Question 1

What is the EU Cyber Resilience Act?

Accepted Answer

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.

Question 2

When does the CRA take effect?

Accepted Answer

Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.

Question 3

Who does the CRA apply to?

Accepted Answer

Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.

Question 4

What is an SBOM and why does the CRA require it?

Accepted Answer

A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.

Question 5

How does Complaro help with CRA compliance?

Accepted Answer

Complaro helps automate the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating pre-filled ENISA-format incident reports when actively exploited vulnerabilities are discovered.

Blog

What Is the EU Cyber Resilience Act? A Complete Guide for 2026

CRA Compliance Checklist: What You Need Before September 2026

How to Generate an SBOM for CRA Compliance

CRA vs NIS2: What Is the Difference?

Free CRA Readiness Scanner for Open Source Projects

CRA and Open Source: What the Steward Role Means for Foundations and Maintainers

How to Classify Your Product Under the CRA: Default, Important, and Critical

ENISA Vulnerability Reporting Under the CRA: Timelines, Templates, and Process

Does the CRA Apply to SaaS? Scope, Exemptions, and Edge Cases

CRA Penalties and Enforcement: What Happens If You Don't Comply

CRA Secure Development Requirements: What Annex I Section 1 Means for Your Team

CE Marking for Software Under the CRA: A Step-by-Step Guide

How to Create a Vulnerability Disclosure Policy for CRA Compliance

CRA Supply Chain Security: Managing Third-Party Components

CRA Compliance for IoT and Connected Devices

CRA vs GDPR: How Cybersecurity and Data Protection Overlap

Automated Vulnerability Monitoring for CRA Compliance

CRA Conformity Assessment: Self-Assessment vs Third-Party Certification

CRA Technical Documentation Requirements: What You Need to Prepare

How to Calculate Your CRA Compliance Readiness Score