Does the Cyber Resilience Act (CRA) apply to your product?

A simple 5-step self-check

This quick check is designed to help you understand whether the EU Cyber Resilience Act (CRA) is likely to apply to your product.

Step 1 – Does your product contain software or firmware?

Step 2 – Can your product communicate with anything else?

Step 3 – Can that communication affect behaviour or configuration?

Step 5 – Can you update or support the product after shipment?

Have you answered mostly “YES?” then CRA almost certainly applies.
You should assess applicable requirements and plan accordingly.

A final, important note – The CRA is risk-based, not technology-based.

You don’t comply by ticking boxes.
You comply by understanding:

– What your product does
– How it communicates
– What could realistically go wrong
– How you’ve designed to manage that risk

If you’re unsure how to interpret the requirements, standards such as EN 18031-1 exist to help translate CRA into engineering decisions.

We’ve put together a plain-English guide for teams who don’t want to wade through standards documents.