EU Regulation 2024/2847

Cyber Resilience Act.
Is your product ready?

The CRA requires all products with digital elements on the EU market to meet cybersecurity requirements — or face fines up to €15M. The clock is ticking.

Countdown to December 11, 2027

Reporting obligations apply from September 11, 2026

Does the CRA apply to you?

The CRA applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. If your product contains software or connects to a network, it is likely in scope.

IoT Devices: Default / Critical
Software Products: Default / Critical
Network Equipment: Critical
Smart Home: Default / Critical
Industrial Control Systems: Critical
Mobile Apps: Default
Cloud Services: Default / Critical
Open Source: With obligations

The cost of non-compliance

Essential requirements: €15M or 2.5% of global annual turnover, whichever is higher
Other obligations: €10M or 2% of global annual turnover, whichever is higher
Misleading information: €5M or 1% of global annual turnover, whichever is higher

Non-compliant products can be withdrawn from the EU market by market surveillance authorities.

What the CRA requires — and what SiteGuardian monitors

The CRA defines essential cybersecurity requirements for products with digital elements. SiteGuardian continuously monitors the technical ones.

Art. 6 / Annex I: Secure by Default (Monitored)

SiteGuardian monitors HTTPS enforcement, HSTS headers, secure cookie flags, and detects default credentials or insecure configurations exposed to the network. Products must be delivered with secure default settings.

Art. 10(1): No Known Vulnerabilities (Monitored)

SiteGuardian validates TLS versions, detects deprecated protocols (SSLv3, TLS 1.0/1.1), identifies weak cipher suites, and flags known security misconfigurations. Products must be delivered without known exploitable vulnerabilities.

Art. 10(6): Security Updates (Monitored)

SiteGuardian monitors SSL certificate expiry dates, tracks security posture changes over time, and alerts on configuration regressions. Manufacturers must provide timely security updates for the product support period.

Art. 10(9): Software Bill of Materials (SBOM)

Manufacturers must identify and document components contained in their products, including a Software Bill of Materials. This is an organisational measure that requires internal tooling and processes.

Art. 10(10): Coordinated Vulnerability Disclosure (Monitored)

SiteGuardian detects security.txt files (RFC 9116), verifies vulnerability disclosure policy availability, and checks for proper contact information. Manufacturers must establish a coordinated vulnerability disclosure policy.

Art. 11: Reporting Obligations (Monitored)

From September 2026, manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours. SiteGuardian provides incident detection, classification, and tracks notification deadlines for regulatory compliance.

Art. 13: Conformity Assessment

Products must undergo conformity assessment before being placed on the EU market. Default-category products may self-assess; critical products require third-party audits. This is an organisational measure.

Annex I.2: Security Properties (Monitored)

SiteGuardian verifies encryption in transit (TLS 1.2+), validates access control mechanisms, checks data integrity through secure header configurations, and monitors for unauthorized data exposure. Products must protect confidentiality, integrity, and availability.

Start preparing today

Scan your product's web interface to see where you stand. SiteGuardian maps every finding to CRA articles — so you know exactly what to fix.

Free forever for 1 monitor. No credit card required.

Frequently asked questions

What is the Cyber Resilience Act (CRA)?

The CRA (Regulation 2024/2847) is the EU's regulation establishing horizontal cybersecurity requirements for products with digital elements. It covers both hardware and software products placed on the EU market and requires manufacturers to ensure products are secure by design throughout their entire lifecycle.

When does the CRA apply?

The CRA entered into force on December 10, 2024. Reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026. The main obligations for manufacturers, importers, and distributors — including conformity assessment and CE marking — apply from December 11, 2027.

Who is affected by the CRA?

The CRA applies to manufacturers, importers, and distributors of products with digital elements placed on the EU market. This includes IoT devices, software applications, operating systems, network equipment, smart home devices, industrial control systems, mobile apps, and cloud service components. Open-source software stewards have specific but lighter obligations.

How is the CRA different from NIS2?

NIS2 focuses on the cybersecurity of organisations — essential and important entities in 18 sectors must implement security measures. The CRA focuses on the cybersecurity of products — manufacturers must build security into their products before placing them on the EU market. Both regulations are complementary: NIS2 secures the operators, CRA secures the products they use.

How does SiteGuardian help with CRA compliance?

SiteGuardian continuously monitors the technical security properties required by the CRA: HTTPS/TLS enforcement, deprecated protocol detection, weak cipher identification, certificate expiry monitoring, security.txt for vulnerability disclosure, encryption in transit, and security header validation. All findings are mapped to CRA articles and Annex I requirements, giving you a clear compliance overview.