
As highlighted in our article, “The CRA as the Cornerstone of the EU Cybersecurity Ecosystem”, the Cyber Resilience Act primarily aims to secure Europe's digital sovereignty and boost the cyber-resilience of European companies. The regulation establishes a comprehensive framework to ensure products with digital elements meet essential security requirements throughout their lifecycle. The CRA pursues two fundamental objectives. First, it enhances the cybersecurity of products with digital elements by establishing horizontal requirements for hardware and software sold in the EU market. Second, it creates conditions enabling users to make informed choices by requiring transparent information about security features. Furthermore, the CRA promotes responsibility by holding manufacturers accountable for identifying and correcting security risks. This approach reinforces consumer trust and increases market incentives for secure product development.
The regulation applies to a broad category known as "products with digital elements." This is defined as any software or hardware product (and its remote data processing solutions) that connects directly or indirectly to a device or network. In practical terms, the CRA covers a wide variety of items we use daily:
Consumer devices: Smart home products, connected toys, wearables, and IoT devices.
Network equipment: Routers, modems, switches, and VPNs.
Security products: Password managers, malware removal tools, and firewalls.
Computing components: Microprocessors, microcontrollers, and operating systems.
As explained in our article, “Beyond 2025: Why RED is the Blueprint for CRA Success”, a significant portion of these products, especially wireless devices, are already subject to strict cybersecurity regulations through the Radio Equipment Directive (RED). Since the requirements of RED and CRA are strategically aligned, preparing for the 2025 RED-DA deadline is not merely a transitional task, but a cornerstone of CRA compliance as well.
The CRA does not apply a "one-size-fits-all" approach. Instead, it categorizes products by risk level to ensure that security obligations are proportionate to the potential impact of a vulnerability. The regulation specifically identifies "important" and "critical" products, which are subject to much stricter obligations than standard consumer software. These categories are formally defined in the regulation’s technical annexes:
Default Products (Uncritical): This includes the vast majority of digital products (around 90%), which are subject to standard security requirements and often rely on manufacturer self-assessment.
Important Products (Annex III): Split into Class I and Class II, these include products that perform vital security functions, such as browsers, password managers, and network interfaces.
Critical Products (Annex IV): This category is reserved for high-risk components like hardware security modules (HSMs) and smartcards, requiring the highest level of scrutiny.
By referencing Annex III and Annex IV, manufacturers can pinpoint exactly where their product stands and determine whether they must undergo a mandatory third-party assessment.
Pro Tip: As the digital landscape evolves, the European Commission has the power to update the lists in Annex III and Annex IV. Manufacturers should regularly review these annexes and keep track of the upcoming reporting obligations starting 11 September 2026 to ensure their product’s classification remains compliant as new delegated acts are adopted.
The CRA places compliance obligations on all economic operators in the digital product supply chain:
Manufacturers bear the heaviest responsibilities, including conducting cybersecurity risk assessments, implementing essential security requirements, preparing technical documentation, affixing CE marking, and maintaining products throughout their support period.
Importers must verify manufacturers' compliance with CRA requirements before placing products on the EU market. This includes checking that appropriate conformity assessments have been completed and technical documentation is available.
Distributors must act with due care, verifying CE marking and proper documentation. Upon becoming aware of vulnerabilities, they must immediately inform manufacturers and, if necessary, market surveillance authorities.

The European Union Cybersecurity Certification scheme (EUCC), drafted by ENISA (European Union Agency for Cybersecurity), is a monumental leap forward in certifying Information and Communication Technology (ICT) products at the EU level.
Conceived under the EU Cybersecurity Act, enacted in 2019, this groundbreaking scheme is designed to revolutionize the cybersecurity certification process for a wide spectrum of ICT products, covering hardware, software, and services. The overarching goal is to establish a comprehensive and unified framework that enhances cybersecurity standards, creates a safer digital environment for consumers, and fosters smoother trade across the European Union.
For a more detailed overview of the EUCC framework, refer to our blog post “EUCC: A New Cybersecurity Scheme for Evaluating and Certifying Products in Europe.”
The CRA operates as a horizontal regulation applying to all products with digital elements in the EU market, whereas EUCC functions as a voluntary certification scheme based on Common Criteria. Similarly, the CRA categorizes products into "important" and "critical" classifications subject to stricter obligations, while EUCC applies its own "substantial" and "high" assurance levels for security certification.
Both frameworks address vulnerability management, patch deployment, and security assessments. In essence, many EUCC security functional requirements align naturally with CRA's essential cybersecurity requirements, creating a foundation for compatibility between the two systems.
Despite overlapping goals, the CRA is legally binding with potential penalties, whereas EUCC remains voluntary. The CRA mandates conformity assessment processes that vary based on product criticality, and EUCC certification offers one pathway toward demonstrating this conformity.
EUCC certification establishes a "presumption of conformity" with CRA requirements. To test this interplay in practice, ENISA launched pilot projects aiming to:
Validate technical mappings between CRA essential security requirements and EUCC security functions
Identify gaps requiring additional compliance methods
Develop recommendations for manufacturers seeking CRA compliance through EUCC certification
For manufacturers facing CRA implementation, multiple compliance pathways exist to demonstrate product conformity.
Manufacturers of critical products can leverage EUCC certification at the substantial level to demonstrate CRA compliance. The EUCC scheme's security functional requirements (SFRs) and security assurance requirements (SARs) align with many CRA requirements, creating a valuable compliance pathway. Through established equivalence between frameworks, EUCC certification can provide presumption of conformity with essential CRA requirements.
Products complying with harmonized standards automatically benefit from presumption of conformity with CRA essential requirements. The European Commission has adopted standardization request M/606, encompassing 41 standards supporting CRA implementation. This systematic alignment further illustrates why we consider RED as the blueprint for CRA success; the technical groundwork and standardization efforts currently securing wireless devices are directly paving the way for these broader CRA norms. These include both horizontal standards (providing common frameworks) and vertical standards (offering product-specific guidance).
Choosing the right compliance pathway is critical for market access. For a comprehensive overview of the conformity procedures and technical documentation required under the CRA, refer to our EU Cyber Resilience Act Infographics.
Key deadlines include:
11 September 2026: Reporting obligations for actively exploited vulnerabilities and severe incidents become effective
11 December 2026: Member States must ensure sufficient notified bodies for conformity assessment
11 December 2027: Full application of CRA requirements
As European cybersecurity regulations continue to evolve, organizations now face critical deadlines for CRA compliance. September 2026 marks the start of mandatory vulnerability reporting, followed by full implementation in December 2027. Companies preparing today rather than waiting until the last minute will gain significant competitive advantages while strengthening their overall security posture.
The relationship between CRA and EUCC creates both challenges and opportunities for manufacturers. Although these frameworks differ in scope and enforcement (the CRA is mandatory while EUCC remains voluntary), they share fundamental cybersecurity objectives. Therefore, organizations can strategically use EUCC certification as a viable pathway toward demonstrating CRA conformity, particularly for critical products requiring third-party assessment.
Regardless of which compliance pathway organizations choose, certain actions deserve immediate attention. First, manufacturers should categorize their products according to CRA risk classifications. Subsequently, they must develop robust vulnerability management processes to meet the 24-hour notification requirements for actively exploited vulnerabilities. Additionally, examining applicable harmonized standards will provide clearer direction for implementation strategies.
The convergence of these regulatory frameworks ultimately serves a greater purpose, creating a more secure digital ecosystem throughout Europe. By establishing consistent cybersecurity requirements and certification pathways, both CRA and EUCC work together to protect consumers, strengthen market confidence, and raise the security baseline for all products with digital elements. Businesses that embrace these requirements now will undoubtedly find themselves better positioned for success in tomorrow's increasingly regulated digital marketplace.
As an accredited cybersecurity laboratory with extensive experience in the evaluation of digital products and security standards, QIMA CCLab provides comprehensive support to manufacturers preparing for CRA compliance.
Our services include:
CRA Gap Analysis – assessing the current state of product cybersecurity compared to CRA standards.
Conformity Assessment Support – guiding manufacturers through Module A documentation, internal controls, and lifecycle processes.
Testing and Consulting Based on hEN Development – aligning security practices with emerging standards from CEN/CENELEC/ETSI.
Lifecycle and Vulnerability Management Assessment – evaluating patching processes, incident response workflows, and secure update mechanisms.
Training and Capacity Building – helping teams understand CRA requirements and integrate them into secure design and development workflows.
QIMA CCLab acts not only as a testing laboratory but also as a strategic partner, supporting companies from early design stages through final evaluation, enabling them to create secure, compliant, and resilient products.
Ready to start your compliance journey? Explore our full range of CRA Compliance Services or contact our experts today for a personalized consultation.
What is the EUCC?
EUCC is the European Union Cybersecurity Certification Scheme based on Common Criteria. Developed under the EU Cybersecurity Act, it provides an EU-wide CC-based certification framework. Once fully operational, the EUCC will harmonize and replace certain national arrangements within the EU, offering a standardized recognition path for CC-based evaluations across all EU Member States.
What is “Module A” and how does it relate to the CRA?
“Module A” refers to the Internal Production Control conformity assessment procedure. Under the CRA, it allows manufacturers to self-declare conformity if they fully implement relevant harmonised standards. Manufacturers using Module A must implement internal processes ensuring their product meets all essential cybersecurity requirements, then issue an EU Declaration of Conformity, taking full legal responsibility.
Can all products achieve full Presumption of Conformity (PoC) under Module A?
No. Under the CRA, only Class I products listed in Annex III (“important products with digital elements”) can achieve full PoC by applying harmonised standards. For other product classes, only partial PoC will be possible.
Important note: No harmonised standards have yet been published under the CRA. Therefore, full Presumption of Conformity is currently impossible, and manufacturers must rely on alternative assessment methods until standards are finalised.