The Cyber Resilience Act (CRA) is a proposed European Union law that establishes cybersecurity requirements for products with digital elements. It aims to improve the security of hardware and software products sold on the EU market by ensuring that they are designed, developed and manufactured securely from the outset. This law seeks to protect consumers and businesses from cyber risks, such as data theft and ransomware attacks. In essence, the CRA shifts responsibility for end-user cybersecurity to manufacturers, forcing them to ensure the security of their products throughout their entire lifecycle.
Companies will be required to have all their devices compliant by August 1, 2027. From this date, manufacturers, importers and distributors will be obliged to ensure that their products comply with the new cybersecurity requirements before they can be placed on the EU market.
What devices are affected by the CRA? 
The CRA affects a wide range of products with digital components, from consumer devices to industrial equipment. In general, the law applies to any product that has the capability to connect to a network, either directly or indirectly. Specific examples include:
- Smart home devices: refrigerators, thermostats, lighting systems.
- Entertainment devices: video game consoles, smart TVs, smart speakers.
- Computer hardware: routers, modems, printers, external hard disks.
- Software: operating systems, mobile applications, security software.
- Industrial devices: industrial control systems (ICS), factory robots, sensors.
- Connected health devices: glucose monitors, pacemakers, telemedicine devices.
The law does not affect products that are already covered by other more specific sectoral regulations, such as medical devices or vehicles.
What types of companies will be affected? 
The Cyber Resilience Act will have a significant impact on several types of companies, primarily those that design, manufacture or sell products with digital components in the EU market. These companies include:
- Hardware manufacturers: Companies that produce computers, smartphones, IoT devices and industrial equipment.
- Software developers: Companies that create operating systems, applications, and software in general.
- Importers and distributors: Companies that bring digital products from outside the EU and distribute them within the EU.
- Cloud service providers: Although the law focuses on products, cloud services are often tied to hardware and software devices and may have to comply with certain requirements.
The law imposes obligations on these companies to conduct risk assessments, maintain technical documentation, report serious incidents and ensure that their products receive regular security updates for a specified period of time.
Scud: CRA compliance from the grid 
At Scud Security, we understand the complexity of complying with regulations such as the Cyber Resilience Act.
To help our customers navigate this new landscape, as of September 2025, Scud devices incorporate innovative technology to automatically report which network-connected devices are not compliant with CRA requirements.
Our solution continuously scans the network and connected devices, identifying those that do not have the latest security updates, use insecure default settings, or have other vulnerabilities that would make them non-compliant. This early warning system provides enterprises with the visibility and control needed to mitigate risk, take corrective action and demonstrate compliance. With Scud, companies can stay ahead of CRA requirements, improving their cybersecurity posture and avoiding potential penalties.
In addition, through ScudCompliance.com we also offer consulting and support services so that companies can become accredited in cybersecurity regulations as relevant as the CRA itself, ISO 27001 or the National Security Scheme (ENS) of INCIBE. Our team of experts will guide you through the entire process to ensure that your company meets the highest standards of security and compliance.