⚡ EU Cyber Resilience Act

Achieve EU Cyber Resilience Act Compliance with Confidence

September 2026 vulnerability reporting deadline is 67 days away. Interlynk automates the SBOM, vulnerability management, and documentation requirements you need
NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026

000DAYS
00HOURS
00MINUTES

until 24-hour reporting obligations take effect

NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026

000DAYS
00HOURS
00MINUTES

until 24-hour reporting obligations take effect

NEXT CRA DEADLINE

Mandatory Vulnerability Reporting

Begins September 11, 2026

000DAYS
00HOURS
00MINUTES

until 24-hour reporting obligations take effect

IN SHORT

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the European Union law that makes a software bill of materials mandatory.

If you sell a product with digital elements into the EU, you have to produce a machine-readable SBOM, keep it updated, and hand it over whenever a market surveillance authority asks for it.

Two dates matter. Vulnerability reporting starts on 11 September 2026, and the rest of the obligations, SBOM included, apply from 11 December 2027. The law only requires your top-level dependencies. But that's the same gap that let Log4Shell slip through.

What is the Cyber Resilience Act?

The EU Cyber Resilience Act (CRA) is the first horizontal EU regulation imposing mandatory cybersecurity requirements on hardware and software products with digital elements. It mandates secure-by-design principles, vulnerability handling, and lifecycle transparency for any product sold in the EU market — regardless of where the manufacturer is based.

EURO 15M

Maximum fines for non-compliance
Maximum fines for non compliance

24 Hours

Vulnerability reporting window
Vulnerability reporting window

10 Years

SBOM retention
requirement
SBOM retention
requirement

90%

Products eligible for self-assessment
Products eligible for self-assessment

CRA Compliance Timeline

Who Does the CRA Affect?

Manufacturers

Anyone who develops, manufactures, or has products with digital elements designed and developed under their name or trademark.

Importers

Entities established in the EU that place a product with digital elements bearing a third-country manufacturer's name on the EU market.

Distributors

Any party in the supply chain — other than the manufacturer or importer — who makes a product with digital elements available in the EU market.

Note: An importer or distributor becomes a manufacturer if they place a product under their own name or substantially modify it.

Note: An importer or distributor becomes a manufacturer if they place a product under their

own name or substantially modify it.

Product Classification Under CRA

Default (~90%)

Smart speakers, hard drives, photo editing software
Smart speakers, hard drives, photo editing software

Important Class I

Password managers, antivirus, VPNs, network interfaces
Password managers, antivirus, VPNs, network interfaces

Important Class II

Firewalls, IDS/IPS, hypervisors, container runtimes
Firewalls, IDS/IPS, hypervisors, container runtimes

Critical

Hardware security modules, smart meter gateways, smartcards
Hardware security modules, smart meter gateways, smartcards

SBOM Requirements Under CRA

The Cyber Resilience Act mandates comprehensive Software Bill of Materials documentation. The obligation is set out in Article 13(1)(h) together with Annex I, Part II, point (1) of Regulation (EU) 2024/2847.

Here are the key requirements you need to meet:
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
☑️ Machine-readable SBOM format (CycloneDX or SPDX)
☑️ Include all top-level dependencies
☑️ Accurate version numbers for all components
☑️ Unique identifiers for each component
☑️ 10-year retention requirement for documentation
☑️ Regular updates when components change
☑️ Secure sharing mechanisms with authorized parties
☑️ Integration with vulnerability monitoring systems
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:...",
"version": 1,
"metadata": {
"timestamp": "2026-01-15T10:00:00Z",
"tools": [{
"vendor": "Interlynk",
"name": "SBOM Generator"
}]
},
"components": [
{
"type": "library",
"name": "example-lib",
"version": "2.1.0",
"purl": "pkg:npm/example-lib@2.1.0"
}
]
}

Vulnerability Reporting Obligations

The CRA introduces strict timelines for reporting actively exploited vulnerabilities and severe incidents to ENISA and your CSIRT.

24h

Early warning notification

72 hrs

Full vulnerability notification

14 days

Final report after correction

1 month

Severe incident report

Reports must be submitted via the CRA Single Reporting Platform managed by ENISA, with simultaneous notification to your national CSIRT.

Reports must be submitted via the CRA Single Reporting Platform managed by ENISA, with simultaneous notification to your national CSIRT.

NEW • FREE RESOURCE

Choosing an SBOM platform for the CRA?

Choosing an SBOM platform for the CRA?

Use our free evaluation rubric to find the one that fits your needs.

Preview of the SBOM Platform Evaluation Scorecard rubric
A demo and a sales pitch won’t tell you whether an SBOM platform holds up under the CRA. So we built this rubric. It’s a vendor-neutral way to test any platform, including your own, against what the CRA and BSI TR-03183-2 require. There are 66 checks across seven areas, each tied to a specific CRA or BSI requirement, and the summary tab does the math. By the end you can see where each tool is strong and where it falls short. Critical items are flagged, so a dealbreaker can’t slip past.

Generation

Content & Quality

Lifecycle

Vuln & VEX

Format

Integration

Beyond CRA

Get the rubric

Tell us where to send it and we’ll email it over.

How Interlynk Helps?

We map every CRA requirement to a concrete platform capability — so you can demonstrate compliance, not just claim it.
CRA Requirement
Interlynk Capability
SBOM creation & maintenance
Automated SBOM Management
Vulnerability identification
Continuous vulnerability monitoring
Dependency tracking
Open Source Management
Security update management
Supplier monitoring
Technical documentation
SBOM export in CycloneDX / SPDX
10-year retention
SBOM lifecycle management
CRA Requirement
Interlynk Capability
SBOM creation & maintenance
Automated SBOM Management
Vulnerability identification
Continuous vulnerability monitoring
Dependency tracking
Open Source Management
Security update management
Supplier monitoring
Technical documentation
SBOM export in CycloneDX / SPDX
10-year retention
SBOM lifecycle management

FAQs

More questions? Contact us now.

The CRA is an EU regulation establishing mandatory cybersecurity requirements for products with digital elements sold in the European Union. It covers hardware and software, requiring secure-by-design development, vulnerability handling, and ongoing security updates throughout the product lifecycle.

The CRA entered into force in December 2024. Vulnerability reporting obligations begin in September 2026, and full application of all requirements starts in December 2027.

Pure SaaS is generally outside the CRA's direct scope, but software components and remote data processing solutions intended to support a product with digital elements are covered. The line is nuanced and depends on whether the software is integral to the product's function.

The CRA requires SBOMs in a commonly used machine-readable format. CycloneDX and SPDX are the two industry-standard formats that meet this requirement and are supported by Interlynk out of the box.

Non-commercial open-source software is exempt. However, open-source components integrated into commercial products are not — manufacturers remain responsible for the security of all components they ship, including open-source dependencies.

Penalties can reach up to €15 million or 2.5% of global annual turnover, whichever is higher, for the most serious violations. Lesser breaches carry lower but still substantial fines.

NIS2 targets operators of essential and important services, focusing on organizational cybersecurity. The CRA targets products themselves, regulating manufacturers of hardware and software placed on the EU market.

Yes. Any company — regardless of headquarters location — that places products with digital elements on the EU market must comply with the CRA. Non-EU manufacturers typically appoint an EU-based authorized representative.

Trusted by 100+ Organizations

Start Your CRA Compliance Journey

Start Your CRA Compliance Journey

Join 100+ organizations already using Interlynk to automate SBOM management and meet EU regulatory requirements.