use and misuse, threat scenarios, operational environment, and third-party component risks. This is a lifecycle obligation: updated throughout the support period when new vulnerabilities emerge or the threat landscape changes.
If your product holds an IEC 62443 or ISO 27001 certification, you have a strong baseline that reduces the gap assessment work in Steps 6 and 7.
Step 4: Reporting readiness
From September 11, 2026, manufacturers must report actively exploited vulnerabilities via ENISA’s Single Reporting Platform: early warning within 24 hours, detailed notification within 72 hours, final report within 14 days after a corrective measure is available. You need a functioning PSIRT with named escalation owners, ENISA platform registration, and CSIRT contacts established before that date.
Meeting the 24-hour window requires rapidly identifying which components are affected and assessing severity. Lucent Sky AVM detects vulnerabilities across source code, binaries, and third-party dependencies, and its automatic remediation (Instant Fixes) lets you work toward the corrective measure required for the final report.
Step 5: Select standards and conformity route
Choose which standards you will apply. Harmonized standards are not yet published under the CRA, but the technical content is substantially stable: apply prEN 40000 working drafts as a baseline (it’s a horizontal standard, meaning it’s applicable to all products categories) and category-appropriate established vertical standards (for example EN 18031 for radio equipment, IEC 62443 for OT/industrial, ETSI EN 303 645 for consumer IoT, etc.). Document the mapping in Annex VII section 5. Your classification from Step 2 determines the conformity module: Module A (self-assessment), Module B+C, Module H, or EUCC.
Step 6: Gap assessment, Annex I Part I
Run the gap against the standard(s) selected in Step 5, scoped by the risk assessment from Step 3. The 13 essential security requirements (secure by default, no known exploitable vulnerabilities, encryption, minimized attack surfaces, secure updates, logging, data deletion, and others) apply based on your risk assessment. Where a requirement does not apply, include a clear justification in the technical documentation.
The CRA requires products to be developed with an appropriate level of cybersecurity and to ship without known exploitable vulnerabilities (Annex I, Part I), and compliance cannot be demonstrated through SBOM generation and software composition analysis (SCA) alone. Manufacturers must identify and remediate vulnerabilities in both their own software and third-party components. In practice, this requires application security testing and code review, whether performed manually or through automated tools. Lucent Sky AVM performs source code, binary, and software composition analysis in a single scan, helping organizations identify vulnerabilities, track remediation activities, and produce verification results that form part of the technical evidence supporting Annex I compliance.
Step 7: Gap assessment, Annex I Part II
The 8 vulnerability handling obligations apply unconditionally to all manufacturers regardless of product class. No risk-assessment exclusion exists. SBOM in machine-readable format, timely remediation with free security updates, regular security testing, coordinated vulnerability disclosure policy (templates available from disclose.io and ENISA), public disclosure of fixed vulnerabilities, secure update distribution, and a contact address for vulnerability reports.
Lucent Sky AVM automates SBOM creation, vulnerability discovery, security testing, automated vulnerability remediation, and reporting. This helps manufacturers efficiently generate and maintain much of the technical documentation needed for CRA compliance (Annex VII, points 3, 4, and 6), including risk assessment records, test reports, patch history, and standards mapping.
Step 8: Formal compliance and CE marking
Assemble the Annex VII technical file from the evidence produced in Steps 3-7. Sign the EU Declaration of Conformity (Annex V template). Affix the CE marking. For software products, the CE marking goes on the Declaration itself or the product’s website. Retain all documentation for 10 years or the support period (minimum five years), whichever is longer. The CE marking cannot be affixed until the conformity assessment is completed with a positive result.
Manufacturers who begin now can spread the effort and cost over a reasonable timeline. Those who wait will face compressed schedules, higher costs, and the risk of falling behind competitors who are already compliant.
The EU Cyber Resilience Act sets legally binding cybersecurity requirements for products with digital elements sold in the EU. Roughly 90% of products can self-certify (Module A), but that still means meeting Annex I requirements, building Annex VII documentation, and signing a Declaration of Conformity. Non-compliance results in fines up to EUR 15 million or 2.5% of global turnover, whichever is the higher.
Julian Meroi is the founder of Meroi Security, an EU cybersecurity regulatory compliance consulting company based in the Netherlands and Taiwan, specializing in CRA compliance, trainings, and EU Authorized Representative services.