Regulation guide

The Cyber Resilience Act

The Cyber Resilience Act sets EU-wide cybersecurity requirements for products with digital elements — hardware and software alike. This guide explains what the Cyber Resilience Act expects and how to build toward it.

The basics

What is the Cyber Resilience Act?

Secure development is the path to compliance

Meeting the Cyber Resilience Act means embedding secure development, code scanning and vulnerability management into how products are built and maintained.

Products with digital elements

The Cyber Resilience Act covers connected products and software placed on the EU market, from consumer devices to industrial components.

Security across the lifecycle

Manufacturers must build products that are secure by design, handle vulnerabilities as they are reported and provide security updates for the product’s expected lifetime.

Vulnerability handling

Coordinated vulnerability disclosure and timely patching are central obligations under the Cyber Resilience Act.

What the Cyber Resilience Act requires

Secure by design

Security built into products from the start, not added later.

Vulnerability handling

A process to identify, fix and disclose vulnerabilities.

Security updates

Updates provided across the product’s expected lifetime.

Documentation

Technical documentation and conformity assessment.

Where to next

Build the secure-development toolchain

SAST

Static analysis catches flaws before a product ships.

Vulnerability management

Vulnerability management covers the operational side of CRA vulnerability handling: tracking, triaging and fixing vulnerabilities in products already on the market.

Cyber Resilience Act FAQs

What is the Cyber Resilience Act?

An EU regulation setting mandatory cybersecurity requirements for products with digital elements sold in the EU.

Who does it apply to?

Manufacturers, importers and distributors of hardware and software products with digital elements.

How do we prepare?

Adopt secure development, code scanning, vulnerability handling and lifecycle update processes now.

Get ready for the Cyber Resilience Act.

Compare open-source SAST and vulnerability tooling for secure development.