
EU Cyber Resilience Act — Article by Article

Plain-English explanations of every CRA obligation relevant to manufacturers of products with digital elements. Effective September 2026.

CVD & Incident Reporting

Article 13

Obligations of Manufacturers

Article 13 is the master obligations article for manufacturers under the Cyber Resilience Act. It is one of the longest and most operationally significant provisions in the regulation, covering the full lifecycle of a product's security: initial design and risk assessment (paragraphs 1–5), SBOM and component due diligence (paragraphs 6–8), security updates and support periods (paragraphs 9–11), post-market monitoring and vulnerability handling (paragraphs 12–14), coordinated vulnerability disclosure (paragraphs 15–17), and cooperation with market surveillance authorities and users (paragraphs 18–20). Manufacturers must meet all of these obligations — not just the CVD provisions — for products placed on the EU market from 11 December 2027.

Article 14

Active Exploitation and Incident Reporting - 24h, 72h, and 14-Day Obligations

Article 14 introduces the most time-sensitive obligations in the Cyber Resilience Act. When a manufacturer becomes aware that a vulnerability in their product is being actively exploited, or when a severe security incident occurs, they must notify their designated coordinator CSIRT and ENISA within strict deadlines - 24 hours for an early warning, 72 hours for a full notification, and 14 days for a final report.

Article 15

Voluntary Reporting of Vulnerabilities and Incidents

Article 15 creates a voluntary reporting pathway alongside the mandatory reporting requirements of Article 14. Manufacturers may voluntarily notify their national CSIRT of vulnerabilities discovered in their products that are not yet actively exploited, of near-misses, and of security-relevant information that could benefit the broader cybersecurity community. Voluntary notifications under Article 15 are encouraged and are treated as good-faith cooperation with EU cybersecurity objectives.

Article 16

Establishment of the Single Reporting Platform and ENISA's Vulnerability Coordination Role

Article 16 establishes ENISA's mandate to create and operate the single reporting platform through which manufacturers submit Article 14 vulnerability and incident notifications. It also covers ENISA's role in establishing the European Vulnerability Database (EVDB) as the EU's authoritative registry for vulnerabilities in CRA-regulated products, and ENISA's coordination function across national CSIRTs for cross-border vulnerability disclosure.


Product & Manufacturer Obligations

Article 3

Definitions: Key Terms in the Cyber Resilience Act

Article 3 contains the statutory definitions that underpin the entire Cyber Resilience Act. The most consequential definition is 'product with digital elements' — any hardware or software product capable of connecting, directly or indirectly, to a device or network. Other defined terms establish who bears obligations (manufacturer, importer, distributor, authorised representative) and what types of activity are regulated (placing on the market, making available, substantial modification). Correctly applying these definitions is the essential first step in CRA compliance planning.

Article 6

Essential Cybersecurity Requirements for Products with Digital Elements

Article 6 is the pivotal compliance provision of the CRA: it requires manufacturers to ensure their products with digital elements satisfy the essential requirements set out in Annex I. Annex I is divided into two parts - Part I covers the security properties products must have at the point of design and manufacture, and Part II covers the vulnerability handling processes manufacturers must maintain after placing products on the market. Compliance with Article 6 is the condition for bearing the CE marking and accessing the EU single market.

Article 20

Distributor Obligations Under the Cyber Resilience Act

Article 20 addresses distributors - entities in the supply chain that make products with digital elements available on the EU market but are not the manufacturer or importer. Distributors have lighter obligations than manufacturers and importers, but they still have a duty to verify that products are compliant before making them available and to cooperate with authorities when issues arise. Distributors who modify products or sell them under their own name take on manufacturer-level obligations.


Annexes — Product Classification

Other Articles

Annex II

Information and Instructions to Users Required Under the CRA

Annex II defines the minimum information and instructions that manufacturers must provide to users of products with digital elements. This user-facing information package is a legally required element of CRA compliance - it enables users to assess the security properties of a product before purchase and to take appropriate action throughout the product's lifetime. Failure to provide the required information is a CRA violation subject to penalties under Article 32.

Annex IX

Simplified EU Declaration of Conformity for Space-Constrained Products

Annex IX provides a simplified format for the EU Declaration of Conformity intended for products where space, form factor, or product type makes it impractical to include the full Annex V declaration in the packaging or product documentation. The simplified declaration contains a short statement and a URL pointing to the full online declaration. It is most commonly used for miniaturised hardware products, embedded components, and digital products distributed without physical packaging.

Annex VII

Technical Documentation Requirements Under the CRA

Annex VII specifies the content of the technical documentation that manufacturers must prepare and maintain to support CRA compliance. The technical file is the complete evidence base demonstrating that a product meets the essential requirements - it includes product design documentation, cybersecurity risk assessments, software bills of materials, test results, and references to the CVD policy. This documentation must be available to market surveillance authorities on request and must be maintained for 10 years after the last product is placed on the market.

Annex VIII

Information to Be Submitted for EU Product Database Registration

Annex VIII sets out the specific information fields that must be submitted to the EU product database (operated under Regulation (EU) 2019/1020) when registering products with digital elements classified as Important (Annex III) or Critical (Annex IV) before they are placed on the EU market. Manufacturers established in the EU and importers of non-EU products are responsible for completing this registration. The fields cover product identification, conformity assessment details, the applicable EU declaration of conformity, and contact information for market surveillance purposes.

Article 1

Subject Matter and Purpose of the Cyber Resilience Act

Article 1 establishes the overarching purpose of the EU Cyber Resilience Act: to ensure that products with digital elements placed on the EU market meet baseline cybersecurity requirements throughout their lifecycle. It sets the foundation for all subsequent obligations by defining what the regulation aims to achieve and why. Manufacturers, importers, and distributors operating in the EU single market must understand Article 1 as the lens through which all other provisions are interpreted.

Article 18

Authorised Representatives: EU Presence for Non-EU Manufacturers

Article 18 requires manufacturers established outside the European Union who place products with digital elements on the EU market to appoint an authorised representative established within the EU. The authorised representative is the legal point of contact for national market surveillance authorities, ENISA, and other competent bodies. This provision ensures that there is always an EU-based entity accountable for CRA compliance, regardless of where the manufacturer is located.

Article 19

Importer Obligations Under the Cyber Resilience Act

Article 19 places specific obligations on importers - entities that bring products with digital elements manufactured outside the EU into the EU market for the first time. Importers must verify that manufacturers have met their CRA obligations before placing products on the market, and they bear personal liability for non-compliant products they import. This provision creates a compliance gateway role for importers within the EU supply chain.

Article 2

Scope and Exclusions Under the Cyber Resilience Act

Article 2 defines the scope of the CRA - which products and economic operators are covered - and sets out important exclusions for sectors already regulated under other EU frameworks. Understanding the scope boundaries is critical for manufacturers who operate across multiple product categories or who supply products to regulated industries such as medical devices, aviation, or automotive. Where exclusions apply, the CRA does not impose additional obligations, but the underlying sector regulation typically has its own cybersecurity requirements.

Article 21

When Importers and Distributors Are Treated as Manufacturers

Article 21 closes a potential compliance gap by treating importers and distributors as manufacturers - with the full weight of manufacturer obligations - in two key scenarios: when they place a product on the market under their own name or brand, and when they modify a product in a way that could affect its compliance with CRA requirements. This provision prevents companies from avoiding CRA obligations by acting as intermediaries while substantively behaving as manufacturers.

Article 24

Obligations of Open-Source Software Stewards Under the CRA

Article 24 introduces the concept of 'open-source software steward' — an entity that provides a platform or support for the ongoing development of open-source software used in products with digital elements, without placing a product on the market itself. Open-source stewards are not manufacturers and are not subject to CE marking or EU Declaration of Conformity obligations. However, they must put a cybersecurity policy in place, publish a vulnerability disclosure process, and cooperate with market surveillance authorities — recognising their structural role in the supply chain.

Article 25

Security Attestation of Free and Open-Source Software

Article 25 establishes a voluntary security attestation programme for free and open-source software (FOSS). ENISA runs the programme, which enables open-source components to undergo a structured security assessment and receive an attestation certificate. Manufacturers integrating attested FOSS components into their products can reference the attestation as evidence of component due diligence under Article 13. The programme bridges the gap between the CRA's manufacturer obligations and the open-source ecosystem's development model.

Article 27

Presumption of Conformity, Harmonised Standards, and Common Specifications

Article 27 governs how harmonised European standards and common specifications create a legal presumption of conformity with the CRA's essential cybersecurity requirements. When a manufacturer applies a harmonised standard published in the EU Official Journal, their product is presumed to meet the essential requirements that standard covers. Article 27 also governs the Commission's power to object to harmonised standards that do not adequately cover the essential requirements.

Article 28

EU Declaration of Conformity: Content, Structure, and Requirements

Article 28 requires manufacturers to draw up an EU Declaration of Conformity (DoC) before placing a product with digital elements on the EU market. The DoC is the formal document in which the manufacturer declares that the product meets all applicable CRA essential requirements. Article 28 specifies exactly what information the DoC must contain, making it a legally binding compliance statement that supports the CE marking.

Article 30

Rules and Conditions for Affixing the CE Marking

Article 30 is the technical 'how-to' provision for the CE marking under the Cyber Resilience Act. It tells manufacturers where the CE marking must physically appear (on the product, packaging, EU Declaration of Conformity, or accompanying website for software), how visible and legible it must be, when it must be affixed (before the product is placed on the market), and what must follow it (a pictogram, a notified body identification number for Module H assessments, or markings from other applicable Union harmonisation legislation). It also empowers the Commission to specify additional technical labelling rules through implementing acts and obliges Member States to act against improper CE marking use.

Article 32

Conformity Assessment Procedures: Module A vs Third-Party Assessment

Article 32 specifies which conformity assessment procedure applies to different categories of products with digital elements. Default-class products can use Module A (manufacturer self-assessment and declaration), while higher-risk Class I and Class II products listed in Annex III require third-party involvement through a notified body. Understanding which procedure applies to your product is the starting point for planning your CRA conformity pathway.

Article 35

Notification of Conformity Assessment Bodies to the European Commission

Article 35 establishes the process by which member states notify the European Commission of conformity assessment bodies authorised to perform third-party CRA assessments. Notified bodies are the organisations that conduct mandatory third-party conformity assessments for Class I and Class II products listed in Annex III. Understanding the notified body framework is essential for manufacturers of higher-risk products who require third-party certification rather than self-declaration.

Article 39

Notification of Conformity Assessment Bodies

Article 39 specifies the requirements that conformity assessment bodies must meet before a member state can notify them to the European Commission for CRA purposes. It establishes the competence, independence, and impartiality criteria that notified bodies must demonstrate, and the ongoing obligations they bear once notified. For manufacturers, understanding Article 39 helps in evaluating whether a potential assessment body genuinely qualifies to conduct CRA conformity assessments.

Article 4

Free Movement of CRA-Compliant Products in the EU Single Market

Article 4 is the market access provision at the heart of the CRA's regulatory logic: products that satisfy the essential cybersecurity requirements and bear the CE marking are entitled to free movement throughout the EU single market. Member states cannot impose additional national cybersecurity requirements on CE-marked products without specific EU authorisation. This provision benefits manufacturers by creating a single compliance pathway for the entire EU market rather than requiring country-by-country certification.

Article 5

Procurement and Professional Use of Products with Digital Elements

Article 5 addresses the obligations of organisations that procure or professionally deploy products with digital elements — particularly public sector bodies and operators of critical infrastructure. While most CRA obligations fall on manufacturers, Article 5 ensures that buyers and users of CRA-regulated products also play a role in maintaining cybersecurity, including applying security updates, considering cybersecurity in procurement decisions, and cooperating with manufacturers on security issues.

Article 52

Market Surveillance Coordination Between EU Member States

Article 52 establishes the framework for coordinating market surveillance activities across EU member states. Because the EU single market means products flow freely across borders, a non-compliant product identified in one member state may be on sale in 26 others. Article 52 ensures national surveillance authorities share information, coordinate investigations, and apply consistent enforcement standards so that manufacturers cannot exploit differences in national enforcement capacity.

Article 59

Joint Activities of Market Surveillance Authorities

Article 59 establishes the legal framework for national market surveillance authorities (MSAs) to carry out joint activities — principally joint investigations and coordinated enforcement actions — when addressing CRA non-compliance that has cross-border implications. Joint activities allow multiple national authorities to pool investigative resources, share evidence, and issue coordinated corrective measures against manufacturers whose products are sold across more than one EU member state. ENISA can participate in a technical advisory capacity and the Commission can support coordination. Joint activities under Article 59 are a significant escalation tool because their cross-border reach makes them much harder for manufacturers to outmanoeuvre than unilateral national enforcement.

Article 64

Administrative Fines for CRA Non-Compliance

Article 64 sets out the administrative fine regime for CRA violations. It creates a graduated penalty structure calibrated to the seriousness of the infringement: the most severe fines apply to products that fail the essential cybersecurity requirements or lack vulnerability handling processes; lower tiers apply to other obligation breaches; and a separate tier covers the provision of incorrect or misleading information to authorities. Member state market surveillance authorities apply these fines, subject to national procedural law.

Article 7

Important Products with Digital Elements - Annex III Classification

Article 7 designates certain products with digital elements as 'important' because their cybersecurity properties are critical to other systems or pose elevated risks. Products listed in Annex III fall into two classes: Class I (significant cybersecurity functions) and Class II (higher-risk products performing critical security roles). Important products face stricter conformity assessment — self-certification alone is not sufficient; Class I requires third-party documentation review and Class II requires full EU-type examination or quality assurance assessment.

Article 8

Critical Products with Digital Elements - Annex IV Classification

Article 8 designates a narrow category of products with digital elements as 'critical' — those whose compromise could have the most severe systemic impact on cybersecurity. Products listed in Annex IV must use an EU cybersecurity certification scheme under the EUCS (EU Cybersecurity Certification Scheme) for their conformity assessment, rather than the notified body routes available to Annex III products. This makes critical products the only CRA product category linked directly to ENISA's certification framework.


Deadline · 11 September 2026

Only three of these articles are legally required by September 2026.

EN 18031 §5.3.3.4, §5.3.2.4, §5.4.3.4 — intake channel, triage playbook, paper trail.


Ready to meet your CRA obligations?

CVD Portal provides a complete vulnerability disclosure programme — free for Article 14 compliance, for all manufacturers placing products with digital elements on the EU market.
