What is the Cyber Resilience Act?
Regulation (EU) No 2024/2847, known as the Cyber Resilience Act (CRA), is a European regulation on the cyber resilience of digital products. Adopted on October 23, 2024, and published in the Official Journal of the European Union (OJEU) on November 20, 2024, it establishes a uniform legal framework for digital products placed on the European market.
The CRA primarily concerns three categories of economic operators: manufacturers, importers, and distributors of products with digital elements.
At the national level, an ecosystem around CRA compliance is currently being structured. It revolves around:
- ANSSI,
- Conformity Assessment Bodies (CABs), responsible for conducting the comprehensive product assessment,
- Laboratories, responsible for technical verification.
What are the CRA requirements?
The CRA sets out both essential cybersecurity requirements and conformity assessment procedures.
The main cybersecurity obligations under the regulation focus on:
- Integrating security requirements right from the product design stage (Security by Design approach),
- Vulnerability management throughout the entire product lifecycle,
- Placing products on the market without any known exploitable vulnerabilities,
- Providing and updating the SBOM (Software Bill of Materials), i.e., the inventory of integrated software components.
The CRA also requires conformity assessments for certain critical digital products. These assessments will be carried out by CABs identified in each Member State. In France, these CABs will be accredited by ANSSI, acting as the Supervisory Body.
Upon completion of the assessment process, products compliant with CRA requirements must bear the CE marking.
Classification of digital products based on their criticality
The Cyber Resilience Act classifies digital products (software or hardware) into four categories based on their level of criticality (ranging from smartwatches to cryptographic components). This categorization determines the applicable level of control, from manufacturer self-assessment to mandatory assessment by a third-party conformity body like LSTI.
- Standard products (default category): Self-assessment and declaration of conformity by the manufacturer.
- Class I important products: Self-assessment is possible if harmonized CRA standards have been applied; otherwise, mandatory assessment by a Notified Body.
- Class II important products: Mandatory assessment by a third-party Notified Body.
- Critical products: Mandatory assessment by a third-party Notified Body.
Therefore, certain manufacturers will be strictly required to use bodies notified by ANSSI to assess the CRA compliance of their digital products. Around ten bodies are expected to be notified by ANSSI in France.
More information is available on the ANSSI website.
CRA Compliance: Three key deadlines to know
The CRA will be implemented progressively, following three main milestones.
June 2026: Notification of CABs accredited by ANSSI
Member States must have designated their notifying authority (ANSSI in France) and opened the notification procedure for CABs. In France, ANSSI will publish the list of accredited bodies authorized to conduct CRA conformity assessments in June 2026.
As an ISO 17021 and ISO 17065 accredited body, LSTI has applied to ANSSI to be included in the list of accredited CABs to perform, in partnership with laboratories, CRA conformity assessments for Class II important products and critical products.
September 11, 2026: Mandatory vulnerability notification to ENISA
From this date, manufacturers will be required to notify ENISA (European Union Agency for Cybersecurity) of any actively exploited vulnerability within 24 hours, followed by a comprehensive report within 72 hours, and a final report within 14 days.
December 11, 2027: Full application of the regulation and its obligations
All CRA obligations will come into full force at the end of 2027.
Complementing the Machinery Regulation (EU) 2023/1230, the Cyber Resilience Act helps improve the resistance of digital components in industrial equipment against cyberattacks, thereby strengthening the resilience of industrial production chains.
The CRA imposes enhanced obligations on manufacturers throughout the entire lifecycle of digital products. For buyers, the European regulation will provide better visibility into the security level of digital products. In this regard, it will strengthen trust in the digital supply chain.
Need expert support for your CRA compliance project?