Every product with digital elements needs cybersecurity. CRA makes it law.
Do you make anything with software, firmware or network connectivity? Then CRA applies to you. Reporting requirements from September 2026, full compliance December 2027. ISO 27001 gives you the foundation; AmpliFlow gives you the tools.
What counts as "digital elements"?
Short answer: almost everything modern. If your product contains software or firmware, or can connect to a network, it falls under the CRA. This creates entirely new requirements for manufacturers.
Mandatory security for all digital products
CRA applies to all products with digital elements sold on the EU market. From consumer products to industrial software: no one is exempt.
Vulnerability handling throughout the lifecycle
Manufacturers must manage security flaws throughout the entire product lifetime. A minimum of five years of security updates is required.
Reporting to ENISA within 24 hours
Actively exploited vulnerabilities must be reported to ENISA within 24 hours. You need processes that can keep up with that pace.
SBOM for the entire supply chain
Software Bill of Materials becomes mandatory. Every third-party component in your products must be documented and tracked.
What CRA demands from manufacturers
The most important obligations that manufacturers of digital products must fulfil.
Security by design
Products must be designed with cybersecurity as a fundamental principle. Security requirements are integrated from the design phase, not added as an afterthought.
Vulnerability handling
Identify and remediate vulnerabilities throughout the entire product lifetime with coordinated vulnerability handling.
Incident reporting
Actively exploited vulnerabilities must be reported to ENISA within 24 hours. A complete report is required within 72 hours.
Software Bill of Materials (SBOM)
Every product shall have a machine-readable SBOM documenting all components, libraries and dependencies.
CE marking for cybersecurity
CE marking is extended to cover cybersecurity requirements. Without CE marking, the product cannot be sold on the EU market.
Five-year support obligation
Manufacturers shall provide security updates for a minimum of five years or throughout the expected lifetime of the product.
ISO 27001 covers the majority of CRA requirements
A structured information security management system gives you the foundation for CRA compliance. Risk assessment, incident management, supplier control and documented policies: everything CRA requires already exists in the ISO 27001 framework.
- Risk assessment of information assets including product security
- Incident management with defined roles and deadlines
- Supplier control and requirements for third-party components
- Documented security policies gathered in one place
- Internal audits verifying that controls are working
- CRA (products with digital elements): regulates hardware and software sold on the EU market. Requires security by design, SBOM and vulnerability reporting.
- NIS2 (organisations and services): regulates organisations delivering essential services. Requires risk management, incident reporting and management accountability.
They complement each other. Many companies need to comply with both.
How AmpliFlow supports your CRA journey
Existing modules that help you build the foundation for CRA compliance.
Pages (wiki)
Collect security policies, SBOM documentation and technical documentation in one place. Your developers generate SBOM files; AmpliFlow ensures the right version is approved, published and accessible at audit time.
Risk Assessment
Map product risks, link them to concrete actions and follow up to verify that the actions actually reduce the risk. CRA demands risk-based security, and that starts with a process that holds the entire chain together, from identification to verification.
Deviation Management
When a vulnerability is discovered, you need to track it from report to root cause analysis to verified fix, with timestamps at every step of the way. That is exactly what auditors and ENISA want to see.
Supplier Register
Keep track of which third-party components are in your products and which suppliers stand behind them. Set requirements, follow up and document: CRA makes you responsible for the entire supply chain.
Audit Management
Plan conformity assessments, document results and follow up with actions. When the notified body comes to visit, you have the evidence ready.
Legal Requirements Register
Link CRA requirements to your processes and controls. See which requirements are met, where there are gaps and who is responsible for closing them.
What you gain from structured CRA preparation
Concrete advantages of preparing systematically.
Structured security lifecycle
Build a systematic process for product security, from design to decommissioning. Documented and traceable.
Traceable vulnerability handling
Every vulnerability is documented with a timeline, actions and verification. Full traceability for auditors.
Documented compliance
All evidence gathered in one place. Demonstrate that you meet CRA requirements with structured documentation.
Planned assessments
Schedule conformity assessments in a structured way. Be prepared when it is time for review.
Questions and answers about the CRA
What is the Cyber Resilience Act (CRA)?
The CRA (Regulation (EU) 2024/2847) is the EU regulation for cybersecurity in products with digital elements. It sets requirements for manufacturers, importers and distributors of hardware and software sold on the EU market. The purpose is to ensure that digital products are secure throughout their entire lifecycle.
Which products are covered by the CRA?
The CRA applies to all products with digital elements placed on the EU market, both hardware and software. This includes everything from IoT devices and network equipment to operating systems and mobile apps. Products are categorised into: Default products (self-assessment), Important Class I and II (third-party assessment may be required) and Critical products (EU certification).
What penalties do companies face for non-compliance?
Non-compliance can result in fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher. In addition, products can be withdrawn from the EU market.
How does ISO 27001 help with CRA compliance?
ISO 27001 provides a structured framework for information security that overlaps with many CRA requirements: risk assessment, incident management, security policies and supplier control. A certified ISMS demonstrates that you work systematically with security, which significantly facilitates CRA compliance.
How is open source affected by the CRA?
The CRA includes a limited exemption for open source developed without commercial purpose. However, if open source is integrated into a commercial product, the manufacturer of the final product is responsible for meeting the CRA requirements. Commercial open source companies are fully covered by the regulation.
What is the timeline for the CRA?
The CRA entered into force on 10 December 2024. Vulnerability reporting requirements apply from September 2026. Requirements for conformity assessment bodies apply from September 2026. Full application of all requirements takes effect on 11 December 2027. Manufacturers should begin preparations now.
What is the difference between CRA and NIS2?
CRA regulates products with digital elements: hardware and software sold on the market. NIS2 regulates organisations that deliver essential services. They complement each other: CRA ensures products are secure, NIS2 ensures organisations using them have the right processes. Many companies need to comply with both.
Start preparing for the CRA now
Book a demo and we will show you how AmpliFlow can help you build the foundation for CRA compliance with ISO 27001.