The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for all products with digital elements (PDEs) placed on the EU market.
Its purpose is to ensure that:
- PDEs have minimal cybersecurity vulnerabilities
- Manufacturers are responsible for the ongoing cybersecurity of PDEs throughout their lifecycle
A PDE is any hardware or software product that connects (directly or indirectly) to a device or network. This covers everything from smart home devices and children’s connected toys to operating systems, microcontrollers, and security software.
Who Is Affected?
Your organisation’s products are in scope if both of the following apply:
- You manufacture, import, or distribute products for commercial sale in the EU, and
- Those products connect to a network or other devices.
The CRA applies across a range of risk-based classifications, from default (low-risk) products to ‘Important’ and ‘Critical’ PDEs that require third-party assessment or certification.
When Does It Come Into Effect?
Key enforcement milestones include:
- Ratified: December 2024
- Mandatory reporting of actively exploited vulnerabilities and severe incidents relating to PDEs: September 2026
- Full enforcement: December 2027
What Are the Consequences of Non-Compliance?
Non-compliance can result in fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
Speak to a Cyber Security Expert
URM can draw on nearly two decades of experience helping organisations comply with information security, business continuity, data protection and cyber security regulations and standards. We can help you identify where your organisation is, and is not, meeting the requirements of the Cyber Resilience Act, and how to close any compliance gaps.
What Are the Key Requirements?
The CRA sets out essential cybersecurity requirements that all PDEs must meet. These include:
- No known exploitable vulnerabilities
- Secure by default configuration
- Processes for deploying security updates
- Protection against unauthorised access
- Safeguards for confidentiality and integrity of data
- Measures to limit attack surfaces and minimise impact on other networks
- Appropriate event logging
- Functionality for users to delete or transfer their data
Manufacturers must also implement robust vulnerability handling processes, including:
- Maintaining an inventory of components and vulnerabilities
- Remediating vulnerabilities “without delay”
- Regular security reviews and testing
- Communicating vulnerabilities to consumers
- Securely distributing updates
In addition, manufacturers must produce technical documentation, draw up an EU Declaration of Conformity and apply CE marking to all in-scope products.
How URM Can Help
Many organisations find the CRA’s requirements complex and resource-intensive, particularly the technical documentation, the vulnerability handling expectations and the conformity assessment obligations. URM can provide end-to-end support to ensure you fulfil all of these requirements.
URM's support includes:
Determining Whether Your Products Are PDEs and in Scope
Many organisations are unsure whether the CRA applies to them, especially given the broad definition of a product with digital elements. The Act covers everything from smart home devices and connected toys to operating systems, microcontrollers and security software.
URM helps you cut through the ambiguity by reviewing your full product set, mapping each product against the CRA definition, and confirming whether it falls within scope. This ensures you don’t overlook products that may trigger regulatory obligations.
Determining Your Products’ CRA Classification
The CRA uses a risk-based classification model (Default, Important Class I, Important Class II, Critical), each with different assessment requirements. Some products can be self-assessed, while others require third-party assessment or mandatory certification.
URM works with you to classify each in-scope product accurately, using the CRA’s definitions and examples. This avoids misclassification, which could lead to non-compliance, delays or unnecessary cost.
Ensuring Your Products Meet the Essential Cybersecurity Requirements
The CRA sets out a detailed list of essential cybersecurity requirements, including secure-by-default configuration, vulnerability management, event logging, data protection and measures to limit attack surfaces. It also requires manufacturers to have processes for ‘remediating identified vulnerabilities without delay’ and for maintaining inventories of components and vulnerabilities.
URM reviews your products and supporting processes to identify gaps against these requirements. We help you understand what needs to change, whether that is secure development practices, product update mechanisms, access controls or data handling measures, and then support you in implementing the necessary improvements.
Conducting the Conformity Assessment
For many organisations, the conformity assessment is the most daunting part of the CRA. Even for products that qualify for self-assessment, the CRA requires manufacturers to “ensure and declare on [their] sole responsibility” that all essential cybersecurity requirements have been met.
URM can complete the conformity self-assessment on your behalf, providing an independent, expert evaluation of your product’s compliance. We produce a formal assessment report that can be used as evidence for regulators, customers and internal assurance processes.
If your product requires a formal third-party assessment or certification, we can also support you in identifying an appropriate Notified Body and navigating the relevant EU certification requirements.
Creating or Reviewing the Required Technical Documentation
The CRA requires extensive technical documentation, including:
- Product descriptions and intended purpose
- System architecture diagrams
- Vulnerability handling processes
- Software bills of materials (SBOMs)
- Coordinated vulnerability disclosure policies
- Risk assessments
- Test reports
- Support period justification
URM can support the creation of this documentation from scratch or conduct an independent review to ensure it meets CRA expectations and will stand up to regulatory scrutiny.
Creating the EU Declaration of Conformity
Every in-scope product must have an EU Declaration of Conformity containing specific mandatory information, including product identification, the harmonised standards applied and details of any Notified Body involvement.
URM helps you draft or review these declarations to ensure they are complete, accurate and aligned with the CRA’s requirements. While your organisation must ultimately sign the declaration, we ensure the content is correct and defensible.