Question 1

What is the EU Cyber Resilience Act?

Accepted Answer

The CRA (Regulation 2024/2847) is an EU regulation requiring manufacturers of products with digital elements to meet cybersecurity requirements throughout the product lifecycle. It covers vulnerability handling, SBOM provision, and incident reporting to ENISA.

Question 2

When does the CRA take effect?

Accepted Answer

Reporting obligations start 11 September 2026. All other requirements (vulnerability handling, SBOM, documentation, conformity assessment) apply from 11 December 2027.

Question 3

Who does the CRA apply to?

Accepted Answer

Any manufacturer placing a product with digital elements on the EU market, including commercial software, IoT devices, and open-source projects with a commercial activity. SaaS is generally out of scope unless it involves embedded or downloadable components.

Question 4

What is an SBOM and why does the CRA require it?

Accepted Answer

A Software Bill of Materials is a machine-readable inventory of all components in your software. The CRA requires it under Article 13(5) and Annex I Part II(1) so that downstream users and market surveillance authorities can identify vulnerable components.

Question 5

How does Complaro help with CRA compliance?

Accepted Answer

Complaro helps automate the three hardest parts: classifying your products under CRA Annex III/IV, continuously scanning for known vulnerabilities, and generating pre-filled ENISA-format incident reports when actively exploited vulnerabilities are discovered.

Blog

What Is the EU Cyber Resilience Act? A Complete Guide for 2026

CRA Compliance Checklist: What You Need Before September 2026

How to Generate an SBOM for CRA Compliance

CRA vs NIS2: What Is the Difference?

Free CRA Readiness Scanner for Open Source Projects