CECIMO Guide on Reporting Obligations Under the Cyber Resilience Act (CRA)

10 January 2025

The CECIMO Guide offers a comprehensive overview of the EU Cyber Resilience Act (CRA), a landmark regulation aimed at enhancing the cybersecurity of products with digital elements (PDEs) across their lifecycle. The guide details essential requirements for secure product design, development, and maintenance, alongside reporting obligations for vulnerabilities and incidents.

Key Highlights:

  1. Scope & Timeline:
    • By December 2027, all products entering the market must comply with CRA standards, covering secure design, vulnerability management, and long-term software support.
    • Critical deadlines include reporting obligations starting in September 2026.
  2. Core Requirements:
    • Products must adhere to security-by-design principles, protect data integrity, and provide free security updates for at least five years.
    • Manufacturers are responsible for assessing third-party components' cybersecurity compliance.
  3. Reporting Obligations:
    • Vulnerabilities and incidents must be reported to national CSIRTs and ENISA within strict timeframes (24 hours for initial warnings, 72 hours for detailed reports).
  4. Compliance Assessment:
    • Products are categorized by risk level (default, important, or critical), with corresponding requirements for self-assessment or third-party certification.
  5. Non-Compliance Penalties:
    • Fines of up to €15 million or 2.5% of global turnover, alongside potential market restrictions or product recalls.