What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA, Regulation EU 2024/2847) introduces for the first time binding cybersecurity requirements for all products with digital elements sold in the EU. It has been in force since December 2024 and its obligations apply in stages. Put simply: software gets a CE mark — and with it a responsibility that nobody had to bear before.
Who does the CRA affect?
The CRA affects all manufacturers that make products with digital elements available on the EU market. This includes:
- Software products and applications
- Apps, plugins, games
- Connected devices (IoT) — IT and OT
- Any software component that is commercially distributed
Open source software also falls within scope when it is made available in the course of a commercial activity (Art. 3 No. 14, Recitals 18–20). Purely voluntary development without profit intent remains excluded.
What does the CRA specifically require?
- CE marking for software: Before placing on the market, conformity must be demonstrated (Art. 29, 30)
- At least 5 years of security support: Security updates must be provided without delay and free of charge (Art. 13(8), Annex I Part II No. 8)
- Free from known exploitable vulnerabilities at the time of placing on the market (Annex I Part I No. 2a)
- SBOM obligation: Vulnerabilities and components must be documented by means of a software bill of materials in machine-readable format (Annex I Part II No. 1, Art. 13(24))
- Reporting obligations: 24-hour early warning, 72-hour notification, 14-day final report after remediation (Art. 14(2))
- Due diligence for FOSS integration: Manufacturers must check open source components against the EU vulnerability database (Art. 13(5), Recital 34)
- Coordinated vulnerability disclosure (Annex I Part II No. 5)
- Security updates provided separately from feature updates (Annex I Part II No. 2)
The steward role
The CRA creates a new category: the open source software steward (Art. 3 No. 14). A steward is a legal person that systematically and sustainably supports the development of open source products. Stewards are subject to reduced obligations (Art. 24) and are expressly exempt from fines (Art. 64(10b)).
What are the consequences of non-compliance?
- Highest tier: EUR 15 million or 2.5% of worldwide annual turnover (Art. 64(2))
- Middle tier: EUR 10 million or 2% of annual turnover (Art. 64(3))
- Lowest tier: EUR 5 million or 1% of annual turnover (Art. 64(4))
- Representative actions by consumer protection organisations from 11.12.2027 (Art. 65)
- EU-wide recall and withdrawal from the market by the Commission (Art. 54, 56)
Implementation in Germany
The CRA is an EU Regulation and applies directly in all Member States — no national transposition is required. Enforcement is carried out by national market surveillance authorities. The key deadlines: from 11.09.2026 the reporting obligations apply (Art. 14), from 11.12.2027 the full application of all provisions (Art. 71). The same deadlines apply in all other EU countries; only the competent supervisory authority differs.
What does this mean for you?
If you manufacture software or distribute products with software components, you must know, document, and maintain every single open source dependency for at least five years. The 24-hour reporting deadline applies on weekends too. A steward like OTTRIA can take the operational burden off your shoulders while demonstrably fulfilling the due diligence obligation for FOSS integration.
Further reading
- CRA requirements in detail and how OTTRIA covers them
- The steward role in the CRA
- What is an SBOM and why is it not enough?
Download factsheet: CRA factsheet (in preparation)
Want to know whether your products are CRA-compliant? Have your CRA readiness assessed.