CRA Compliance Hub
EN中文日本語한국어DEFRESIT繁中NLPL

Documents sources

Toutes les obligations, scénarios et résultats d'outils sur ce site sont traçables à ces sources officielles.

Règlements

TitreCELEX / ELIStatutDate de version
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)

Entered into force 11 December 2024. Full application 11 December 2027. Art. 14 vulnerability reporting applies from 11 September 2026.

32024R2847In force2024-11-20
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2)32022L2555In force2022-12-27
Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR)32016R0679In force2016-05-04
Regulation (EU) 2024/1689 — Artificial Intelligence Act

Crosswalk relevant for AI-containing PDEs classified as high-risk AI systems.

32024R1689In force2024-07-12

Annexes

TitreCELEX / ELIStatutDate de version
CRA Annex I — Essential cybersecurity requirements

Part I: security properties. Part II: vulnerability handling.

32024R2847In force2024-11-20
CRA Annex II — Information and instructions to the user32024R2847In force2024-11-20
CRA Annex III — Important products with digital elements (Class I and Class II)32024R2847In force2024-11-20
CRA Annex IV — Critical products with digital elements32024R2847In force2024-11-20
CRA Annex V — EU Declaration of Conformity32024R2847In force2024-11-20
CRA Annex VI — Conformity assessment procedures

Modules A (internal control), B+C (EU type-examination), H (full quality assurance).

32024R2847In force2024-11-20
CRA Annex VII — Technical documentation32024R2847In force2024-11-20
CRA Annex VIII — Information for conformity assessment bodies32024R2847In force2024-11-20

Orientations de la Commission

TitreCELEX / ELIStatutDate de version
Commission Communication — Guidance on the application of Regulation (EU) 2024/2847 (Cyber Resilience Act)

Ares(2026)2319816. Non-binding draft guidance (~70 pages). Not yet adopted. Content tagged with status: draft-guidance in the rules engine until final adoption. Key sections: §3 commercial activity, §6 product classification, §8 RDPS test, substantial modification framework.

Draft2026-03-01
ENISA — Cyber Resilience Act: Guidance for Manufacturers

ENISA landing page; links to individual guidance documents. Hash-watched daily.

In force
ENISA — Single Reporting Platform for CRA Art. 14 vulnerability and incident reports

Reporting platform information; URL subject to change as platform is built out.

In force
The 'Blue Guide' on the implementation of EU product rules 2022

OJ C 247, 29.6.2022. Defines placing on the market, economic operators, conformity assessment, CE marking; all concepts carried into CRA.

In force2022-06-29

Normes harmonisées

TitreCELEX / ELIStatutDate de version
EN 18031-1 — Common criteria for radio equipment cybersecurity (Part 1: general requirements)

CEN-CENELEC. Harmonised standard under RED; relevant crosswalk to CRA Annex I.

In force
EN 18031-2 — Common criteria for radio equipment cybersecurity (Part 2: internet-connected equipment)In force
EN 18031-3 — Common criteria for radio equipment cybersecurity (Part 3: equipment processing personal data)In force
IEC 62443-4-1 — Security for industrial automation and control systems: Secure product development lifecycle requirements

Relevant to CRA Annex I Part I secure development requirements.

In force2018-01-01
IEC 62443-4-2 — Security for industrial automation and control systems: Technical security requirements for IACS componentsIn force2019-02-01
ETSI EN 303 645 — Cyber Security for Consumer Internet of Things: Baseline Requirements

Baseline IoT security standard; relevant crosswalk to CRA Annex I.

In force2020-06-01

Règlements et actes connexes

TitreCELEX / ELIStatutDate de version
Commission Delegated Regulation (EU) 2022/30 supplementing RED Directive with regard to cybersecurity

Art. 3(3)(d)(e)(f) RED cybersecurity requirements. For some radio products, CRA takes precedence; crosswalk documented in Phase 14.

32022R0030In force2022-01-29
Source documents — Hub Conformité CRA