EU Cyber Resilience Act (CRA) Guide

Learn What The CRA Means For You

The new EU cybersecurity legislation impacts all products with digital elements, including both hardware and software. We offer an easy-to-follow guide to help you understand the CRA and what it means for you.

What Is The EU Cyber Resilience Act?

The European Cyber Resilience Act (EU CRA) is a law newly enacted by the European Union Parliament that focuses on products with digital elements. This legislation is part of a larger EU movement to establish cybersecurity standards. Other standards and regulations include the EU Cybersecurity Act, the NIS Directive and, in particular, the NIS2 Directive, which the CRA will complement.

Why Was The EU Cyber Resilience Act Created?

Cyber Crime Costs: EUR 8 Trillion Annually

The Cyber Resilience Act (CRA) aims to reduce these damages. While compliance costs for manufacturers are estimated at EUR 29 billion*, this investment is minimal compared to the cost for users and the economy in the European Union.

Missing Market Incentives

It’s challenging for consumers to assess product cybersecurity, so manufacturers can't charge a premium for secure devices, leading to underinvestment in this critical area. The CRA includes both concrete product requirements to raise the level of cybersecurity and obligations to inform consumers about the cybersecurity of products.

Complexity and Cost

In a survey of device manufacturers, all agreed cybersecurity is very important. However, when stack ranked against price, time-to-market, and ease of development, cybersecurity ranked lower. The CRA establishes a level playing field by mandating a cybersecurity baseline for all device makers, who otherwise risk severe penalties, including multi-million euro fines and product recalls.

*EU Cyber Resilience Act - Impact Assessment

Toradex AG Survey

Which Products Will Be Affected?


Almost all digital products
  • Devices with any interface or connection that enables data exchange with other devices, either directly or indirectly
  • All Commercial Software

Products already subject to certain other EU cybersecurity regulations are exempt, as these regulations already address the primary requirements.
  • Medical Devices
  • Automotive
  • Avionics
  • National Defense

Open-Source contributors are protected
  • Hobbyists who contribute to open-source projects are protected
  • However, companies offering a piece of open-source software as a part of their own commercial offering are still affected; simply making software open source does not exempt it

Default and High-Risk Category

Products with higher cybersecurity risks will belong either to Class I or Class II.

How to Comply with the CRA: Key Requirements

Product-related Essential Requirements

Vulnerability Handling Requirements

Information & Instruction

Timeline Of The CRA

The Cyber Resilience Act Enters Into Force Today

As of today, the Cyber Resilience Act (CRA) officially enters into force, ushering in new regulatory requirements for manufacturers of embedded devices and critical software.

How Does Torizon Help?

We help with SBOMs, OTA updates, Vulnerability Monitoring, Automotive-grade Security and a Partner Network.