
Understanding the EU Cyber Resilience Act: What Software Manufacturers Need to Do
This learning path explains how the EU Cyber Resilience Act (CRA) changes the rules for software manufacturers placing products on the EU market. You will learn which products are in scope, what new security, documentation, and reporting duties you face, and how to adapt your development and support processes to comply.
Course Content
12 modules · 3h total
Module 1: Cyber Resilience Act Essentials for Software Manufacturers
Introduces the Cyber Resilience Act, why it was created, and its high-level impact on software manufacturers placing products on the EU market.
Module 2: CRA Timelines and Transition Periods (2024–2027)
Explains when the CRA entered into force, when different obligations start to apply, and what this means for planning software product roadmaps.
Module 3: Scope and Product Classification Under the CRA
Covers which software products are in scope, notable exclusions, and how products are classified by risk level (standard, important, critical).
Module 4: Essential Cybersecurity Requirements for Software Manufacturers
Introduces the core security-by-design and security-by-default requirements that software manufacturers must meet throughout the product lifecycle.
Module 5: Risk Assessment and Lifecycle Security Management
Focuses on the obligation for manufacturers to conduct risk assessments and manage cybersecurity risks at all stages of the software lifecycle.
Module 6: Vulnerability Management and Continuous Monitoring
Details requirements for continuous monitoring of software, handling vulnerabilities (including in third-party and open-source components), and providing security updates.
Module 7: Incident and Vulnerability Reporting to ENISA and CSIRTs
Explains the early reporting obligations, three-stage reporting framework, and strict timelines for notifying ENISA and national CSIRTs about exploited vulnerabilities and severe incidents.
Module 8: Technical Documentation, SBOM, and Transparency Duties
Covers what documentation software manufacturers must maintain, including technical files, risk documentation, and software bill of materials (SBOM), and what must be communicated to users.
Module 9: Conformity Assessment, CE Marking, and Market Access
Explains how software manufacturers demonstrate compliance via conformity assessment, how this differs by product category, and how it links to CE marking and EU market access.
Module 10: Governance, Contracts, and Supply Chain Responsibilities
Looks at how CRA obligations affect internal governance, supplier contracts, and responsibilities when using third-party software or acting as importer/distributor.
Module 11: Enforcement, Penalties, and Risk of Non-Compliance
Summarizes enforcement mechanisms, potential fines, and other regulatory actions if software manufacturers fail to meet CRA requirements.
Module 12: Building a CRA Compliance Roadmap for Software Organizations
Brings everything together into a practical, phased roadmap for software manufacturers to become CRA-ready before early reporting and full applicability dates.
Read the Textbook
Read every chapter for free, right here in your browser.
The **Cyber Resilience Act (CRA)** is a new EU Regulation that sets **cybersecurity requirements for products with digital elements (PDEs)**.
**Current status (late 2024)**
- The CRA was **formally adopted in 2024** as an EU Regulation.
- It will apply after a **transition period** (expected around 2027 for most obligations, with some earlier reporting duties).
- As a Regulation, it is **directly applicable** in all EU Member States (unlike older Directives that needed national implementation).
**Why it was created**
- Software and connected devices often reach the market with **weak security by design**.
- Security updates are inconsistent or stop too early.
- Users (including companies and public bodies) struggle to **assess and compare the security** of digital products.