Cyber Resilience Act
EU-Wide Cybersecurity Standards

The EU Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements – from design through operations to end-of-support. A lifecycle-based approach for resilient, secure software and hardware.

What is the Cyber Resilience Act?

The CRA is the EU's cross-cutting regulation for “Products with Digital Elements” (PDE) – hardware, software and remote processing components. It applies as soon as a product can connect to other devices or networks. From firmware to operating systems to developer tools: the CRA imposes essential cybersecurity requirements across the entire product lifecycle.

Risk-Based Classification

The CRA distinguishes between non-classified, Important (Class I/II) and Critical products. The classification determines conformity paths, depth of assessment and potential certification requirements.

Non-Classified

Basic cybersecurity. Standard products without critical security functions. Conformity via self-assessment (Module A) possible. Lifecycle obligations apply, but reduced assessment requirements.

Important Class I

Enhanced requirements. Products with core cybersecurity functions (e.g. authentication, endpoint security, network protection). Module A possible with harmonized standards, otherwise third-party assessment (Module B/C/H).

Important Class II

High damage potential. More critical security functions (e.g. intrusion detection/prevention, central system functions). Mandatory third-party assessment. Stricter conformity evidence required.

Critical Products

Highest tier. Via Delegated Act, Critical products can be mandated for EU certification (e.g. EUCC, Assurance Level “substantial”). Comprehensive security evaluation necessary.

Lifecycle Obligations: Design to End-of-Support

The CRA imposes essential cybersecurity requirements across the entire product lifecycle – from conception to decommissioning. These obligations are not optional; they are the foundation of conformity.

Secure by Design

Security from the start. Risk analysis in design, threat modeling, secure architecture patterns, zero-trust principles. Security requirements must be defined and documented before development begins.

Secure Development & Build

Supply chain security. SBOM creation, CVE scanning, signed artifacts, reproducible builds. Secure CI/CD chains with policy gates. Traceability of dependencies (including open source components).

Secure Deployment & Updates

Update capability guaranteed. Secure update mechanisms, separate security and feature updates (where possible). Rollback capability, signed packages, secure delivery channels. No forced feature upgrades for security fixes.

Vulnerability Management

CVD processes mandatory. Coordinated Vulnerability Disclosure Policy, systematic CVE handling, documentation, assessment (CVSS), remediation. Integration with third-party/OSS maintainers. Transparent communication to users.

Support Periods

At least 5 years. Support period based on expected usage duration – at least five years, longer for products with longer lifespans. Security updates must be kept available for at least 10 years.

End-of-Support Communication

Clear user information. Timely announcement of end-of-support, showing migration paths, communicating security risks. No abrupt support terminations without warning.

Reporting Obligations: Incidents & Vulnerabilities

The CRA establishes a Europe-wide Single Reporting Portal (operated by ENISA) with strict reporting deadlines. Manufacturers must report actively exploited vulnerabilities and severe security incidents in a structured manner.

Early Warning: 24 Hours

Initial notification within 24h. As soon as the manufacturer becomes aware of a severe incident or an actively exploited vulnerability, an early warning must be submitted to the ENISA portal – within 24 hours of awareness.

Incident Report: 72 Hours

Structured report within 72h. Detailed description of the incident, affected systems, potential impacts, initial countermeasures. Coordination via the coordinator CSIRT of the member state in which the manufacturer is headquartered.

Final Report: 1 Month

Final report within 30 days. Root cause analysis, implemented countermeasures, lessons learned, preventive measures. Structured documentation for regulatory traceability.

Vulnerability Follow-up: 14 Days

After fix availability. For actively exploited vulnerabilities: follow-up report within 14 days after patch/workaround availability. Status updates until complete remediation.

Conformity Assessment by Modules

The CRA uses a modular conformity system (aligned with Decision No 768/2008/EC). Depending on the product class, self-assessment or mandatory third-party assessment is prescribed.

Module A: Self-Assessment

For non-classified and Important Class I products (with harmonized standards). The manufacturer documents conformity itself. Technical documentation, test results and risk analysis must be demonstrable.

Module B/C/H: Third-Party

Mandatory for Important Class II. Notified Body reviews product and/or production process. Includes technical documentation, tests, quality management system. Module H: ongoing surveillance.

EU Certification (EUCC)

Possible for Critical Products. Via Delegated Act, Critical categories can be mandated for EU certification (European Common Criteria, Assurance Level “substantial” or higher).

Supply Chain & Sovereignty Risks

The CRA allows non-technical risk factors to be included in cybersecurity assessment – jurisdiction, state access, “high-risk vendors”. A bridge to digital sovereignty and supply chain security.

Jurisdictional Risks

Dependencies on non-EU jurisdictions can be evaluated as a risk factor – especially with extraterritorial access possibilities (e.g. CLOUD Act, FISA). EU-based alternatives preferred.

High-Risk Vendors

Economic security and state influence on suppliers feed into the risk assessment. Multi-sourcing, EU preference and transparency about sub-suppliers are given regulatory backing.

Supply Chain Transparency

SBOM obligation, traceability of dependencies, licenses, update sources. For vulnerabilities in components: obligation to inform maintainers and to conduct the manufacturer's own risk assessment. Audit rights along the chain.

ayedo and the Cyber Resilience Act

Our Software Delivery Platform and Managed Services are designed for CRA compliance – from SBOM generation to CVE scanning to 24/7 incident response. We systematically support you with all lifecycle requirements.

SBOM & CVE Management

Automated supply chain security. Integrated SBOM generation, continuous CVE scanning, signed artifacts. Traceability of all dependencies – from open source to proprietary. Policy gates for critical vulnerabilities.

Signed Builds & Reproducibility

Trustworthy artifacts. Signature verification for container images and Helm charts. Reproducible builds, GitOps traceability. Artifact management with complete provenance chain.

GitOps & CI/CD Security

Secure delivery chains. Git-to-prod with audit trail, policy enforcement, automated security gates. Separation of security and feature updates via release branches. Rollback capability by default.

Update Strategy & Archiving

CRA-compliant update processes. Secure, signed updates, separate security patches (where possible). Update archiving for ≥10 years. No forced coupling of security fixes to feature upgrades.

24/7 Vulnerability Response

Incident & CVE handling around the clock. ISO 27001-based ISMS with documented CVD processes. 24/7 support for security hotfixes. Integration into ENISA/CSIRT reporting chains. Structured incident reports.

Support Roadmaps & Lifecycle

Long-term support commitments. Support periods ≥5 years (adapted to usage duration). End-of-support communication with advance notice. Transparent lifecycle policies. Update archive available ≥10 years.

Conformity Support

ISO 27001-certified processes. Audit trails, change management, incident tracking. Prepared for Module A evidence and third-party assessments. Complete technical documentation.

EU Sourcing & Jurisdiction

Minimizing non-technical risks. EU-based operations, provider independence, GDPR compliance. Dedicated sovereign stacks available. Transparency about sub-suppliers and their jurisdiction.

CRA Enablement Packages

Structured conformity roadmaps. Classification assessment (Important I/II/Critical), conformity path planning, CVD policy templates, ENISA reporting playbooks, SBOM/signature stack setup. Turnkey implementation of all lifecycle requirements.

CRA Requirements in Detail

What does the CRA mean concretely for your products and processes? From secure-by-design to vulnerability management to reporting obligations – the core obligations are laid out here in structured form.

Secure Development

Threat modeling, security requirements, risk analysis before development. Secure coding standards, code reviews, SAST/DAST. Supply chain security: SBOM, signed dependencies, vulnerability scanning in CI/CD.

Technical Documentation

Comprehensive documentation for conformity evidence: architecture, data flows, security controls, test results, risk analysis. Lifecycle processes documented. Update mechanisms described. For audits and Notified Bodies.

CVD & Vulnerability Response

Coordinated Vulnerability Disclosure Policy (public). CVE handling process: intake, triage, assessment (CVSS), remediation, disclosure. Maintainer coordination for third-party/OSS components. Status tracking and user communication.

Update Management

Secure, signed update mechanisms. Where possible, separate security patches from feature releases. Rollback capability. Update archive ≥10 years. Clear communication about updates (security vs. feature). No forced coupling.

Incident Response

24h early warning for severe incidents. 72h incident report to ENISA portal. 30-day final report. Structured reporting chains, Coordinator CSIRT integration. Internal thresholds for “severe incidents” defined.

Conformity Evidence

Module A (self-assessment) for non-classified / Important I with standards. Module B/C/H (third-party) for Important II. EUCC preparation for Critical products. Technical documentation, test reports, QMS evidence.

CRA in Regulatory Context

The CRA is part of the comprehensive EU digital/cybersecurity ecosystem. It integrates with NIS-2, DORA, the Cloud Sovereignty Framework, the Data Act, GDPR and other EU regulations.

CRA & NIS-2

Complementary at product/operations level. NIS-2 requires organizational and technical measures for critical infrastructures. CRA adds product-side cybersecurity requirements. Together: resilient systems from supply chain to operations.

CRA & DORA

Product security for the financial sector. DORA targets digital operational resilience in the financial sector. CRA ensures that deployed products (ICT third-party providers, software) meet basic cybersecurity standards. Security by Design (CRA) supports DORA ICT risk management.

CRA & Cloud Sovereignty

Secure, sovereign products. The Cloud Sovereignty Framework evaluates independence and control. CRA requires security across the product lifecycle. Together: secure EU products with open standards, transparency (SBOM), exit capability – without lock-in.

CRA & Data Act

Secure, interoperable products. CRA requires security across the product lifecycle. The Data Act requires interoperability and data portability. Together: secure products with open interfaces – without lock-in. Vulnerability management (CRA) protects data flows (Data Act).

CRA & GDPR

Security by Design meets Privacy by Design. CRA requires secure products (software, hardware), GDPR requires data protection in their use. Privacy by Design (GDPR Art. 25) ↔ Security by Design (CRA). Vulnerability management (CRA) supports Art. 32 GDPR (security of processing).

EUCC & Certification

European Common Criteria for Critical products. EUCC becomes relevant for Critical CRA products. Assurance Level “substantial” or higher. Comprehensive security evaluation according to harmonized standards. Notified Bodies conduct assessments. Coherent EU cybersecurity certification.

Supply Chain Sovereignty

Non-technical risk factors. CRA allows consideration of jurisdiction and vendor control. Integration with European sovereignty initiatives. Multi-sourcing, EU preference and transparency (SBOM, CVD) are given regulatory backing.

ayedo Compliance Overview

Comprehensive compliance approach. How ayedo systematically addresses CRA, NIS-2, DORA, the Data Act, GDPR, ISO 27001 and other standards. Certifications, processes, technical measures and audit readiness are covered in our complete compliance roadmap.