Cyber Resilience Act
The Cyber Resilience Act sets cybersecurity rules for products with digital elements sold in the EU. Manufacturers must build security in from the start, keep a software bill of materials, handle vulnerabilities in a coordinated way, and report actively exploited flaws on a strict clock before a product can carry the CE mark. turingsecure gives you the SBOM, vulnerability handling and evidence to back those duties.
Who Must Comply
Rules for Products With Digital Elements
The CRA applies to manufacturers, importers and distributors of products with digital elements, meaning hardware and software that can connect to a device or network. If you place such a product on the EU market, its security is now a legal condition of sale, across its whole expected lifetime, not just at launch.
The duties fall into two halves. Before a product ships, it must meet essential cybersecurity requirements and be built secure by design and by default. After it ships, you must keep handling vulnerabilities and supplying security updates for the support period. The obligations below run through both halves.
Your Duties
What the CRA Requires of You
- Security by Design and Default
Design products to meet the essential cybersecurity requirements, ship them with a secure configuration out of the box, and provide security updates through the support period.
- Software Bill of Materials
Maintain a software bill of materials for your product in a common machine-readable format so you can trace every component you ship.
- Coordinated Vulnerability Handling
Handle vulnerabilities across the product lifecycle: a disclosure process, remediation, and a duty to report an actively exploited vulnerability to ENISA within 24 hours of becoming aware of it.
- CE Marking
Only products that meet the CRA requirements and pass the required conformity assessment may carry the CE mark and be sold in the EU.
Related
How turingsecure Supports the CRA
The Act sets the duties. These modules produce the SBOM, vulnerability handling and evidence behind them.
- SBOM Analysis
Build and monitor the software bill of materials the CRA requires, and match every component against known vulnerabilities.
- Vulnerability Management
Run the coordinated vulnerability handling the Act expects, tracking each flaw from discovery to a shipped fix.
- Penetration Testing
Test products before release to show they meet the essential requirements and are secure by design.
- Incident Response
Manage disclosure and the 24 hour ENISA report for an actively exploited vulnerability with a documented workflow.
Get CRA Ready
Book a personal demo and see how turingsecure covers the SBOM, vulnerability handling and evidence the Cyber Resilience Act demands.