Regulation guide
The Cyber Resilience Act
The Cyber Resilience Act sets EU-wide cybersecurity requirements for products with digital elements — hardware and software alike. This guide explains what the Cyber Resilience Act expects and how to build toward it.
The basics
What is the Cyber Resilience Act?
Secure development is the path to compliance
Meeting the Cyber Resilience Act means embedding secure development, code scanning and vulnerability management into how products are built and maintained.
Products with digital elements
The Cyber Resilience Act covers connected products and software placed on the EU market, from consumer devices to industrial components.
Security across the lifecycle
Manufacturers must build secure by design, handle vulnerabilities and provide updates for the product’s expected lifetime.
Vulnerability handling
Coordinated vulnerability disclosure and timely patching are central obligations under the Cyber Resilience Act.
What the Cyber Resilience Act requires
Secure by design
Security built into products from the start, not added later.
Vulnerability handling
A process to identify, fix and disclose vulnerabilities.
Security updates
Updates provided across the product’s expected lifetime.
Documentation
Technical documentation and conformity assessment.
Where to next
Build the secure-development toolchain
SAST
Static analysis catches flaws before a product ships.
Vulnerability management
The runtime side of CRA vulnerability handling.
Cyber Resilience Act FAQs
What is the Cyber Resilience Act?
An EU regulation setting mandatory cybersecurity requirements for products with digital elements sold in the EU.
Who does it apply to?
Manufacturers, importers and distributors of hardware and software products with digital elements.
How do we prepare?
Adopt secure development, code scanning, vulnerability handling and lifecycle update processes now.
Get ready for the Cyber Resilience Act.
Compare open-source SAST and vulnerability tooling for secure development.