The EU CRA, in plain English.

The Cyber Resilience Act, Regulation (EU) 2024/2847, is the law that makes a software bill of materials (SBOM) a legal obligation for manufacturers of products with digital elements placed on the EU market. This page is what a founder, compliance lead, or engineering manager has to know. It is not legal advice; for that you want qualified counsel. It is, however, accurate as of the date below.

The dates you can't move

  1. CRA enters into force

    Regulation (EU) 2024/2847 was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024. Every other date below counts from there.

  2. Conformity assessment bodies operational

    11 June 2026: the rules on notified bodies (Chapter IV) apply, so conformity assessment bodies can be designated to assess the product categories that need third-party assessment.

  3. Mandatory reporting begins

    11 September 2026: the Article 14 reporting obligations apply. An actively exploited vulnerability must be notified within 24 hours of becoming aware of it, through the single reporting platform to the coordinator CSIRT and ENISA. This applies to products already on the market as well (Article 69(3)), not only to products placed after full application. Without a current SBOM you cannot tell, inside that window, whether the exploited component is in your product.

  4. Full CRA enforcement

    11 December 2027: the Regulation applies in full. Every product with digital elements placed on the EU market from that date must meet the Annex I essential requirements, including an SBOM in its technical documentation.

Who it applies to

The CRA applies to manufacturers, importers, and distributors of "products with digital elements" placed on the EU market, regardless of company size or revenue. There is no SME exemption. There is no "but my product is small" exemption. What is outside scope: services (SaaS) except for the remote data processing a product depends on, and open-source software that is not supplied in the course of a commercial activity.

  • IoT device makers (smart home, industrial, wearables)
  • Industrial / OT equipment with embedded software
  • Software publishers selling commercial software in the EU
  • Non-EU companies (incl. US) selling into the EU market
  • Importers, distributors, and brands re-selling under their name

Some product categories are excluded from the CRA because they already have sectoral rules (medical devices under the MDR and IVDR, motor vehicles under the type-approval framework, civil aviation, etc.). crawin focuses on the general CRA scope. For sectoral overlaps, talk to a specialist.

What you have to produce

Machine-readable SBOM
A commonly used, machine-readable format; the Regulation names none, and CycloneDX and SPDX are the usual choices. Annex I requires it to cover at least the top-level dependencies, each with name, version, and supplier. Vulnerability data (VEX, advisories) sits alongside the SBOM rather than inside it. The Commission may fix format and content by implementing act.
Continuous updates
The SBOM must be kept current as the product changes through its support period: it describes what ships now, not what shipped at release.
On-request availability
Part of the technical documentation, available to market surveillance authorities on request. It does not have to be public.
24-hour early warning
For an actively exploited vulnerability, an early warning within 24 hours of becoming aware, filed through the single reporting platform to the coordinator CSIRT and ENISA.
72-hour follow-up
A vulnerability notification within 72 hours of awareness: what is affected, the nature of the exploit and the vulnerability, and any corrective or mitigating measures taken.
Final report
A final report no later than 14 days after a corrective or mitigating measure is available. Severe incidents affecting the product's security run a parallel clock: 24 hours, 72 hours, and a final report within one month.
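The SBOM content and the reporting clock above are easiest to see in code. The block below is an added illustration, not crawin's code and not a form the Regulation prescribes: the product, its components, the package URLs, and the exploited-vulnerability feed are constructed for the example, and the field check uses the three fields listed above.

```python
"""Minimal CycloneDX SBOM, a field check, an exploited-vulnerability match,
and the Article 14 clock. Added example; all product and feed data below is
constructed, not real CVE or KEV content."""
import json
from datetime import datetime, timedelta

# Constructed example product with two top-level dependencies. The purl
# (package URL) is the key used to match components against feeds.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {
            "type": "firmware",
            "name": "example-gateway-fw",
            "version": "3.2.0",
            "supplier": {"name": "Example Devices GmbH"},
        }
    },
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13",
         "supplier": {"name": "OpenSSL Software Foundation"},
         "purl": "pkg:generic/openssl@3.0.13"},
        # No supplier on purpose: sbom_gaps() should flag it.
        {"type": "library", "name": "zlib", "version": "1.3.1",
         "purl": "pkg:generic/zlib@1.3.1"},
    ],
}

REQUIRED_FIELDS = ("name", "version", "supplier")


def sbom_gaps(sbom):
    """Components missing any of the per-component fields listed on this page."""
    gaps = []
    for comp in sbom["components"]:
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            gaps.append((comp["name"], missing))
    return gaps


# Constructed feed in the shape of a KEV-style list: versionless purl plus
# the first fixed version. The identifiers are placeholders, not real CVEs.
EXPLOITED_FEED = [
    {"id": "EXAMPLE-0001", "purl": "pkg:generic/openssl", "fixed_in": "3.0.14"},
    {"id": "EXAMPLE-0002", "purl": "pkg:generic/libcurl", "fixed_in": "8.8.0"},
]


def parse_version(v):
    """Dotted numeric versions only; enough for the constructed data."""
    return tuple(int(part) for part in v.split("."))


def match_exploited(sbom, feed):
    """Components whose purl name is in the feed and whose shipped version
    is older than the fixed version. A hit is the moment of awareness."""
    hits = []
    for comp in sbom["components"]:
        base = comp.get("purl", "").split("@")[0]
        for entry in feed:
            if entry["purl"] == base and \
                    parse_version(comp["version"]) < parse_version(entry["fixed_in"]):
                hits.append((entry["id"], comp["name"], comp["version"]))
    return hits


def article14_deadlines(aware_at_iso, fix_available_iso=None):
    """Article 14 clock for an actively exploited vulnerability, as ISO strings:
    early warning 24h and vulnerability notification 72h after awareness;
    final report 14 days after a corrective or mitigating measure is available."""
    aware = datetime.fromisoformat(aware_at_iso)
    out = {
        "early_warning": (aware + timedelta(hours=24)).isoformat(),
        "vulnerability_notification": (aware + timedelta(hours=72)).isoformat(),
    }
    if fix_available_iso is not None:
        fix = datetime.fromisoformat(fix_available_iso)
        out["final_report"] = (fix + timedelta(days=14)).isoformat()
    return out


if __name__ == "__main__":
    print(json.dumps(SBOM, indent=2))
    print("gaps:", sbom_gaps(SBOM))
    print("exploited:", match_exploited(SBOM, EXPLOITED_FEED))
    print(article14_deadlines("2026-09-14T09:00:00+00:00", "2026-09-20T00:00:00+00:00"))
```

Matching on the purl name and comparing the shipped version against the fixed version is the step that turns a feed entry into "awareness", which is when the 24-hour clock starts; that is why the SBOM has to carry exact versions rather than "openssl 3.x".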

What happens if you don't

Fines for breaching the Annex I essential requirements or the Article 13 and 14 obligations reach up to €15 million or 2.5% of worldwide annual turnover, whichever is higher. Other infringements top out at €10 million or 2% of turnover. Beyond fines, market surveillance authorities can order withdrawal or recall and restrict or prohibit making the product available on the market.

How crawin fits

crawin generates the machine-readable SBOM, keeps it current as your product changes, watches every component for new CVEs against NVD + ENISA's EUVD + CISA KEV, and pre-fills the ENISA Article 14 notification template the moment a CVE matches your bill of materials. The compliance lead signs and submits; the engineer keeps writing code.

Get crawin in your team before Sept 11, 2026

We open access in waves, starting with EU manufacturers facing the 11 September 2026 reporting deadline. Drop your email below and we email you when your wave opens.

Primary sources