Your portfolio, ready for the CRA
Add each product once — CRA Cockpit works out its class under Regulation (EU) 2024/2847, the 11 September 2026 reporting sprint, and a full plan through December 2027. Runs entirely in your browser — no account, nothing is uploaded.
Next deadline
of actively exploited vulnerabilities
- 10 Dec 2024CRA entered into force
- 11 Jun 2026Notified-body provisions apply
- 11 Sep 2026Article 14: 24-hour reporting of actively exploited vulnerabilities & severe incidents
- 11 Dec 2027Full application: security-by-design, SBOM, CE marking, support period
Portfolio by CRA class
Products
No products yet
Add your first product to see its CRA class and September 2026 sprint plan.
CRA guide — the short version
The essentials of Regulation (EU) 2024/2847 for product teams. This is a plain-language summary, not legal advice.
What counts as an “actively exploited vulnerability”?
An actively exploited vulnerability is a security flaw in a shipped product that threat actors are currently using in real-world attacks — not a theoretical weakness, a lab proof-of-concept, or a disclosed-but-unweaponised CVE.
The 24-hour clock in Article 14 starts only when you become aware that (a) a vulnerability exists in your product and (b) exploitation in the wild is confirmed — for example via ENISA advisories, CISA’s Known Exploited Vulnerabilities (KEV) catalog, credible threat intelligence, or evidence from your own incident response.
Routine CVE scanning alone does not trigger Article 14. Confirmed in-the-wild exploitation does. That is why your sprint plan includes standing up exploitation monitoring and defining your “awareness” trigger.
Once aware, manufacturers submit an early warning within 24 hours, a vulnerability notification within 72 hours, and a final report within 14 days of a corrective measure being available — to the coordinating CSIRT and ENISA via the single reporting platform. Severe incidents follow a parallel 24 h / 72 h / 1-month track.
Does the CRA apply to B2C, B2B, or both?
Both. The scope test is not who buys the product — it is whether a “product with digital elements” is placed or made available on the EU market. A manufacturer selling exclusively to business customers is fully in scope.
| Scenario | CRA in scope? |
|---|---|
| Software sold or licensed to EU consumers (B2C) | Yes |
| Software sold or licensed to EU businesses (B2B), runs on customer systems | Yes |
| Pure SaaS / cloud service with no downloadable component | Generally no — Recital 10 excludes SaaS as such (NIS2 may apply instead) |
| SaaS with a downloadable agent, app, CLI, or on-premise component | Yes — the downloadable component is the product with digital elements |
| Open-source software with no commercial activity | No — Article 2 exclusion |
| Open-source software with commercial activity (dual licensing, paid support) | Yes |
| Product made outside the EU but made available to EU users | In scope if “made available” on the EU market |
The onboarding wizard asks about downloadable components specifically to flag the SaaS boundary — the most common reason B2B software vendors wrongly assume they are exempt.
What is a “product with digital elements”?
Any software or hardware product — and its remote data processing solutions — whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network. That covers consumer IoT, industrial devices, embedded firmware, desktop and mobile applications, and downloadable components of cloud products.
Out of scope: pure SaaS with no downloadable component (Recital 10), non-commercial open source (Article 2), and products already covered by sectoral rules — medical devices (MDR/IVDR), motor vehicles, civil aviation, marine equipment, and products for national security or defence.
The four CRA classes — and what each one requires
| Class | Examples | Conformity route |
|---|---|---|
| Default | ~90% of products: most apps, IoT devices and firmware without a listed security function | Self-assessment (Module A) |
| Important — Class I | Identity management, browsers, password managers, VPNs, operating systems, routers, smart-home security devices, connected toys, health wearables | Self-assessment only if harmonised standards are fully applied; otherwise third-party assessment |
| Important — Class II | Hypervisors & container runtimes, firewalls, intrusion detection / prevention systems, tamper-resistant microprocessors | Third-party assessment — mandatory |
| Critical | Hardware security modules (security boxes), smart meter gateways, smartcards & secure elements | European cybersecurity certification (EUCC) where mandated |
Mis-classifying a Class I product as Default can expose you to market withdrawal and fines up to €15 million or 2.5% of worldwide annual turnover.
Key dates and the Article 14 reporting clock
- 10 Dec 2024 — CRA entered into force.
- 11 Jun 2026 — provisions on notified bodies apply.
- 11 Sep 2026 — Article 14 applies to all in-scope products, including those shipped earlier: early warning within 24 h, notification within 72 h, final report within 14 days (vulnerabilities) or 1 month (severe incidents).
- 11 Dec 2027 — full application: Annex I essential requirements, SBOM, technical documentation, conformity assessment, CE marking, and a defined support period (normally at least 5 years).
ENISA’s single reporting platform is not yet live — you must still be ready to report from day one, which is why the September sprint focuses on process, people and templates rather than tooling.
Penalties
- Up to €15 M or 2.5% of worldwide annual turnover — breaches of essential requirements or Articles 13/14.
- Up to €10 M or 2% — breaches of other obligations.
- Up to €5 M or 1% — supplying misleading information to authorities.
- Plus corrective orders, restriction, or withdrawal of the product from the EU market.
Sources & disclaimer
- Regulation (EU) 2024/2847 — full text on EUR-Lex
- ENISA — Cyber Resilience Act
- European Commission — CRA policy page
This tool is an educational demo. Classifications and task lists are a plain-language summary of the regulation and do not constitute legal advice — confirm your obligations with qualified counsel.