EU Cyber Resilience Act, Explained for Small Hardware Makers

Plain-language guide to Regulation (EU) 2024/2847: who is in scope, the product classes, the SBOM requirement, the 24-hour reporting rule starting 11 September 2026, and penalties up to €15M — every claim with its article citation.

By Rahul Rajelli · updated 2026-07-10 · RSS

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU law that makes cybersecurity a condition of market access for nearly every product "with digital elements" — hardware and software alike. If you sell a connected device, firmware, or software into the EU, this law applies to you regardless of where your company sits. Every claim below carries its article citation; this is a summary of the regulation's text, not legal advice.

The dates that matter

DateWhat startsCitation
11 September 2026Reporting obligations: actively exploited vulnerabilities and severe incidents must be reported — including for products already on the marketArt. 71(2); Art. 69(3)
11 December 2027Full application: all design, documentation, and conformity obligations for products placed on the market from this dateArt. 71(2)

Am I in scope?

You're in scope if you make available on the EU market, commercially, a hardware or software product whose intended or reasonably foreseeable use includes a data connection [Art. 2(1), Art. 3(1)]. Key boundaries:

Work through this interactively with the CRA Readiness Checker — it produces a downloadable scoping memo with every branch cited.

Product classes decide your conformity route

ClassExamples (verbatim categories)Assessment route
DefaultMost products — including typical robots, drones, industrial controllers not on the listsSelf-assessment allowed [Art. 32(1)]
Important, Class I (Annex III)Operating systems, routers, password managers, VPNs, smart-home security products (smart locks, cameras, baby monitors), connected toys with tracking, microcontrollers with security functionsSelf-assessment only if harmonised standards applied in full; otherwise third party [Art. 32(2)]
Important, Class II (Annex III)Hypervisors and container runtimes, firewalls/IDS/IPS, tamper-resistant microprocessorsThird party or certification — always [Art. 32(3)]
Critical (Annex IV)Smart-meter gateways, smartcards and secure elements, hardware security boxesEU certification once mandated [Art. 8(1), 32(4)]

The core obligations in one list

What non-compliance costs

Up to €15,000,000 or 2.5% of worldwide annual turnover (whichever is higher) for breaches of the essential requirements or Articles 13/14; €10M/2% for other operator obligations; €5M/1% for misleading authorities [Art. 64(2)–(4)]. Micro and small enterprises are exempt from fines (only) for missing the 24-hour early-warning deadline [Art. 64(10)].

If you're a five-person hardware startup, do these four things now

  1. Run the scoping check — ten minutes tells you your class and route.
  2. Start producing SBOMs as part of every release build — lockfile in, CycloneDX out.
  3. Publish a security contact and a coordinated vulnerability disclosure policy — it's a hard requirement [Annex I Part II(5)–(6)] and costs an afternoon.
  4. Decide your support period and document the reasoning [Art. 13(8)] — it must be shown to buyers at purchase from Dec 2027.

The full documentation pack — vulnerability-handling process templates, the ENISA reporting runbook, Annex VII skeleton — is the kind of setup I do as CRA-readiness consulting. One caveat we state everywhere: classification boundaries await a pending implementing act [Art. 7(4)], and boundary cases need professional review.