Cyber Resilience Act

The Cyber Resilience Act sets cybersecurity rules for products with digital elements sold in the EU. Manufacturers must build security in from the start, keep a software bill of materials, handle vulnerabilities in a coordinated way, and report actively exploited flaws on a strict clock before a product can carry the CE mark. turingsecure gives you the SBOM, vulnerability handling and evidence to back those duties.

Who Must Comply

Rules for Products With Digital Elements

The CRA applies to manufacturers, importers and distributors of products with digital elements, meaning hardware and software that can connect to a device or network. If you place such a product on the EU market, its security is now a legal condition of sale, across its whole expected lifetime, not just at launch.

The duties fall into two halves. Before a product ships, it must meet essential cybersecurity requirements and be built secure by design and by default. After it ships, you must keep handling vulnerabilities and supplying security updates for the support period. The obligations below run through both halves.

Cyber Resilience Act rules for products with digital elements

Your Duties

What the CRA Requires of You

Security by Design and Default

Design products to meet the essential cybersecurity requirements, ship them with a secure configuration out of the box, and provide security updates through the support period.

Software Bill of Materials

Maintain a software bill of materials for your product in a common machine-readable format so you can trace every component you ship.

Coordinated Vulnerability Handling

Handle vulnerabilities across the product lifecycle: a disclosure process, remediation, and a duty to report an actively exploited vulnerability to ENISA within 24 hours of becoming aware of it.

CE Marking

Only products that meet the CRA requirements and pass the required conformity assessment may carry the CE mark and be sold in the EU.

Get CRA Ready

Book a personal demo and see how turingsecure covers the SBOM, vulnerability handling and evidence the Cyber Resilience Act demands.