What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for products with digital elements placed on the European market. It applies in full from December 11, 2027.

The CRA applies to manufacturers of products with digital elements — any software or hardware product that can connect to a device or network. This includes:

  • Desktop and mobile applications
  • Server software and SaaS backends
  • IoT devices and firmware
  • Libraries and frameworks (when distributed commercially)
  • CLI tools and developer utilities

| Class | Examples | Assessment |
| --- | --- | --- |
| Default | Most software products | Module A (self-assessment) |
| Important (Class I) | Password managers, VPNs, firewalls | Module A or harmonised standard |
| Important (Class II) | Operating systems, hypervisors, PKI | Third-party assessment (Module H) |
| Critical | Smart meter gateways, hardware security modules | European cybersecurity certification |

Fleet CRA targets Default and Important (Class I) products — those that can use Module A self-assessment.

  1. Design with security in mind — secure by default, minimal attack surface
  2. No known exploitable vulnerabilities at time of placing on market
  3. Provide security updates for the support period (minimum 5 years)
  4. Handle vulnerabilities — intake, triage, fix, notify, report to ENISA
  5. Technical documentation — prove compliance with documented evidence
  6. CE marking — declare conformity via EU Declaration of Conformity

| Date | Milestone |
| --- | --- |
| Dec 2024 | CRA enters into force |
| Sep 2026 | Vulnerability reporting obligations apply |
| Dec 2027 | All obligations apply, CE marking required |

Fleet automates the most labor-intensive parts of CRA compliance:

  • Risk identification: 11 detectors scan code for security patterns mapped to Annex I
  • Evidence generation: Automated and LLM-powered evidence for technical documentation
  • Continuous assessment: CI/CD integration produces timestamped evidence on every commit
  • Gap analysis: Dashboard shows exactly which requirements are met, missing, or failing
  • SBOM/CBOM: Dependency and cryptographic inventory for vulnerability tracking