What is Cyber Resilience Act ?
The Cyber Resilience Act (CRA) is a European regulation that defines cybersecurity requirements for products with digital elements (software, connected hardware, components) sold in the European Union. It requires manufacturers, importers, and distributors to ensure product security throughout their lifecycle. The CRA mandates security by design, vulnerability management, provision of an SBOM (Software Bill of Materials), reporting of actively exploited vulnerabilities within 24 hours, and CE marking for market placement.
Key Points
- Security by design requirements and secure by default configuration
- Mandatory vulnerability management throughout the product support period (minimum 5 years)
- Mandatory SBOM (Software Bill of Materials) for each product
- Reporting of actively exploited vulnerabilities to ENISA within 24 hours
- Classification into default, important (class I and II), and critical products, with different conformity assessment procedures
Why Zaxyr
Zaxyr helps digital product manufacturers track their CRA obligations. The platform automates SBOM management, vulnerability tracking, technical documentation, and CE marking preparation. Mapping to ISO 27001 and NIS2 enables a coherent approach between product security and organizational security.