Cyber Resilience Act compliance and product security services

We help organizations understand CRA requirements, classify products, assess security gaps, and implement the technical and governance measures needed for EU-compliant digital products. Our team supports readiness, documentation, vulnerability management and certification.

What EY can do for you

The Cyber Resilience Act (CRA) is an EU regulation designed to ensure that products with digital elements (hardware and software products, together with any remote data processing solutions they depend on) meet a harmonized level of cybersecurity before they are placed on the European market and throughout their support period. Its underlying objective is to reduce systemic vulnerabilities, increase consumer trust and strengthen security across digital supply chains.

For many organizations, the CRA represents a significant operational and engineering shift. It impacts product design, development, testing, documentation and long-term maintenance. EY supports clients end-to-end, translating regulatory requirements into practical, achievable steps that fit product lifecycles and organizational maturity levels.
 

Legislative context

The Cyber Resilience Act (Regulation (EU) 2024/2847) was approved by the European Parliament in March 2024, adopted by the Council in October 2024 and entered into force on 10 December 2024. Most obligations apply from 11 December 2027, giving manufacturers, importers and distributors a defined transition period to adapt their product security practices, documentation and lifecycle processes. Two earlier milestones matter for planning: the provisions on notified bodies apply from 11 June 2026, and the obligation to report actively exploited vulnerabilities and severe incidents applies from 11 September 2026.

Its implementation involves several layers of oversight and responsibility. Oversight sits with the European Commission and the national market surveillance authorities designated by each Member State, while manufacturers, importers and distributors are each responsible for meeting the obligations assigned to their role. Consumers and businesses ultimately benefit from the stronger security and transparency the CRA introduces across the digital product ecosystem.
 

Core obligations introduced by the CRA

The CRA establishes requirements that apply from design through the product's support period, which the manufacturer must define and which must be at least five years unless the product is expected to be in use for a shorter time. These include:

Product classification and conformity assessment

The CRA introduces a classification system that determines the conformity assessment route a product must follow before it may enter the EU market:

  • Default category:
    The majority of products with digital elements fall here. Manufacturers may self-assess conformity against the essential requirements using internal controls.

  • Important products, Class I:
    Technologies with elevated security relevance, for example identity management systems, password managers, browsers, antivirus software, VPNs, operating systems, routers and modems intended for internet connection, and microprocessors or microcontrollers with security-related functionality. Manufacturers may still self-assess if they fully apply harmonized standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body must be involved.

  • Important products, Class II:
    Products such as hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors or microcontrollers. Conformity assessment for these products must involve a notified body.

  • Critical products:
    Products with the highest security impact, for example hardware devices with security boxes (such as hardware security modules), smart meter gateways, and smartcards or secure elements. The Commission may require certification under a European cybersecurity certification scheme, such as EUCC based on Common Criteria; until such a scheme is mandated for a product category, the Class II route applies.

The classification determines technical documentation requirements, testing depth and third-party involvement. Products already covered by sector-specific EU rules are excluded, including medical devices, motor vehicles, civil aviation products and marine equipment, as are products developed exclusively for national security or defence purposes. Pure cloud services (SaaS) are out of scope unless they are remote data processing solutions without which a product with digital elements could not perform its functions. Open-source software is in scope when it is supplied in the course of a commercial activity; non-commercial open-source development is largely exempt, and organizations that steward such projects fall under a lighter regime.
 

Compliance measures and market-access conditions

Before being placed on the market, products must undergo the appropriate conformity assessment, be accompanied by an EU declaration of conformity and display the CE marking, which under the CRA signals conformity with the regulation's essential cybersecurity requirements (alongside any other EU legislation the product must satisfy). Market surveillance authorities will verify conformity and may impose corrective actions or sanctions for non‑compliance.

Non‑compliance with the essential requirements or the core manufacturer obligations can result in administrative fines of up to €15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher. Additional measures may include market withdrawal, distribution bans or mandatory recalls. The CRA therefore has significant operational, financial and reputational implications for manufacturers, importers and distributors.
 

Impact on organizations

The CRA affects several organizational domains, from product design and engineering to vulnerability handling, documentation and post-market support. By establishing a detailed and uniform cybersecurity baseline, it reshapes how digital products are designed, built, maintained and supported across the EU.

Working with EY gives organizations the clarity and structure needed to navigate these requirements confidently. Our combined regulatory, cybersecurity and product engineering expertise helps teams translate CRA obligations into practical actions, reduce compliance risk and accelerate readiness, ensuring products remain trusted, secure and eligible for the EU market.


Our latest thinking

How the Cyber Resilience Act raises the bar for digital product security

The EU’s Cyber Resilience Act sets mandatory security rules for digital products. Here’s what it means and how companies can prepare.

The Data Act: A new era for the data economy

The EU Data Act sets a new standard for a regulated data economy, empowering customers with greater ownership of their data.

How to prepare for the NIS2 Directive?

Discover the key updates the second iteration of the Network and Information Systems Directive brings and how your organization can prepare.


