Understand your EU Cyber Resilience Act obligations
Free, traceable guidance for manufacturers, importers, and distributors placing products with digital elements on the EU market. Every claim cites the regulation.
Start with your role
The CRA assigns different obligations depending on your position in the supply chain.
Manufacturer
You design, develop, or produce products with digital elements placed on the EU market.
Importer
You place products from non-EU manufacturers on the EU market under your own name.
Distributor
You make products with digital elements available on the EU market without altering them.
Open-source steward
You systematically provide free/open-source software intended for commercial use.
Regulatory deadlines
Art. 14 vulnerability reporting & notification
Conformity assessment body notification obligations
Full regulation applies to all in-scope products
Traceable. Independent.
Every obligation, classification, and scenario on this site traces back to the regulation text or official guidance. No vendor sponsors influence how we interpret the law.
Article-level citations
Every obligation links to the exact regulation article. No unverified summaries.
Confidence badges
Content is tagged Binding, Draft guidance, or Interpretive — so you know what is law.
Legal + tech review
Obligation pages require sign-off from a named legal reviewer and a named technical reviewer.