Skip to content
Vectel
Support/Compliance and regulations

We build software or smart devices, does the Cyber Resilience Act hit us?

The Cyber Resilience Act (CRA) is EU product law for products with digital elements. It targets manufacturers, importers and distributors of hardware and software, with phased obligations.

Try this first

  1. 1Determine if your product is in CRA scope. Software you place on the market commercially and hardware with digital elements typically fall within it.
  2. 2Build a security-by-design dossier: threat analysis, vulnerability handling, secure update mechanism, and an SBOM for your components.
  3. 3Set up a coordinated vulnerability disclosure process with a clear contact channel and an internal SLA for follow-up.
  4. 4Plan product security across the product lifetime. Deliver updates during the support window and clearly inform users when support ends.
  5. 5Track the official timeline via the European Commission. CRA entered into force in December 2024; reporting duty for actively exploited vulnerabilities applies from 11 September 2026, full application from 11 December 2027.

When to bring us in

Security and critical products carry stricter requirements. If yours is one, get a specialist to run the conformity assessment.

See also

None of the above fits?

Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.

Who are you?

For the AI question we need your email and company, so we can follow up if the AI gets stuck, and to prevent abuse.

Limited to 2 questions per hour and 5 per day, kept lean so the AI stays useful. For more, contacting us directly works better for you and us.

Or skip the DIY entirely

Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.

Bring us inHow Managed IT works