
Meet your Cyber Resilience Act requirements with Canonical

Build your products and device software with Ubuntu and Canonical's trusted open source portfolio. Fast-track your pathway to CRA compliance.


What is the Cyber Resilience Act (CRA)?

The CRA is European Union legislation that aims to make Products with Digital Elements (PDEs) safer by requiring developers, manufacturers, distributors and retailers to follow mandatory cybersecurity, documentation and vulnerability reporting requirements. The CRA extends this protection throughout the product life cycle.


Read our CISO's full breakdown of the CRA ›

What products and devices does the CRA regulate?

The CRA will cover all products or devices available in the EU market that are connected to any other device or network to exchange data. This includes PDEs that use:

  • A direct or indirect connection
  • A physical, wireless/radio or virtual connection
  • Remote data processing

The CRA will cover all PDEs made available in the EU market regardless of:

  • Where you are located
  • Where the product has been developed/produced

The exceptions are:

  • Solutions used for internal purposes are not considered PDEs
  • Pure SaaS solutions will be excluded
  • PDEs that are already regulated by sector-specific regulations will be excluded

The Cyber Resilience Act requirements in a nutshell


Vulnerability management

Manufacturers must maintain security throughout the product lifecycle through:

  • Security patching and maintenance
  • Incident response


Risk assessment

Manufacturers must ensure that PDEs:

  • Have no known exploitable vulnerabilities
  • Are secure by default with minimal attack surface
  • Minimize processing of data


Documentation

Manufacturers must deliver documentation covering:

  • Technical documentation
  • A Software Bill of Materials
  • An EU Declaration of Conformity
  • Clear user information and instructions


Conformity assessment

Manufacturers must provide a declaration of conformity, either through:

  • Self assessment
  • Independent third party auditors


How the CRA classifies products

The CRA is wide-reaching and its effects will vary depending on how your device or software is categorized. Devices and software are placed into four categories, based on their cybersecurity risk factor and their level of access authority or connection to sensitive infrastructure, networks, or systems.

Product classification, with product examples and the required declaration of conformity:

Default Products
  • Product examples: Hard drives, smart speakers
  • Declaration of conformity: Self assessment - complete a checklist of requirements and issue a statement of compliance yourself.

Important Products Class I
  • Product examples: Password managers, operating systems, wearable devices
  • Declaration of conformity: Independent Body Assessment or EU Certification - your compliance efforts must be assessed by an accredited third party for formal EU CRA certification.

Important Products Class II
  • Product examples: Hypervisors, firewalls, intrusion detection systems
  • Declaration of conformity: Independent Body Assessment or EU Certification

Critical Products
  • Product examples: Smartcards, Hardware Security Modules, smart meter gateways
  • Declaration of conformity: Independent Body Assessment or EU Certification

Who does the Cyber Resilience Act apply to?


Manufacturers

Entities that produce and deliver PDEs to consumers in the EU market.


Providers

Entities that provide components or software (whether open source or proprietary) used by manufacturers.


Importers

Entities that import or distribute PDEs marketed in the EU.


Canonical's commitment to the CRA

We are focusing on making CRA compliance as easy as possible on our entire range of products and services.

Canonical has chosen to meet the challenges and requirements of the CRA head-on, allowing all of our customers who consume open source through us to benefit from our commitments to the CRA and focus on building future-proof products.

Canonical has committed to:

  • Ensuring our operating systems are compliant
  • Completing certification on relevant products
  • Performing attestation for non-critical products
  • Assuming “manufacturer” duties under the CRA


Need help with your CRA roadmap? Contact our experts ›


How the Cyber Resilience Act will impact device manufacturers

Get comprehensive information on how the CRA will affect device manufacturers in our webinar. Watch to learn:

  • The vulnerability management obligations mandated by the CRA
  • The new requirements for long-term device management and support
  • How a hardened attack surface can help you minimize threats and simplify compliance


Fast-track compliance with Ubuntu Pro for Devices

Canonical offers device manufacturers a convenient subscription to access security maintenance for over 36,000 packages, and harness automation tools for compliance with multiple standards. With Ubuntu Pro for Devices, you can simplify your vulnerability management efforts to comply with the CRA.


Discover Pro for Devices ›


Frequently asked questions


What EU Certification do I need under the CRA?

EU Cybersecurity Certification Scheme on Common Criteria (EUCC): ENISA aims to provide an EU-wide certification scheme through which companies can certify and claim compliance with different regulations, based on the Assurance Level and/or Protection Profile they choose to bring into the scope of the certification.


When will the CRA come into force?

The European Parliament formally approved the CRA in March 2024, and it was adopted by the Council on October 10, 2024. The Cyber Resilience Act entered into force on December 10, 2024. Manufacturers will need to follow CRA reporting obligations as of June 11, 2026.


How long until manufacturers and other groups have to follow the CRA?

Manufacturers, importers and distributors of hardware and software products will have 36 months from the CRA’s official publication to adapt to the new requirements. However, there is only a 21-month grace period for manufacturers to adopt reporting obligations for incidents and vulnerabilities.


What does the CRA require manufacturers to document?

Under the CRA, manufacturers must provide a record of all their technical documentation, a Software Bill of Materials, an EU Declaration of Conformity, and clear user information and instructions, for a period of 10 years or the support period (whichever is longer) after the product enters the market.


What are manufacturer reporting requirements under the CRA?

Under the CRA, manufacturers must:

  • Inform the CSIRT of product vulnerabilities within 24 hours, including details of the vulnerability and any corrective actions taken.
  • Notify the CSIRT of incidents impacting product security within 24 hours, including information on severity, impact, and suspected unlawful acts.
  • Inform users about incidents and provide mitigation measures within a reasonable timeframe.
  • Report vulnerabilities in integrated components to the respective maintainers within a reasonable timeframe.


Dive deep into the CRA with our free resources

Cyber Resilience Act: Yocto or Ubuntu Core for embedded devices?

Explore the critical considerations for device manufacturers, developers, and relevant stakeholders when choosing between custom-built Linux distributions using the Yocto Project and commercially supported solutions like Ubuntu Core.


Understand IoT security and IoT compliance across global markets

Get a comprehensive guide to understanding the new global compliance landscape for IoT devices and manufacturers, and meet compliance in every regional market with our Ubuntu blueprint for secure devices.


What the CRA means for IoT manufacturers

Get a blueprint for cybersecurity that will help you to secure your PDEs and processes in order to meet CRA compliance.


Explore the impacts of the CRA on open source

Find out about the CRA and its wider implications for the open source community.