The EU Cyber Resilience Act, in practice
The CRA attaches cybersecurity obligations to products with digital elements sold on the EU market: hardware and software alike. Manufacturers must build securely, know their components, handle vulnerabilities throughout the support period, and be able to prove all three. Its main obligations take full effect on a fixed, published timeline, which makes now the preparation window.
Tools do not make you compliant; they make compliance provable. SecuNexa and BOMNexa supply the technical evidence described on this page. Governance, process, and legal interpretation belong to your compliance function, and this page is not legal advice.
When do CRA obligations actually apply?
The regulation is in force with a phased timeline: reporting obligations arrive first, and the main obligations follow on a fixed deadline. Check the official timeline for the current dates. Preparation, especially SBOM and vulnerability-handling capability, is a present-tense project.
We sell software, not devices. Are we in scope?
Very likely yes: the CRA covers products with digital elements broadly, including standalone software placed on the EU market, with limited exclusions. Confirm your product classification with counsel.