CRA is the European Union's mandatory cybersecurity regulation for all connected products. It applies to hardware, software, and IoT devices sold anywhere in the EU market. Non-compliance is not an option: it is a legal violation.
The regulation is already enacted. These are the dates that will determine whether your business survives in the EU market.
Regulation (EU) 2024/2847 entered into force. The clock started.
Member states began transposition. National authorities started preparing enforcement frameworks.
Manufacturers must have vulnerability disclosure and incident reporting processes in place. 21-month transition ends.
All connected products must carry CE marking demonstrating CRA compliance. Non-compliant products face market ban, fines, and legal action. NO EXTENSIONS.
If you make, import, or sell connected products in the EU, the CRA applies to you. There are very few exceptions.
Any company that designs or manufactures hardware, software, or IoT products with digital elements sold in the EU. This includes OEM manufacturers, electronics companies, industrial equipment makers, and software vendors.
Companies that import non-EU products into the European market, or distributors who sell products in the EU, carry secondary CRA obligations. You cannot import non-compliant products.
Component and software suppliers who provide parts to EU-selling manufacturers must be CRA compliant themselves. Manufacturers are responsible for their entire supply chain's compliance status.
Annex I of the CRA defines 14 essential cybersecurity requirements. Every single one is pre-built into the Cognisec CRA Engine. No manual interpretation required.
Products must be placed on the market without any known exploitable vulnerabilities in critical components.
Products must be delivered with secure default settings. Default credentials must be unique or changeable. Unnecessary services must be disabled.
Confidentiality, integrity, and availability of data must be protected. Encryption at rest and in transit required where applicable.
Unauthorised manipulation of data must be prevented. All data accessed, modified, or deleted must be logged and traceable.
Products must minimise their own negative impact on the availability of services. DoS protection and resilience measures required.
Products must minimise the attack surface including external interfaces. Principle of least privilege must be applied throughout.
Products must be designed to limit the impact of cybersecurity incidents. Compartmentalisation and isolation mechanisms required.
Security-relevant information must be recorded and monitored. Products must detect anomalies and deviations from expected operation.
Access to data, services, and functions must be controlled and limited to authorised users, services, and programs only.
Security updates must be available, free of charge where possible, with adequate notification. Signed updates required to prevent tampering.
Manufacturers must apply secure development lifecycle practices. Code review, threat modelling, and security testing required throughout.
A coordinated vulnerability disclosure policy must be published and maintained. Contact details for reporting vulnerabilities must be public.
Discovered vulnerabilities must be addressed without delay. SBOM (Software Bill of Materials) must be maintained in machine-readable format.
A comprehensive cybersecurity risk assessment must be conducted, documented, and kept current throughout the product lifecycle.
These are not theoretical risks. EU enforcement authorities have extensive powers and a track record of using them. GDPR fines proved it.
Or 2.5% of total worldwide annual turnover, whichever is higher. A €1B company faces up to €25M per violation. Multiple non-compliant products mean multiple violations.
Violations related to obligations other than essential requirements carry fines up to €10M or 2% of worldwide turnover. Non-cooperation with authorities adds further penalties.
National market surveillance authorities can order immediate product withdrawal from all 27 EU member states simultaneously. No appeals process stops the initial ban.
The Cognisec CRA Engine makes it achievable. All 14 requirements. Three role panels. Real-time dashboards. 30-day free trial.
We are actively seeking motivated sales partners across the United Kingdom and European Union to represent the Cognisec CRA Engine. If you work in cybersecurity, compliance consulting, or IT services, let's talk.