The Cyber Resilience Act (CRA) is a landmark regulation introduced by the European Union to strengthen cybersecurity across digital products and services. Aimed at protecting consumers and businesses alike, the CRA sets out clear requirements for manufacturers to ensure built-in security from the design phase through the product lifecycle. By enforcing accountability and transparency, the Act marks a critical step toward a more secure digital landscape, helping to reduce vulnerabilities and enhance trust in connected technologies across the European Union. The legislation includes:

• Transparency in the use of third-party open source components
• Software Bill of Materials (SBOM) mandatory
• Process for remediation mandatory
• Fines EUR 5-15m or 1-2.5% of the worldwide turnover

Manufacturers shall, upon identifying a vulnerability in a component, including in an open source component, which is integrated in the product with digital elements, report the vulnerability to the person or entity maintaining the component in order to facilitate vulnerability analysis, manufacturers should identify and document components contained in the products with digital elements, including by drawing up a software bill of materials. A software bill of materials can provide those who manufacture, purchase, and operate software with information that enhances their understanding of the supply chain, which has multiple benefits, most notably it helps manufacturers and users to track known newly emerged vulnerabilities and risks. It is of particular importance for manufacturers to ensure that their products do not contain vulnerable components developed by third parties

In order to understand whether your organisation needs to conform with the CRA and requirments that are needed, try our Cyber Resilience Act (CRA) Self assessment