The European Union's Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for products with digital elements. To assist stakeholders in understanding and complying with the CRA, several supporting documents have been published. Below is a curated list of these documents, along with links for direct access:
- Cyber Resilience Act – Official EU Commission Page
  - Description: Provides an overview of the CRA, its objectives, and its impact on digital products.
  - Resource: Cyber Resilience Act – Shaping Europe's digital future
- European Cyber Resilience Act (CRA) – Regulation (EU) 2024/2847
  - Description: The full text of the regulation detailing the cybersecurity requirements for hardware and software products with digital elements.
  - Resource: Regulation (EU) 2024/2847
- Cyber Resilience Act Requirements Standards Mapping – ENISA
  - Description: A report by the European Union Agency for Cybersecurity (ENISA) mapping the CRA's requirements to existing standards, aiding in compliance efforts.
  - Resource: European Network and Information Security Agency (ENISA)
- Annexes of the Cyber Resilience Act
  - Description: Detailed annexes providing technical specifications and additional requirements under the CRA.
  - Resource: Read the annexes of the Cyber Resilience Act (EU)
- Cyber Resilience Requirements for Manufacturers and Products - German Federal Office for Information Security
  - Description: An official document from the German regulatory agency, currently in draft status as of 13/02/2025, mapping the CRA's directives to specific, actionable requirements. It also offers guidance on how the agencies that will have to assess compliance with the CRA for critical-class products should interpret these requirements.
  - Resource: BSI TR-03183: Cyber Resilience Requirements for Manufacturers and Products
- Open Regulatory Compliance Working Group - FAQ and inventory of standards and resources
  - Description: The ORC-WG is a group sponsored by the Eclipse Foundation, aiming to help actors in the open source ecosystem understand regulatory compliance duties related to the use and stewardship of open source software. It offers a number of useful informational resources:
  - Resource:
    - Main website
    - Cyber Resilience Act Hub on GitHub: FAQ and Inventory of resources and standards
- Open Source Security Foundation Global Cyber Policy Working Group
  - Description: A Linux Foundation-sponsored OpenSSF working group with a number of resources on the CRA. It is primarily focused on open source stewards and compliance, and a bit less on the product development side, but still has a number of useful publications and resources.
  - Resource:
- European Parliament Legislative Resolution on the Cyber Resilience Act
  - Description: The resolution adopted by the European Parliament on 12 March 2024, detailing its position on the CRA.
  - Resource: European Parliament Legislative Resolution
- Council of the European Union Press Release on the Cyber Resilience Act
  - Description: Press release detailing the Council's adoption of the CRA on 10 October 2024.
  - Resource: Council Press Release on Cyber Resilience Act
- European Commission Questions and Answers on the Cyber Resilience Act
  - Description: A Q&A document providing insights into the CRA's provisions and objectives.
  - Resource: Commission Q&A on Cyber Resilience Act
- European Commission Impact Assessment Report on the Cyber Resilience Act
  - Description: An assessment report evaluating the potential impacts of the CRA.
  - Resource: Impact Assessment Report