EU Cyber Resilience Act
essential requirements, vulnerability handling, and incident reporting

The Cyber Resilience Act in context

Regulation (EU) 2024/2847, the Cyber Resilience Act, was adopted in October 2024 and published in the Official Journal in November 2024. It sets a horizontal cybersecurity baseline for products with digital elements (PDE) placed on the EU market. The regulation entered into force in late 2024 and applies fully 36 months later, with selected provisions on incident and vulnerability reporting applying earlier (21 months after entry into force). The vulnerability handling and reporting obligations are the first items most teams need to operationalise; the conformity assessment and CE marking obligations land at full application.

CRA sits alongside other EU cybersecurity instruments without replacing them. The NIS2 Directive governs the cybersecurity risk-management measures of essential and important entities; DORA governs the digital operational resilience of EU financial entities; and GDPR governs personal data protection. CRA addresses a gap none of those filled: the cybersecurity properties of the products themselves. A vendor selling a SIEM into an essential entity may be in scope of CRA as a manufacturer, while the buyer is in scope of NIS2 as an essential entity. The two regimes interlock through supply chain security provisions on the buyer side and product conformity on the seller side.

Product classes: where the conformity route is set

CRA splits PDEs into four classes that determine the conformity assessment route. The product class is the structural feature that drives the cost and the timeline of the conformity work, so classifying each product version correctly before any other CRA work starts is the step that prevents downstream rework.

Annex I Part 1: essential cybersecurity requirements

Annex I Part 1 lists the cybersecurity properties every PDE has to meet on placing on the market. The list below paraphrases the requirements; the authoritative text is the Annex itself. Track each requirement as an open work item against the product version, with the design rationale, the test outcome, and the residual risk recorded so the conformity decision is defensible at market surveillance review.

Annex I Part 2: vulnerability handling across the support period

Annex I Part 2 sets the vulnerability handling obligations that apply across the entire support period, not just at placing on the market. This is the operational core of CRA for any product team: the regulation expects a continuous process for identifying, addressing, disclosing, and patching vulnerabilities, with evidence captured against the product version each step of the way.

The regular tests and reviews requirement is where penetration testing, vulnerability scanning, and code review feed directly into CRA evidence. The penetration testing workflow keeps engagement scope, findings, and remediation tied to the product version, and the continuous penetration testing workflow covers the cadence model that fits CRA support-period expectations rather than a single annual snapshot. For the inbound side of the disclosure policy, the vulnerability disclosure program management workflow covers triage, acknowledgement, and the closed-loop disclosure record that CRA expects. For the international standard the CRA disclosure obligation reads against, the ISO/IEC 29147 vulnerability disclosure framework page covers the five-phase disclosure lifecycle and the audit-grade evidence pack manufacturers produce against the CRA requirement.

Reporting clocks: actively exploited vulnerabilities and severe incidents

CRA introduces a structured reporting timeline through the ENISA single reporting platform. Manufacturers must notify the relevant CSIRT and ENISA when they become aware of an actively exploited vulnerability contained in their product or a severe incident having an impact on the security of the product. The clocks below run from the moment of awareness, not from the moment of confirmation, so the trigger needs to be operational rather than a debate at incident time.

The structural risk in CRA reporting is the gap between the engineering team that detects the vulnerability and the legal or regulatory team that submits the report. Driving the timeline from the same workspace that holds the vulnerability triage and the incident record closes that gap because the early warning, the notification, and the final report all reference the same underlying record. The aging pentest findings research covers the broader operational pattern of how unpatched findings turn into the regulatory risk CRA is designed to surface.

Annex II: technical documentation and the SBOM

Annex II prescribes the technical documentation pack the manufacturer prepares and retains for at least ten years from placing on the market. The pack supports the EU declaration of conformity and is the body of evidence market surveillance authorities review when they check conformity. The list below is the working set of artefacts a CRA documentation pack commonly contains; the exact contents vary by product class and conformity route.

The SBOM is the documentation item most teams underestimate. CRA expects a software bill of materials covering the top-level dependencies, kept current across the support period, and tied to the vulnerability handling process so a new disclosure against a listed component triggers the right downstream actions. The vulnerable dependencies guide covers the detection and triage discipline that pairs with SBOM maintenance, and the hardcoded secrets guide covers a related class of finding that surfaces during code review and secret scanning across the support period.

Supply chain roles: who owns what under CRA

CRA assigns differentiated obligations across the supply chain. The most common misalignment is treating the regulation as a manufacturer-only problem: importers and distributors carry verification duties that turn into liabilities if a non-conformant product is placed on the market through them. Mapping the supply chain relationship per product makes the obligation lines visible.

How SecPortal aligns to CRA work

SecPortal is built for security service providers and internal security teams running regulated assessment cycles. CRA fits the platform model directly: the product classification drives the engagement, the assessor walks the essential requirements on the workspace, the SBOM and findings sit on the product record, and the technical documentation reflects what the workspace already says.

For teams running CRA work alongside other EU obligations, the NIS2 framework page covers the buyer-side risk-management measures and the supply chain security clauses CRA is the natural counterpart to. The DORA framework page covers the financial-sector operational resilience regime that overlaps CRA when a financial entity buys a regulated PDE. The CRA vulnerability handling guide walks through Articles 13 and 14 in operational detail, including the seven Article 13 manufacturer obligations, the 24-hour, 72-hour, and 14-day Article 14 reporting cascade, and the supporting evidence stack a market surveillance authority reads against. For the broader pentest evidence pattern that feeds the CRA testing requirement, the pentest evidence management workflow covers how to keep test artefacts durable across the support period without losing the audit trail.

Practical sequencing: a CRA programme across the product lifecycle

CRA is a lifecycle regulation, not an audit-time event. The sequencing below is the pattern that holds across most PDE manufacturers: classification first, conformity at placing on the market, and continuous obligations across the support period. Treating CRA as a one-time conformity step misses where most of the work actually lives.

Common deviation patterns and how to record them

Most product teams entering their first CRA cycle carry a small number of gaps against the essential requirements. The defensible position is not zero gaps; it is documented gaps with a rationale, a mitigating control, an owner, a remediation plan, and a re-evaluation date. The pattern below is what a market surveillance review reads as a mature programme.

Scope and limitations

The Cyber Resilience Act is the regulation operated by the European Union and enforced by national market surveillance authorities. SecPortal is the workspace that holds the engagement, the controls, the evidence, and the audit trail. Submission to the ENISA single reporting platform and engagement with notified bodies remain actions the manufacturer takes through the relevant authority interfaces; SecPortal holds the supporting record so the submission and the conformity decision are grounded in the evidence pack rather than reconstructed from email and shared drives.

The dates of application, the in-force product class lists, the harmonised standards referenced, and the implementing acts are published by the European Commission and evolve over time. This page describes the structure of the regulation and how a workspace-driven programme plays against it; the authoritative reference for the in-force obligations and the implementation guidance remains the published text of Regulation (EU) 2024/2847 and the Commission acts that follow it.