EU Regulation 2024/2847 — Cyber Resilience Act. OneComply supports product-security evidence for products with digital elements, from SBOM management and vulnerability handling to conformity-assessment preparation and ENISA reporting workflows.
The Cyber Resilience Act (EU 2024/2847) is the EU's landmark regulation establishing horizontal cybersecurity requirements for products with digital elements. It applies to all hardware and software products placed on the EU market, from IoT devices to enterprise software.
The CRA requires manufacturers to implement security by design, maintain a Software Bill of Materials (SBOM), handle vulnerabilities throughout the product lifecycle, and report actively exploited vulnerabilities to ENISA within 24 hours.
Products are classified as Default, Class I (Important), or Class II (Critical) based on their risk profile. The CRA entered into force on 10 December 2024, with most obligations applying from 11 December 2027.
Key figures:
- 24h: ENISA report
- 5yr: minimum support
- 3: product classes
Example improvements when SBOM evidence, vulnerability records, and conformity-assessment preparation are connected. Actual timelines depend on customer data quality and review process.
| Workflow | Manual Process | With OneComply | Time Saved |
|---|---|---|---|
| SBOM Generation | 1–2 weeks per product | 5 minutes (auto-scan) | 99% |
| Vulnerability Monitoring | Ongoing manual checks | Real-time automated scanning | 95% |
| ENISA Reporting (24h/72h/14d) | 4–8 hours scramble | 15 minutes (auto-generated) | 95% |
| Conformity Assessment Prep | 2–4 weeks | 2 hours (guided workflow) | 90% |
| Technical Documentation | 3–6 weeks | Guided template drafting | Faster first draft |
| Product Classification | 1–2 days (legal analysis) | Instant (automated engine) | 100% |
Comprehensive CRA coverage across all six compliance areas with 44 pre-mapped controls.
Mapped controls per area: 10, 8, 5, 8, 5, 4.
The CRA mandates strict timelines for reporting actively exploited vulnerabilities and severe incidents to ENISA.
- Early Warning (24 hours): Notify ENISA of any actively exploited vulnerability or severe security incident within 24 hours of becoming aware of it.
- Follow-up (72 hours): Submit a follow-up notification with updated information on the vulnerability and on the corrective measures taken or planned.
- Final Report (14 days): Submit a final report with a detailed description, severity assessment, root cause analysis, and remediation measures.
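The three reporting stages above, turned into a small deadline tracker that an incident-response team could drop into a playbook. This is an added illustration, not code from the original page or from OneComply's product: the stage names and durations are the ones the page lists, the function names (`reporting_deadlines`, `status_report`, `next_due`) are my own, and the awareness timestamp and submission times are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# The three reporting stages named on the page, each measured from the
# moment the manufacturer becomes aware of the actively exploited
# vulnerability or severe incident. Order matters: stages are due in sequence.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("follow_up", timedelta(hours=72)),
    ("final_report", timedelta(days=14)),
)


def reporting_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """Absolute deadline for each stage, derived from the awareness timestamp."""
    if aware_at.tzinfo is None:
        # A naive timestamp is ambiguous across time zones and DST changes;
        # a 24-hour clock must not drift by an hour because of that.
        raise ValueError("aware_at must be timezone-aware")
    return {name: aware_at + delta for name, delta in STAGES}


def status_report(aware_at: datetime, submissions: dict[str, datetime],
                  now: datetime) -> dict[str, str]:
    """Classify each stage as seen at time `now`.

    submitted: filed on or before the deadline
    late:      filed, but after the deadline
    overdue:   not filed and the deadline has passed
    pending:   not filed and still within the window
    """
    report = {}
    for name, deadline in reporting_deadlines(aware_at).items():
        filed_at = submissions.get(name)
        if filed_at is not None:
            report[name] = "submitted" if filed_at <= deadline else "late"
        else:
            report[name] = "overdue" if now > deadline else "pending"
    return report


def next_due(aware_at: datetime, submissions: dict[str, datetime], now: datetime):
    """Earliest stage still to be filed, with seconds remaining (negative once
    overdue), or None when all three stages have been filed."""
    for name, deadline in reporting_deadlines(aware_at).items():
        if name not in submissions:
            return name, (deadline - now).total_seconds()
    return None


# --- Constructed sample scenario (not real data) -------------------------
SAMPLE_AWARE_AT = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
# Early warning filed 11 hours after awareness; nothing else filed yet.
SAMPLE_SUBMISSIONS = {"early_warning": SAMPLE_AWARE_AT + timedelta(hours=11)}


def sample_now(hours_after_awareness: float) -> datetime:
    """Clock reading for the sample scenario, N hours after awareness."""
    return SAMPLE_AWARE_AT + timedelta(hours=hours_after_awareness)


if __name__ == "__main__":
    for h in (30, 80, 400):
        now = sample_now(h)
        print(f"t+{h}h:", status_report(SAMPLE_AWARE_AT, SAMPLE_SUBMISSIONS, now),
              "next:", next_due(SAMPLE_AWARE_AT, SAMPLE_SUBMISSIONS, now))
```

The timezone check is deliberate: awareness is usually recorded by an on-call engineer in local time, and a naive timestamp can silently shift a 24-hour deadline by an hour across a DST boundary. Storing the awareness time in UTC and deriving all three deadlines from that single value keeps the stages consistent with each other.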
The CRA introduces significant penalties with tiered enforcement based on the type of non-compliance.
- Essential Requirements (€15M / 2.5%): Up to €15 million or 2.5% of total annual worldwide turnover for violations of essential cybersecurity requirements.
- Other Obligations (€10M / 2%): Up to €10 million or 2% of total annual worldwide turnover for other CRA obligation violations.
- Incorrect Information (€5M / 1%): Up to €5 million or 1% of turnover for supplying incorrect, incomplete, or misleading information to authorities.
- Default Products: Products with limited cybersecurity risk. Self-assessment conformity procedure (Module A). Covers ~90% of products.
- Class I — Important: Products with heightened risk: password managers, VPNs, firewalls, microcontrollers. Self-assessment or EU-type examination.
- Class II — Critical: High-criticality products: hardware security modules, smartcards, operating systems. Mandatory third-party conformity assessment.
Key dates and periods:
- 2027: obligations apply
- 5yr+: minimum support period
- 10yr: record retention
The CRA overlaps with NIS2 on vulnerability reporting and with DORA on ICT risk management. OneComply maps reusable evidence from those workflows, but product-specific conformity assessment remains a separate review step.
- ~45% NIS2 overlap
- ~35% DORA overlap
- ~40% ISO 27001 overlap
Get ahead of the CRA timeline with product-security readiness mapping, SBOM evidence, vulnerability handling, and technical-documentation workflows.