No CRA compliance, no CE marking, no EU market.
From 11 December 2027, a product with digital elements can't carry the CE marking — and so can't be sold in the EU — until it meets the CRA's cybersecurity requirements. Setu Innovation joins the advisory that interprets the regulation to the engineering that satisfies it, in one accountable team, so you reach the assessment with evidence that holds — not a binder that hopes.
- In force · Dec 2024
- Reporting · 11 Sep 2026
- Full application · 11 Dec 2027
- Fines up to €15M / 2.5%
If it has digital elements and reaches the EU, the CRA likely applies.
The CRA covers products with digital elements — almost any hardware or software placed on the EU market that can connect to a device or network. It binds manufacturers, importers and distributors alike.
A 20-second self-check
- Do you place hardware or software on the EU market?
- Can the product connect to a device or network, directly or indirectly?
- Does it receive software or security updates?
- Are you the manufacturer, importer, or distributor?
Mostly "yes"? You're almost certainly in scope — and the classification (below) decides how heavy the obligations are. A short call confirms it.
Six things you'll have to prove.
The CRA turns cybersecurity from a policy document into evidence an assessor inspects. These are the obligations behind the CE mark.
Security by design & by default
Products must ship secure out of the box — no known exploitable vulnerabilities, minimal attack surface, secure defaults — and the design choices must be documented.
Vulnerability handling over the lifetime
You must run a vulnerability-handling process and ship security updates for the support period — by default at least five years, or the product's expected lifetime.
Software Bill of Materials (SBOM)
Maintain a machine-readable inventory of the components in your product (at least the top-level dependencies) so you can track and disclose what's inside.
Technical documentation & CE marking
Compile the technical file that evidences conformity, draw up the EU declaration of conformity, and affix the CE marking before placing the product on the market.
Conformity assessment
Demonstrate conformity by the route your product class requires — self-assessment for most products, an accredited notified body for the higher-risk classes.
Incident & vulnerability reporting
Report actively exploited vulnerabilities and severe incidents to your national CSIRT and ENISA — an early warning within 24 hours and a full notification within 72.
Which class is your product?
The CRA scales the conformity route to risk. Misclassifying a product is one of the most expensive early mistakes — it changes whether you can self-assess or must involve a notified body.
Default
The majority of products. Conformity by manufacturer self-assessment against the essential requirements.
Important · Class I
Higher-risk functions. Self-assessment only if harmonised standards are fully applied — otherwise a notified body.
Important · Class II
Security-critical functions. Notified-body involvement is mandatory — no pure self-assessment route.
Critical
The highest tier. Notified body, and the Commission may mandate a European cybersecurity certificate (EUCC).
The CRA is won in the engineering, not the binder.
Your SBOM, vulnerability handling and secure-update mechanism are technical artefacts an assessor inspects — exactly the part an advisory-only firm can't deliver. Setu does both, in one team.
Scope & classify
Confirm whether each product is in scope, settle its class, set the support-period strategy, and map a prioritised gap against Annex I.
Engineer the evidence
Stand up SBOM pipelines, a conformity-grade vulnerability-handling and coordinated-disclosure process, secure update, and the Annex VII technical file.
Reach the marking
Prepare the conformity assessment, rehearse the notified-body interaction where required, and pre-audit the file before it's submitted.
CRA, answered plainly.
When do the CRA rules start to apply?
It entered into force on 10 December 2024. The vulnerability- and incident-reporting duties apply from 11 September 2026, and the full requirements — including CE marking — from 11 December 2027. The engineering lead time is shorter than the date suggests.
Is my product in scope?
If it's hardware or software with digital elements that can connect to a device or network and is placed on the EU market, almost certainly yes. Products already covered by sectoral law — medical devices, motor vehicles, civil aviation, marine equipment — are excluded.
What are the penalties?
Up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher, for breaching the essential requirements — plus the commercial risk of products being withdrawn from the EU market.
Does open-source software count?
Non-commercial open source has a lighter-touch regime, with a tailored role for open-source software stewards. But a commercial product that incorporates open-source components still carries the full manufacturer obligations.
We already work to UNECE R155 or IEC 62443 — does that cover the CRA?
No — the CRA is a separate, horizontal regime. Type-approved vehicles under R155 are largely carved out, but aftermarket and component products often fall under the CRA. Existing R155 or IEC 62443 work gives you a head start on the engineering evidence, but it is not CRA conformity in itself.
Plan the path to CE marking under the CRA.
A focused review: the products in scope, their classification, the gap against the Annex I essential requirements, and the realistic route to conformity and CE marking before December 2027. Tell us where you are and we'll take it from there — or ask for a call if that's easier.