🇪🇺 EU · Article 64

Cyber Resilience Act.

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. It mandates security by design, vulnerability disclosure within 24 hours, and ongoing security updates throughout the product lifecycle.

Maximum penalty

€15M or 2.5% global turnover

Source: Article 64

Key requirements

Security by design for digital products

24-hour vulnerability disclosure to ENISA

Security updates throughout product lifecycle

Conformity assessment and CE marking


Enforcement examples

Application from 2027

Vulnerability reporting obligations apply from September 2026; full application from 2027


How Tessera automates CRA compliance

24-hour vulnerability disclosure workflow

SBOM generation and tracking

Product security lifecycle monitoring

ENISA reporting automation

CE marking compliance evidence

CRA compliance checklist

Essential steps to achieve and maintain CRA compliance.

1. Classify digital products by risk category
2. Implement security-by-design development processes
3. Establish 24-hour vulnerability disclosure to ENISA


Industries affected

Technology & SaaS

Healthcare
