Cyber Resilience Act: Your Action Plan - Part I: What You Need to Know and Why You Can’t Wait

Victoria Ponce

This is the first article in our multi-part series: “Cyber Resilience Act: Your Action Plan”.

What’s All the Fuss About CRA?

You’ve probably heard the buzz about the Cyber Resilience Act (CRA), and if you build software or hardware with a digital component, it might make you a little nervous. Officially Regulation (EU) 2024/2847, it entered into force on 10 December 2024 and sets out cybersecurity requirements for nearly every product with digital elements placed on the European Union (EU) market.

Most of the obligations apply from 11 December 2027, but the reporting obligations for actively exploited vulnerabilities and severe incidents take effect earlier, on 11 September 2026, and they cover products that are already on the EU market at that point, not only new releases. So now is the time to prepare.

Obligations Throughout the Product Lifecycle

The goal of the Cyber Resilience Act (CRA) is clear: to ensure digital products are secure throughout their entire lifecycle - covering design and development, production, and the post-market phase. To achieve this, CRA requirements align with three key stages:

  • Design and development: Software producers (manufacturers) must ensure products meet the CRA’s essential cybersecurity requirements before they are placed on the market.
  • Production: At the time of release, each product must be accompanied by technical documentation, an EU declaration of conformity and the CE marking.
  • Post-market: Once the product is on the market, manufacturers must continue to handle vulnerabilities responsibly, provide security updates free of charge for the product’s support period, and report actively exploited vulnerabilities and severe incidents to the authorities.
CRA obligations summary per design and development, production and post-market stages

Timelines

To support compliance, the EU has tasked the European Committee for Standardisation (CEN), the European Committee for Electrotechnical Standardisation (CENELEC), and the European Telecommunications Standards Institute (ETSI) with developing harmonised standards. Applying them will be voluntary, but a product that conforms to them is presumed to meet the CRA requirements they cover. They are expected to build on widely adopted industry practice, so there is no need to wait for them to be finalised.

We have seen these kinds of requirements before, and the methods for meeting them already exist. The core ideas behind the coming standards are familiar to many in the industry, rooted in well-known security and development principles. Since the EU has scheduled publication of the harmonised standards close to the CRA’s compliance deadlines, waiting for them to be finalised could leave too little time to implement the required changes.

CRA timeline

The timeline diagram highlights the key milestones for software producers: the main compliance obligations and the planned finalisation dates for the harmonised standards. Notably, from 11 September 2026, software producers must report actively exploited vulnerabilities in products already on the EU market, a requirement that comes well before the full compliance deadline of 11 December 2027. This makes early preparation essential. There is plenty you can start doing today to get ready, and we have you covered.

We Have Seen This Before, Get Started Today

Yes, the CRA lays out some specific rules: a CE marking, reporting actively exploited vulnerabilities and severe incidents through the single reporting platform to ENISA and the relevant national CSIRT, and keeping technical documentation for at least 10 years after the product is placed on the market (or for the support period, whichever is longer), with Annex VII spelling out exactly what that documentation must contain. But not everything is spelled out in black and white.

Several CRA requirements are intentionally broad or open to interpretation, encouraging manufacturers to adopt secure-by-design principles and demonstrate transparency about product security in ways that fit their context.

The good news? These aren’t unfamiliar ideas. Many well-established frameworks already reflect the core goals of the CRA and offer practical guidance you can apply today. The NIST Secure Software Development Framework (SSDF, SP 800-218), OWASP’s secure software development lifecycle guidance, the BSA Framework for Secure Software, ENISA’s coordinated vulnerability disclosure and software security guidelines, the ETSI EN 303 645 baseline for consumer IoT security, and the NTIA’s Software Bill of Materials (SBOM) minimum elements, among others, all point in the CRA’s direction. And these are just a few: other widely adopted standards such as ISO/IEC 27001 and the CIS Controls can also help you build a strong security foundation.
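As an added example (not Chainloop’s code and not part of the original post), here is a small Python check that tests a CycloneDX-style SBOM against the NTIA minimum elements listed above: supplier name, component name, version, a unique identifier, the dependency relationship, the SBOM author and a timestamp. The SBOM document, its component names and the `check_ntia_minimum` function are all constructed for illustration.

```python
"""Check a CycloneDX-style SBOM JSON document against the NTIA minimum elements.

Added example, not Chainloop's code.  The SBOM below is constructed for
illustration: "left-pad" is deliberately incomplete (no supplier, no
package URL, and it does not appear in the dependency graph).
"""
import json
from typing import Dict, List

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2025-06-01T12:00:00Z",
        "authors": [{"name": "build-pipeline"}],
        "component": {"name": "example-app", "version": "1.4.2", "bom-ref": "pkg:app"},
    },
    "components": [
        {"bom-ref": "pkg:npm/express@4.19.2", "name": "express", "version": "4.19.2",
         "supplier": {"name": "OpenJS Foundation"}, "purl": "pkg:npm/express@4.19.2"},
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0"},
    ],
    "dependencies": [
        {"ref": "pkg:app", "dependsOn": ["pkg:npm/express@4.19.2"]},
    ],
})


def check_ntia_minimum(sbom_json: str) -> Dict[str, List[str]]:
    """Return {bom-ref or 'document': [missing NTIA elements]}.

    An empty dict means every NTIA minimum element is present for the
    document as a whole and for every listed component.
    """
    sbom = json.loads(sbom_json)
    findings: Dict[str, List[str]] = {}

    # Document-level elements: timestamp and author of the SBOM data.
    meta = sbom.get("metadata", {})
    doc_missing: List[str] = []
    if not meta.get("timestamp"):
        doc_missing.append("timestamp")
    if not (meta.get("authors") or meta.get("tools")):
        doc_missing.append("author of SBOM data")
    if doc_missing:
        findings["document"] = doc_missing

    # Every bom-ref that appears anywhere in the dependency graph.
    graphed = set()
    for dep in sbom.get("dependencies", []):
        graphed.add(dep.get("ref"))
        graphed.update(dep.get("dependsOn", []))

    # Component-level elements.
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        missing: List[str] = []
        if not (comp.get("supplier") or {}).get("name"):
            missing.append("supplier name")
        if not comp.get("name"):
            missing.append("component name")
        if not comp.get("version"):
            missing.append("version")
        if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
            missing.append("unique identifier")
        if ref not in graphed:
            missing.append("dependency relationship")
        if missing:
            findings[ref] = missing
    return findings


if __name__ == "__main__":
    for ref, missing in check_ntia_minimum(SAMPLE_SBOM).items():
        print(f"{ref}: missing {', '.join(missing)}")
```

Run against the constructed document, the check passes `express` and reports `left-pad` as missing its supplier name, a unique identifier and a dependency relationship. A check like this is cheap to run in CI on every release artifact, and it gives you an early signal that the SBOM you intend to ship as part of your technical documentation is actually complete.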

CRA and existing frameworks

So even though the harmonised standards are still in development, you can already begin aligning with the CRA by adopting industry-recognized best practices. Platforms like Chainloop are already helping teams operationalize those best practices into trackable, auditable workflows.

It’s also worth noting that, under the CRA, not every product needs a third-party check. Products in the default category, which is the large majority, can be self-assessed for conformity. Only products the CRA classes as “important” (Class I or Class II) or “critical” face stricter procedures: Class I important products can still self-assess if they fully apply the relevant harmonised standards, while Class II important products and critical products need a notified body (or, for critical products, a European cybersecurity certification where one is mandated). This risk-based approach ensures the right level of oversight without burdening every product equally.

CRA assessment types

Ultimately, the CRA is not just about ticking boxes for compliance - it’s a framework for creating a safer digital environment across Europe.

While best practices give you a head start, getting fully CRA-ready takes planning - so where do you start?

What’s Next

In this article, we unpacked what the Cyber Resilience Act means for software producers, why early preparation is critical, and how existing security standards already align with CRA goals. With deadlines approaching fast, now is the time to act — and tools like Chainloop can help you start building toward compliance today.

In the next article of this series, we will guide you through a practical action plan to tackle CRA compliance step by step, from vulnerability management and secure-by-design practices to CE marking and user transparency requirements.

In the meantime, it’s a great moment to start exploring how Chainloop can support your CRA journey. With CRA support now available in preview, our platform is built to help you align with key compliance goals from day one. Check out our CRA Reference and Tracking Compliance Guide or book a demo, and we’ll help tailor your path to compliance.

CRA compliance status

Stay tuned — and get ready to turn strategy into action!

Questions about your CRA strategy? Contact us — we’re here to help.