EU Cyber Resilience Act, Explained for Small Hardware Makers
Plain-language guide to Regulation (EU) 2024/2847: who is in scope, the product classes, the SBOM requirement, the 24-hour reporting rule starting 11 September 2026, and penalties up to €15M — every claim with its article citation.
The Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU law that makes cybersecurity a condition of market access for nearly every product "with digital elements" — hardware and software alike. If you sell a connected device, firmware, or software into the EU, this law applies to you regardless of where your company sits. Every claim below carries its article citation; this is a summary of the regulation's text, not legal advice.
The dates that matter
| Date | What starts | Citation |
|---|---|---|
| 11 September 2026 | Reporting obligations: actively exploited vulnerabilities and severe incidents must be reported — including for products already on the market | Art. 71(2); Art. 69(3) |
| 11 December 2027 | Full application: all design, documentation, and conformity obligations for products placed on the market from this date | Art. 71(2) |
Am I in scope?
You're in scope if you make available on the EU market, commercially, a hardware or software product whose intended or reasonably foreseeable use includes a data connection [Art. 2(1), Art. 3(1)]. Key boundaries:
- Non-monetised open source is out — providing FOSS without monetising it is not a commercial activity [Recital 18], and hosting on a package repository alone doesn't count as making available [Recital 20]. Monetise it (paid hosting, dual licence, support beyond cost) and you're a manufacturer.
- Pure services (SaaS) are out; integral cloud backends are in — remote data processing that a product's function depends on is part of the product [Art. 3(1)–(2)].
- Sectoral carve-outs: medical devices, vehicles, civil aviation, marine equipment have their own regimes [Art. 2(2)–(4)].
- White-labelling makes you the manufacturer — importers/distributors selling under their own brand, or anyone substantially modifying a product, take on full manufacturer obligations [Art. 21–22].
Work through this interactively with the CRA Readiness Checker — it produces a downloadable scoping memo with every branch cited.
Product classes decide your conformity route
| Class | Examples (verbatim categories) | Assessment route |
|---|---|---|
| Default | Most products — including typical robots, drones, industrial controllers not on the lists | Self-assessment allowed [Art. 32(1)] |
| Important, Class I (Annex III) | Operating systems, routers, password managers, VPNs, smart-home security products (smart locks, cameras, baby monitors), connected toys with tracking, microcontrollers with security functions | Self-assessment only if harmonised standards applied in full; otherwise third party [Art. 32(2)] |
| Important, Class II (Annex III) | Hypervisors and container runtimes, firewalls/IDS/IPS, tamper-resistant microprocessors | Third party or certification — always [Art. 32(3)] |
| Critical (Annex IV) | Smart-meter gateways, smartcards and secure elements, hardware security boxes | EU certification once mandated [Art. 8(1), 32(4)] |
The core obligations in one list
- Security by design — documented risk assessment across the lifecycle; no known exploitable vulnerabilities at release; secure defaults; encryption of data at rest and in transit [Art. 13(2)–(4); Annex I Part I]
- SBOM — a software bill of materials "in a commonly used and machine-readable format covering at the very least the top-level dependencies" [Annex I Part II(1)] — generate one from your lockfile in seconds with the free SBOM generator
- Vulnerability handling — coordinated disclosure policy, security updates free of charge, a support period of at least 5 years [Art. 13(8); Annex I Part II]
- Reporting — actively exploited vulnerability: early warning within 24 hours, notification within 72 hours, final report 14 days after a fix; severe incidents on the same clock but final report within 1 month [Art. 14]
- Paperwork — technical documentation (Annex VII), EU Declaration of Conformity, CE marking, user instructions with a support end-date shown at purchase [Art. 13, 28, 30]
What non-compliance costs
Up to €15,000,000 or 2.5% of worldwide annual turnover (whichever is higher) for breaches of the essential requirements or Articles 13/14; €10M/2% for other operator obligations; €5M/1% for misleading authorities [Art. 64(2)–(4)]. Micro and small enterprises are exempt from fines (only) for missing the 24-hour early-warning deadline [Art. 64(10)].
If you're a five-person hardware startup, do these four things now
- Run the scoping check — ten minutes tells you your class and route.
- Start producing SBOMs as part of every release build — lockfile in, CycloneDX out.
- Publish a security contact and a coordinated vulnerability disclosure policy — it's a hard requirement [Annex I Part II(5)–(6)] and costs an afternoon.
- Decide your support period and document the reasoning [Art. 13(8)] — it must be shown to buyers at purchase from Dec 2027.
The full documentation pack — vulnerability-handling process templates, the ENISA reporting runbook, Annex VII skeleton — is the kind of setup I do as CRA-readiness consulting. One caveat we state everywhere: classification boundaries await a pending implementing act [Art. 7(4)], and boundary cases need professional review.