
Cyber Resilience Act: fines of up to €15M for digital product manufacturers

Equipo Editorial CambiosLegales
25 Mar 2026

Key data

Regulation: Regulation (EU) 2024/2847 — Cyber Resilience Act (CRA)
Corrigendum publication: 25 March 2026
Entry into force: 20 November 2024
Affected parties: Manufacturers, importers and distributors of products with digital elements in the EU
Maximum penalty: €15,000,000 or 2.5% of annual global turnover
Category: European Regulation
Official reference: CELEX:32024R2847R(06)
Key impact: The Cyber Resilience Act requires all manufacturers, importers and distributors of digital products or products with digital components to comply with cybersecurity requirements throughout the entire product lifecycle. Non-compliance may result in fines of up to €15 million or 2.5% of annual global turnover. The corrigendum published in March 2026 does not change these obligations: the regulation has been in force since 20 November 2024.

Manufacturers of IoT devices, software and any product with digital components operating in the EU have been subject to Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), since 20 November 2024. The corrigendum published on 25 March 2026 corrects technical and translation errors in the original text, but does not modify any substantive obligations. If your company manufactures, imports or distributes digital products and has not yet begun the adaptation process, the risk of sanctions is real and immediate.

€15,000,000: maximum fine for non-compliance
2.5%: of annual global turnover (if exceeding €15M)
20/11/2024: CRA entry into force date

What does this regulation establish?

The Cyber Resilience Act establishes horizontal cybersecurity requirements for all products with digital elements placed on the market in the European Union. The term "horizontal" means it applies regardless of sector: it is not a regulation for telecommunications or banking, but for any company that places a product with digital components on the market.

The three main obligations imposed by the regulation are:

  • Vulnerability management: Companies must identify, document and remediate security vulnerabilities throughout the entire product lifecycle, not only at the time of launch.
  • Technical documentation: It is mandatory to maintain complete technical documentation demonstrating compliance with cybersecurity requirements.
  • CE cybersecurity marking: Products must obtain and display the CE marking certifying their conformity with the security standards required by the CRA.

The regulation also amends Regulations (EU) No 168/2013 and (EU) 2019/1020, as well as Directive (EU) 2020/1828, adapting the existing regulatory framework to the new cybersecurity requirements.

The corrigendum published on 25 March 2026 (CELEX:32024R2847R(06)) is limited to correcting technical or translation errors identified in the original text. It does not introduce any changes to obligations, deadlines or penalties. Its practical relevance is that it consolidates the official text and eliminates possible interpretive ambiguities arising from formal errors.

Economic and operational impact

The economic impact of the CRA has two dimensions: the cost of adaptation and the cost of non-compliance.

Cost of non-compliance: Penalties can reach €15 million or 2.5% of annual global turnover, whichever is higher. For a company with €200 million in global turnover, 2.5% amounts to €5 million. For a company with €800 million in turnover, 2.5% already exceeds the €15 million reference figure.

Operational cost of adaptation: Companies must invest in three main areas:

  • Implementation of continuous vulnerability management processes (this is not a one-off audit, but a permanent system).
  • Preparation and maintenance of cybersecurity technical documentation for each product.
  • Certification process to obtain the CE cybersecurity marking.

The operational impact is particularly significant for companies managing large portfolios of digital products, as each product requires its own compliance and documentation process.

Who is affected?

The Cyber Resilience Act affects all companies participating in the value chain of products with digital elements placed on the market in the EU:

  • Manufacturers of IoT devices (connected home appliances, industrial devices, wearables, medical equipment with connectivity, etc.).
  • Manufacturers of software marketed as a product (applications, operating systems, firmware, video games).
  • Importers who introduce into the European market digital products manufactured outside the EU.
  • Distributors who make available on the European market products with digital elements.

The regulation applies regardless of company size. There is no general exemption for SMEs, although the regulation may provide for specific conditions depending on the product category.

Practical example

A Spanish company that manufactures and distributes smart locks with WiFi connectivity for the European market is directly affected by the CRA since 20 November 2024.

Its specific obligations are:

  • Establishing an internal process to detect and remediate security vulnerabilities in the firmware of its locks throughout the entire useful life of the product, not only at the time of launch.
  • Preparing and keeping up to date the cybersecurity technical documentation for each marketed model.
  • Obtaining the CE cybersecurity marking before placing new models on the market or updating existing ones.

If this company has a global turnover of €60 million and does not comply with the CRA, the maximum applicable penalty would be €1.5 million (2.5% of €60M), since this figure is lower than the absolute ceiling of €15 million. If its turnover were €700 million, 2.5% would amount to €17.5 million, but the penalty would be capped at the ceiling of €15 million.


What should companies do now?

  1. Audit the product catalogue: Identify all products with digital elements that the company manufactures, imports or distributes in the EU to determine the scope of the obligation.
  2. Assess the current level of compliance: Review whether vulnerability management processes exist and whether cybersecurity technical documentation is available and up to date for each product.
  3. Initiate the CE cybersecurity marking process: Contact the relevant notified body to begin certification of products that do not yet have it.
  4. Implement a continuous vulnerability management system: A one-off review is not sufficient. The CRA requires a permanent process throughout the entire product lifecycle.
  5. Review contracts with suppliers and distributors: The CRA obligations affect the entire chain. It is necessary to verify that contractual agreements cover the responsibilities of each party with regard to cybersecurity.
  6. Review the consolidated text following the corrigendum: The correction published on 25 March 2026 may have clarified aspects of the text that affect the interpretation of specific obligations. Review the updated text with the legal team.

Frequently asked questions

How much can companies be fined for non-compliance with the Cyber Resilience Act?

Penalties for non-compliance with the Cyber Resilience Act can reach €15 million or 2.5% of the company's annual global turnover, whichever is higher.

Which products are required to comply with the Cyber Resilience Act?

All products with digital elements placed on the market in the EU: from IoT devices to software. It affects manufacturers, importers and distributors regardless of sector or company size.

When does the Cyber Resilience Act enter into force?

Regulation (EU) 2024/2847 entered into force on 20 November 2024. The corrigendum correcting technical errors in the text was published on 25 March 2026, but does not modify the date of application or the obligations.

What specific obligations does the Cyber Resilience Act impose on companies?

Companies must fulfil three main obligations: active vulnerability management throughout the entire product lifecycle, preparation of complete technical documentation, and obtaining the CE cybersecurity marking.

What does the March 2026 corrigendum change with respect to the original CRA text?

The corrigendum published on 25 March 2026 corrects only technical or translation errors in the original text. It does not alter the substantive content or the obligations of Regulation (EU) 2024/2847.

Official source

View the full regulation at the official source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=CELEX:32024R2847R(06)

Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, please consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=CELEX:32024R2847R(06)
