
In an increasingly interconnected world, digital products serve as critical entry points into networks and infrastructures. The CRA responds to growing cybersecurity concerns by transforming security-by-design from a recommendation into a legal obligation.
Manufacturers must now demonstrate that their products meet essential cybersecurity requirements from design and development to deployment, maintenance, and end-of-life.
Securing devices against cyber threats is a challenging task, because clients expect functionality to be preserved without overcomplicated security measures.
Such software usually connects to the internet or to hospital networks, so its data may also be reachable from mobile phones or other connected devices.
Among many novelties linked to cybersecurity risks, two new regulations on medical devices have been adopted and entered into force on 25 May 2017.
These regulations introduce new essential cybersecurity requirements within the EU for all medical devices that incorporate electronic programmable systems, and for software that is a medical device in itself.
This means that manufacturers have to develop and manufacture their products in accordance with state-of-the-art technologies, taking into account the principles of risk management.
This affects information security and also requires setting out minimum requirements for IT security measures, including protection against unauthorized access to vulnerable personal data.
The Cyber Resilience Act (CRA) is a European Union regulation that sets horizontal cybersecurity requirements for all products with digital elements — including connected hardware and software, from IoT devices to standalone software applications. Unlike sector-specific laws, the CRA ensures a unified minimum level of cybersecurity across the entire EU market.
It requires manufacturers to consider cybersecurity throughout the entire product lifecycle — from design and development to maintenance and vulnerability handling. This means security can no longer be treated as an afterthought but must be built into products by design (“security by design” and “security by default”).
Although the CRA formally entered into force on 10 December 2024, it will only become fully applicable on 11 December 2027. This three-year transition period allows manufacturers and other stakeholders to adjust their development, compliance, and support processes in line with the new requirements.
After this date, any product with digital elements that is not compliant with CRA requirements cannot be legally placed on the EU market. Companies should therefore already start preparing by identifying affected products and aligning existing standards and risk management processes with the CRA.
The RED Delegated Act (EU) 2022/30 — which currently defines cybersecurity requirements for certain radio-connected products — will be repealed on 11 December 2027, the same day the CRA becomes fully applicable.
From that point onward, the CRA will serve as the overarching legal framework for product cybersecurity, avoiding duplication of obligations. Until then, manufacturers must still comply with the RED-DA, and existing RED-DA compliance work will still support future CRA compliance.
Both the RED-DA and the CRA impose mandatory cybersecurity requirements enforceable via CE marking.
Many devices fall under both frameworks (e.g., smart home devices, routers, industrial gateways). Once the CRA applies, it will take precedence, creating a single streamlined cybersecurity framework.
“Module A” refers to the Internal Production Control conformity assessment procedure. Under the CRA, it allows manufacturers to self-declare conformity if they fully implement relevant harmonised standards.
Manufacturers using Module A must implement internal processes ensuring their product meets all essential cybersecurity requirements, then issue an EU Declaration of Conformity, taking full legal responsibility.
However, Module A can only be used if harmonised standards (hENs) fully apply. If no standards exist or only partially apply, additional justification or third-party involvement may be required.
Presumption of Conformity (PoC) means that a product is presumed to meet CRA requirements if it complies with harmonised standards (hENs) published in the Official Journal of the European Union.
By following these standards, manufacturers can demonstrate compliance in a straightforward and recognised way. However, PoC only applies to the aspects covered by the standards; any uncovered risks must be handled separately.
Important: No harmonised standards have yet been published under the CRA. Therefore, full Presumption of Conformity is currently impossible, and manufacturers must rely on alternative assessment methods until standards are finalised.
No. Under the CRA, only Class I products listed in Annex III (“important products with digital elements”) can achieve full PoC by applying harmonised standards.
For other product classes, only partial PoC will be possible — especially because the complete set of CRA-related harmonised standards is still under development.
Currently, no harmonised standards exist, meaning even Class I products cannot yet claim full Presumption of Conformity.
Harmonised standards form the technical backbone for demonstrating CRA compliance. The EN 18031 series — originally used for RED-DA — is expected to form the basis for future CRA harmonised standards.
This continuity means current RED-DA alignment efforts will continue to be useful and will ease the transition to CRA compliance.
Once harmonised standards are published, they will provide manufacturers with clear, recognised methods to meet cybersecurity and vulnerability management requirements.
Important: Candidate standards (such as EN 18031-1/-2/-3) are in development, but none have yet been harmonised. Until published in the Official Journal, compliance must rely on custom technical documentation and risk assessments.