
What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is EU Regulation 2024/2847 establishing mandatory cybersecurity requirements for all products with digital elements placed on the European market. It applies to hardware, software and IoT devices, requiring manufacturers to implement security by design, vulnerability management and incident reporting throughout the entire product lifecycle. Entered into force on 10 December 2024, with vulnerability reporting obligations from 11 September 2026 and full application from 11 December 2027, the CRA represents the most comprehensive product cybersecurity regulation ever adopted.

Cyber Resilience Act definition

The Cyber Resilience Act (CRA) is an EU regulation that introduces mandatory cybersecurity requirements for all products with digital elements (PDEs) sold or made available on the European market. A product with digital elements is any software or hardware product whose intended use includes a direct or indirect data connection to a device or network. This covers everything from consumer IoT devices and smart home products to enterprise routers, firewalls, network management systems and embedded industrial controllers.

The CRA was proposed by the European Commission on 15 September 2022, formally adopted by the Council on 10 October 2024 and entered into force as Regulation (EU) 2024/2847 on 10 December 2024. It forms part of the EU Cybersecurity Strategy alongside NIS2, the Cybersecurity Act and the EU cybersecurity certification framework. While NIS2 regulates the organizations that operate critical infrastructure, the CRA regulates the products those organizations buy and deploy.

The regulation addresses two systemic problems. First, the majority of connected products on the market lack adequate cybersecurity, and manufacturers have had no legal obligation to provide security updates or manage vulnerabilities after sale. Second, consumers and businesses have no reliable way to evaluate the cybersecurity of the products they purchase. The CRA solves both by mandating security by design, lifecycle vulnerability management, standardized security information for users and CE marking as proof of cybersecurity conformity.

Essential cybersecurity requirements

The CRA establishes two sets of essential requirements in Annex I: product security requirements (Part I) and vulnerability handling requirements (Part II). These apply to every manufacturer regardless of product category.

1
Security by design and default
Products must be designed, developed and produced with a level of cybersecurity appropriate to the risks they present. They must ship with a secure default configuration, with no known exploitable vulnerabilities and with security features enabled out of the box, and the confidentiality and integrity of data stored, transmitted or processed by the product must be protected, including through state of the art encryption of relevant data at rest and in transit.
2
Vulnerability handling (Annex I, Part II)
Manufacturers must identify and document vulnerabilities in their products, including in third party components. Security updates must be provided free of charge for the product's support period, which must reflect the time the product is expected to be in use and must be at least five years unless the product is expected to be in use for a shorter period. Security updates must be separated from feature updates where technically feasible, and automatic security updates, with a clear and easy opt out, must be enabled by default where appropriate for the product.
3
Software bill of materials (SBOM)
Manufacturers must draw up and maintain a machine readable SBOM in a commonly used format (CycloneDX or SPDX, for example) covering at least the top level dependencies of the product, including open source libraries and third party components. The SBOM must be kept up to date and made available to market surveillance authorities on request. This is what makes systematic vulnerability tracking across the software supply chain possible.
4
Vulnerability and incident reporting
From 11 September 2026, manufacturers must notify actively exploited vulnerabilities through the single reporting platform operated by ENISA, which delivers the notification to ENISA and to the CSIRT designated as coordinator in the manufacturer's member state: an early warning within 24 hours of becoming aware of the vulnerability, a vulnerability notification within 72 hours and a final report within 14 days of a corrective or mitigating measure becoming available. Severe incidents having an impact on the security of the product follow the same 24 hour and 72 hour steps, with a final report due within one month of the incident notification.
5
User information and transparency
Products must be accompanied by clear documentation covering cybersecurity properties, secure configuration instructions, the designated support period for security updates and contact information for vulnerability reporting. Users must be informed about end of support dates and the security implications of continuing to use unsupported products.
6
CE marking and declaration of conformity
Once a product passes the applicable conformity assessment, the manufacturer must draw up an EU declaration of conformity and affix the CE marking. The CE marking signals to buyers and regulators that the product meets the essential cybersecurity requirements of the CRA. Products without CE marking cannot legally be sold in the EU after 11 December 2027.

Product categories and conformity assessment

The CRA classifies products into three tiers based on their cybersecurity risk. Classification is determined by the core functionality of the product, not its marketing description. The tier determines which conformity assessment procedure the manufacturer must follow before affixing the CE marking.

| Category | Examples | Conformity assessment | Approx. share of products |
| --- | --- | --- | --- |
| Default | Smart speakers, mobile apps, computer games, memory chips, connected toys | Self assessment (Module A) | ~90% |
| Important Class I (Annex III) | Routers, modems, switches, VPN software, SIEM systems, password managers, operating systems, network management systems, smart home products with security functions | Self assessment (Module A) if harmonised standards, common specifications or an EU cybersecurity certification scheme are applied in full; otherwise third party assessment (Module B+C or H) | ~10% (Important and Critical combined) |
| Important Class II (Annex III) | Firewalls, intrusion detection/prevention systems, hypervisors, tamper resistant microprocessors, container runtime systems | Mandatory third party assessment (Module B+C or H) | |
| Critical (Annex IV) | Hardware security modules, smart meter gateways, smartcards, secure elements | Third party assessment as for Class II; the Commission may additionally require an EU cybersecurity certificate (assurance level at least "substantial") by delegated act | |

Why this matters for network equipment: routers, switches and modems are classified as Important Class I under Annex III. Firewalls and intrusion detection systems fall under Important Class II. This means network infrastructure manufacturers must either apply harmonised standards or undergo third party conformity assessment. Teldat products are designed to meet these requirements through security by design engineering and CPSTIC/ENS certification.

Implementation timeline

The CRA uses a phased implementation approach. While full application is in December 2027, several obligations apply earlier. Manufacturers that wait until 2027 will already be non compliant for over a year on reporting obligations.

1
10 December 2024: entry into force
The CRA was published as Regulation (EU) 2024/2847 and entered into force. The 36 month implementation period began. Manufacturers should start cybersecurity risk assessments, SBOM creation and vulnerability management process design immediately.
2
11 June 2026: conformity assessment bodies
The framework for notification of conformity assessment bodies applies. Member states must designate notifying authorities. Conformity assessment bodies can begin operating and assessing products under the CRA.
3
11 September 2026: reporting obligations
Manufacturers must report actively exploited vulnerabilities and severe incidents through the ENISA Single Reporting Platform. This applies to all products already on the market, not just new ones. Early warning within 24 hours, full notification within 72 hours, final report within 14 days (vulnerabilities) or one month (incidents).
4
Q3 2026 (expected): first standardisation deliverables
Horizontal harmonised standards developed by CEN, CENELEC and ETSI under the Commission's standardisation request are expected to be delivered, with vertical standards for specific product categories (routers, firewalls, VPN products, network management systems, SIEM, browsers) following. Once a harmonised standard is cited in the Official Journal, manufacturers applying it in full benefit from a presumption of conformity for the requirements it covers.
5
11 December 2027: full application
All CRA requirements apply. Products with digital elements that do not comply cannot be placed on the EU market. Manufacturers must have completed conformity assessment, drawn up the EU declaration of conformity and affixed the CE marking.
6
Ongoing: lifecycle obligations
Manufacturers must keep providing security updates and handling vulnerabilities for the designated support period after the product is placed on the market. The support period must reflect the expected time in use and must be at least five years, unless the product is expected to be in use for a shorter period. Each security update must remain available for at least ten years after release or for the remainder of the support period, whichever is longer, and the technical documentation and EU declaration of conformity must be retained for at least ten years after market placement or for the support period, whichever is longer.

Compliance challenges

The CRA introduces obligations that most manufacturers have not previously faced for connected products. Understanding the practical challenges helps organizations prioritize their readiness efforts.

1
SBOM creation at scale
Building and maintaining accurate SBOMs for products with hundreds of software components, including transitive open source dependencies, requires tooling and processes most manufacturers do not yet have. The SBOM must be machine readable, kept current and made available to authorities on request.
2
Vulnerability management for legacy products
The September 2026 reporting obligation applies to all products already on the market, not just new ones. Manufacturers must track actively exploited vulnerabilities across their entire installed base, including products shipped years ago. Without automated vulnerability tracking, compliance at scale is not achievable.
3
Supply chain security
Manufacturers are responsible for the cybersecurity of the third party components they integrate, including free and open source components, and must exercise due diligence when sourcing them. Importers and distributors of finished products carry their own CRA obligations, but those do not relieve the manufacturer of responsibility for the components inside its product. In practice this means due diligence on every entry in the bill of materials, including open source libraries whose maintenance status may be uncertain.
4
Harmonised standards still in development
The 41 harmonised standards requested by the European Commission (15 horizontal, 26 vertical) are still being developed by CEN, CENELEC and ETSI. Until these are finalised, manufacturers lack a clear presumption of conformity pathway and may need third party assessment even for Important Class I products.
5
Conformity assessment capacity
The number of notified bodies qualified to assess CRA compliance is still limited. As thousands of manufacturers seek assessment simultaneously ahead of the December 2027 deadline, capacity constraints may create bottlenecks. Early engagement with conformity assessment bodies is recommended.
6
Coordination with NIS2 and other regulations
Organizations subject to both NIS2 (as operators) and the CRA (as manufacturers) must align their compliance programs. Incident reporting timelines, risk management procedures and supply chain security requirements overlap but are not identical. DORA adds additional complexity for financial services.

Compliance framework

A structured approach to CRA compliance covers product classification, risk assessment, documentation and conformity assessment. The steps below follow the CRA annexes and current European Commission guidance.

1
Classify your products
Determine whether each product with digital elements falls under Default, Important (Class I or II) or Critical category by checking its core functionality against Annex III and Annex IV. Use the technical descriptions in Commission Implementing Regulation (EU) 2025/2392. Classification determines the conformity assessment pathway.
2
Conduct cybersecurity risk assessment
Perform a documented risk assessment for each product covering the entire lifecycle. Identify threat scenarios, evaluate attack surfaces and determine the level of cybersecurity appropriate to the risk. This assessment drives the security architecture decisions and must be included in the technical documentation.
3
Build and maintain SBOMs
Create machine readable SBOMs for all products, listing every software component with its version and supplier (at minimum the top level dependencies the CRA requires, ideally the full transitive tree). Implement automated tools that regenerate the SBOM whenever components change and continuously cross reference it against vulnerability databases (NVD, CISA KEV, OSV) so that newly disclosed or actively exploited vulnerabilities in shipped components are detected quickly.
4
Implement vulnerability management
Establish processes for identifying, triaging and remediating vulnerabilities across all products in the field. Prepare reporting workflows aligned with the ENISA Single Reporting Platform: 24 hour early warning, 72 hour full notification, 14 day or one month final report. Test these workflows before September 2026.
5
Design with security by default
Ensure products ship with secure configurations, no known exploitable vulnerabilities, encrypted data protection and automatic security updates enabled. Separate security updates from feature updates where feasible. Teldat network devices implement these principles through centralized policy management via CNM and embedded security functions.
6
Complete conformity assessment and CE marking
Follow the appropriate assessment procedure for your product category. Prepare the technical documentation required by Annex VII. Draw up the EU declaration of conformity per Annex V. Affix the CE marking. Retain documentation for ten years or the product support period, whichever is longer.
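The following Python sketch ties steps 3 and 4 above (and the SBOM and reporting requirements in Annex I) together in working code. It is an added example, not Teldat code and not anything the regulation itself prescribes: it parses a constructed CycloneDX SBOM, matches its components against a constructed feed of actively exploited vulnerabilities, and derives the Article 14 deadlines for each hit. The SBOM contents, the feed and its EXAMPLE-0001/EXAMPLE-0002 identifiers, the OSV style introduced/fixed version ranges, numeric only version strings and the reading of "one month" as a calendar month are all assumptions of the example.

```python
"""CRA vulnerability handling sketch: SBOM -> exploited-vulnerability match ->
Article 14 reporting clocks. Added example; all inputs below are constructed."""
import calendar
import json
from datetime import datetime, timedelta, timezone

# Constructed sample SBOM (CycloneDX 1.5 JSON); names/versions are illustrative.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:generic/openssl@3.0.7"},
        {"type": "library", "name": "busybox", "version": "1.36.1",
         "purl": "pkg:generic/busybox@1.36.1"},
        {"type": "library", "name": "libexample", "version": "2.4.0",
         "purl": "pkg:generic/libexample@2.4.0"},
    ],
})

# Constructed exploited-vulnerability feed in a KEV/OSV-like shape.
# The identifiers are placeholders, not real CVEs.
SAMPLE_FEED = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/libexample",
     "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-0002", "purl": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.1"},
]


def utc(*args):
    """Aware UTC datetime shorthand, e.g. utc(2026, 9, 14, 9)."""
    return datetime(*args, tzinfo=timezone.utc)


def version_key(version):
    """Sort key for dotted numeric versions (assumption: no suffixes like -rc1)."""
    return tuple(int(part) for part in version.split("."))


def purl_base(purl):
    """Package URL without its @version or ?qualifiers."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def parse_sbom(sbom_json):
    """Return (purl_base, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return [(purl_base(c["purl"]), c["version"])
            for c in bom.get("components", []) if "purl" in c and "version" in c]


def is_affected(version, introduced, fixed=None):
    """introduced <= version < fixed; a missing 'fixed' means still unpatched."""
    v = version_key(version)
    return version_key(introduced) <= v and (fixed is None or v < version_key(fixed))


def match_exploited(components, feed):
    """Components whose version lies inside an exploited vulnerability's range."""
    return [{"component": f"{base}@{version}", "id": e["id"], "fixed": e.get("fixed")}
            for base, version in components
            for e in feed
            if e["purl"] == base and is_affected(version, e["introduced"], e.get("fixed"))]


def add_one_month(t):
    """Same day next month, clamped to that month's last day (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month,
                     day=min(t.day, calendar.monthrange(year, month)[1]))


def reporting_schedule(kind, aware_at, corrective_available=None, notified_at=None):
    """Article 14 clocks: 24 h early warning and 72 h notification from awareness;
    final report 14 days after a corrective/mitigating measure exists (vulnerability)
    or one month after the incident notification (incident). The final-report
    deadline stays None until its clock has actually started."""
    if kind not in ("vulnerability", "incident"):
        raise ValueError(f"unknown report kind: {kind}")
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    if kind == "incident":
        # The month runs from the actual notification; fall back to its deadline.
        final_report = add_one_month(notified_at or notification)
    elif corrective_available is not None:
        final_report = corrective_available + timedelta(days=14)
    else:
        final_report = None
    return {"early_warning": early_warning, "notification": notification,
            "final_report": final_report}


def overdue_stages(schedule, submitted, now):
    """Stages whose deadline has passed with no submission recorded."""
    return [stage for stage, deadline in schedule.items()
            if deadline is not None and stage not in submitted and now > deadline]


def run_workflow(sbom_json, feed, aware_at):
    """One hit -> one vulnerability reporting schedule a tracker would persist."""
    return [{**hit, "schedule": reporting_schedule("vulnerability", aware_at)}
            for hit in match_exploited(parse_sbom(sbom_json), feed)]


if __name__ == "__main__":
    for item in run_workflow(SAMPLE_SBOM, SAMPLE_FEED, utc(2026, 9, 14, 9)):
        print(item["id"], item["component"], "fixed in", item["fixed"])
        for stage, deadline in item["schedule"].items():
            print(f"  {stage}: {deadline.isoformat() if deadline else 'clock not started'}")
```

In a real pipeline the feed would be pulled from CISA KEV, OSV or the EU vulnerability database, version comparison would follow the rules of each package ecosystem rather than plain numeric tuples, and the corrective_available and notified_at timestamps would come from the ticketing system so that the final report clock starts from real events.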

Teldat CRA aligned solutions

As a European network hardware manufacturer, Teldat designs products under EU jurisdiction with security by design principles that align with CRA essential requirements. The following capabilities address the specific obligations the regulation places on manufacturers of network infrastructure products.

1
Security by design hardware
Teldat SD-WAN routers and edge devices are engineered with security built into the hardware and firmware from the design phase. Secure boot, hardware root of trust, encrypted storage and tamper detection are standard features, not aftermarket additions. This aligns directly with the CRA Annex I Part I requirement for products to be designed with an appropriate level of cybersecurity.
2
CNM centralized update management
Teldat Cloud Net Manager (CNM) enables centralized firmware and security update deployment across entire SD-WAN fabrics. Security patches can be separated from feature updates and deployed automatically with zero touch provisioning, meeting the CRA requirement for timely, free security updates throughout the product lifecycle.
3
be.Safe Pro SSE
Teldat’s cloud delivered SASE platform integrating Secure Web Gateway, CASB, ZTNA and Next Generation Firewall. With over 15,000 IPS signatures and 4,000 application decoders, it provides defense in depth for connected products and the networks they operate on. Classified under Important products in the CRA, be.Safe Pro SSE is built to meet the corresponding conformity requirements.
4
be.Safe XDR
AI powered extended detection and response with personalized machine learning models. Provides real time vulnerability detection, behavioral analytics and automated incident response across IT and OT environments. Supports the CRA requirement for manufacturers to identify and document vulnerabilities and address them through targeted security updates.
5
CPSTIC and ENS Alta certification
Teldat holds both Qualified and Approved status in Spain’s CPSTIC Catalog (CCN/ENS) at the highest level (ENS Alta). This existing certification validates alignment with European cybersecurity standards and provides a strong foundation for CRA conformity assessment, particularly for Important product categories.
6
SBOM and vulnerability management
Teldat maintains documented software bills of materials for its product portfolio, tracking components, versions and known vulnerabilities. Combined with CNM’s automated update infrastructure, this enables the systematic vulnerability management and reporting capability that the CRA requires from September 2026.

The Teldat CRA advantage: as a European headquartered manufacturer, Teldat controls the entire product lifecycle from hardware design through firmware development to security update delivery. Every stage of the CRA compliance chain, from risk assessment and secure design to vulnerability management and conformity documentation, is handled within European jurisdiction. Organizations deploying Teldat network infrastructure can rely on a single vendor for CRA compliant SD-WAN, SASE, XDR and OT security.

Frequently asked questions about the Cyber Resilience Act (FAQ)

What is the Cyber Resilience Act in simple terms?

The Cyber Resilience Act (CRA) is an EU regulation that requires all products with digital elements sold in the European market to meet mandatory cybersecurity requirements. This includes hardware, software and IoT devices. Manufacturers must design products with security built in, provide security updates throughout the support period, report actively exploited vulnerabilities through the ENISA single reporting platform (starting with an early warning within 24 hours) and affix the CE marking to confirm conformity. The regulation entered into force on 10 December 2024 and applies in full from 11 December 2027.

Which products does the CRA cover?

The CRA covers all products with digital elements (PDEs) that have a direct or indirect data connection to a device or network. This includes routers, firewalls, IoT devices, operating systems, VPN software, smart home products, network management systems and embedded software. Products are classified into three tiers: Default (about 90% of products, self assessment), Important (Annex III, Classes I and II, including routers, firewalls and SIEM systems) and Critical (Annex IV, such as smart meter gateways and hardware security modules). Medical devices, vehicles and national security products are excluded.

What are the key CRA deadlines?

The CRA has three main deadlines. From 11 June 2026, the framework for conformity assessment bodies applies. From 11 September 2026, manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA, even for products already on the market. From 11 December 2027, all CRA product requirements apply in full and non compliant products cannot be sold in the EU.

What are the penalties for CRA non compliance?

Penalties under the CRA are substantial. Failure to meet the essential cybersecurity requirements in Annex I or the manufacturer obligations in Articles 13 and 14 can result in fines of up to 15 million euros or 2.5% of global annual turnover, whichever is higher. Breaches of other obligations carry fines of up to 10 million euros or 2% of turnover, whichever is higher. Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities can result in fines of up to 5 million euros or 1% of turnover, whichever is higher. Microenterprises and small enterprises are not fined for missing the 24 hour early warning deadline, and open source software stewards are not subject to administrative fines.

How does the CRA relate to NIS2 and GDPR?

The CRA complements NIS2 and GDPR as part of the EU cybersecurity framework. NIS2 focuses on the cybersecurity of organizations operating critical infrastructure, while the CRA focuses on the security of the products those organizations use. GDPR protects personal data. Together they create a layered regulatory architecture: CRA secures the product, NIS2 secures the operator and GDPR secures the data. Compliance with one does not satisfy the others, but aligned implementation reduces duplication.

How does Teldat support CRA compliance?

Teldat is a European network hardware manufacturer whose products are designed with security by design principles aligned with CRA requirements. Teldat SD-WAN routers, be.Safe Pro SSE and be.Safe XDR incorporate secure default configurations, automated firmware updates through CNM, vulnerability management processes and SBOM documentation. Teldat holds CPSTIC certification at ENS Alta level, validating conformity with European cybersecurity standards. As a European manufacturer, Teldat products carry CE marking and comply with EU product security legislation.

Build CRA compliant network infrastructure with Teldat

From security by design SD-WAN hardware to centralized update management, SASE and XDR, Teldat delivers European cybersecurity aligned with CRA, NIS2 and EU product security requirements.