Cyber Resilience Act (CRA)

The Cyber Resilience Act (CRA) is the new EU regulation setting cybersecurity requirements for products with digital elements placed on the European Union (EU) market. It marks a decisive step toward stronger digital security and safety across Europe: manufacturers must build in security by design, handle vulnerabilities proactively, and provide transparent security support throughout the product lifecycle.
As cyber threats grow more complex, the CRA sets the foundation for protecting users, strengthening trust, and shaping a resilient digital future.
Cyber Resilience Act Key Benefits
- Stronger Digital Trust
- Lower Cyber Risks
- Clearer Regulatory Compliance

Is Your Product in Scope for CRA?
In Scope
- Hardware products, including components placed on the market (laptops, smart appliances, mobile phones, network equipment, CPUs), together with their remote data processing.
- Software products, including components placed on the market (operating systems, word processors, games, mobile apps, software libraries), together with their remote data processing.
Out of Scope
- Non-commercial products (hobby products) and free and open-source software (FOSS) developed or supplied outside a commercial activity.
- Services, in particular standalone SaaS, websites and purely web-based offerings, which fall under NIS2 rather than the CRA.
- Explicit exclusions: motor vehicles, medical and in-vitro diagnostic devices, certified aeronautical equipment and marine equipment.
How to Prepare for Cyber Resilience Act Compliance?
The CRA covers not only the product itself but its full lifecycle: planning, design, development, production, delivery and maintenance, with an emphasis on security risk assessment and continuous monitoring and improvement.
Understand the Cybersecurity Requirements
- Product Requirements: according to Annex I, Part I of the regulation.
- Risk Assessment & Secure Development Lifecycle: according to Annex I, Part I of the regulation.
- Vulnerability Handling: according to Annex I, Part II of the regulation.
Categorize the Product and Develop Necessary Documentation
- Categorization: evaluate whether the product fits into one of the special categories - Important Class I, Important Class II (Annex III) or Critical (Annex IV). If it does not, it belongs to the Default category.
- Document and Procedure Development: create the necessary documents and establish procedures related to risk assessment, secure development lifecycle and vulnerability handling.
Complete the Conformity Assessment Procedure
Based on the product's category, manufacturers must choose the appropriate conformity assessment procedure:
- Self-Assessment (Module A, internal control): for products in the Default category, and for Important Class I products if harmonized standards are fully applied, manufacturers can conduct a self-assessment.
- Conformity Assessment Body: for Important Class II products, and for Important Class I products if harmonized standards are not fully applied, a third-party Conformity Assessment Body (CAB, i.e. a notified body) must be involved.
- Certification: critical products (Annex IV) may be required by Commission delegated act to obtain a certificate at assurance level at least "substantial" under a European Cybersecurity Certification Scheme (e.g. EUCC), which demonstrates conformity with the CRA's essential cybersecurity requirements.

DEKRA Services
Training
Tailored training and turnkey projects designed to support you in developing your Cyber Resilience Act certification readiness strategy.
Evaluation
- Evaluation services based on draft versions of the standards, or on other reference standards mapped to the essential requirements of the regulation.
- Evaluation services according to the Harmonized Standards.
3rd Party Assessment and Certification
DEKRA will be a Notified Body for the CRA to support manufacturers in obtaining their certificates, leveraging our experience as Notified Body for the RED Delegated Act and as Certification Body for EUCC. Notification of conformity assessment bodies under the CRA starts in June 2026.
EUCC Certification
DEKRA is an accredited ITSEF (IT Security Evaluation Facility) and Certification Body (CB) for EUCC. You can obtain your EUCC certificate while also complying with the CRA.
"This conformity assessment must be finalized by December 2027 to ensure compliance with the CRA. However, please note that vulnerability reporting obligations start in September 2026."

Empower Your Product Security with DEKRA
DEKRA offers one of the most comprehensive portfolios in the industry, spanning Common Criteria, FIPS 140-3, ETSI EN 303 645, IEC 62443, SESIP, EN 18031, and more.
We have already supported hundreds of manufacturers in meeting the EU requirements of the RED Delegated Act. Now we are ready to support you through CRA compliance with the same precision, reliability and independence.
With DEKRA, you ensure product security, build market trust and stay ahead of regulation.
