Regulation (EU) 2024/2847

The CRA makes cybersecurity a condition of the CE mark. Rizzqo builds the proof into how you ship.

The Cyber Resilience Act holds every product with digital elements to essential requirements β€” secure by design, no known exploitable vulnerabilities, and vulnerability handling across a defined support period. Rizzqo turns those requirements into conformity you can prove, kept ready as you build β€” not reconstructed before assessment.

24hearly warning for an actively exploited vulnerability
5 yrsminimum support period for security updates
Dec 2027full obligations from 11 December
What is in scope

Products with digital elements

The CRA applies to products with digital elements β€” any hardware or software placed on the EU market whose intended use includes a data connection. Conformity effort scales with risk: most products self-assess, while important and critical products face third-party assessment. Select a class to see what it means for you.

Higher assurance

Important & critical products

Third-party assessment or certification

Products whose core function is security-relevant β€” listed in Annex III (important, Class I and II) and Annex IV (critical). The higher the class, the more independent the conformity assessment.

What this class means
  • Password managers, VPNs, firewalls, network and identity management
  • Class II and critical products need a notified body or certification
  • Smart meter gateways, hardware security modules and smartcards are critical
  • Held to the same essential requirements, verified with more assurance

Products covered

The CRA reads more clearly in two buckets. Default products self-assess against the essential requirements; important and critical products meet the same bar but with independent conformity assessment or certification. Products already governed by sectoral rules β€” medical devices, cars, aviation β€” are carved out.

Default products

The majority β€” self-assessed against the essential requirements.

Connected consumer devicesBusiness & productivity softwareMobile & desktop appsSmart home devicesConnected sensorsGames & media devicesDevelopment tools

Important & critical products

Security-relevant products with independent assessment or certification.

Password managersVPNs & firewallsNetwork managementIdentity managementOperating systemsMicrocontrollersHardware security modulesSmart meter gateways
Annex I essential requirements

What secure by design has to mean

Annex I sets essential requirements: product security properties in Part I and vulnerability handling in Part II. Every product must be delivered and maintained against them. With Rizzqo, conformity to each is something you can evidence, not assert.

Annex I, 1

Secure by design & default

Products are designed, developed and delivered with an appropriate level of cybersecurity and a secure-by-default configuration.

Annex I, 2(a)

No known exploitable flaws

Products are placed on the market without known exploitable vulnerabilities, with a secure state to fall back on.

Annex I, 2(e)

Confidentiality & encryption

Protect the confidentiality of stored, transmitted and processed data, using state-of-the-art encryption where relevant.

Annex I, 2(f)

Integrity protection

Protect the integrity of stored, transmitted and processed data, commands, configuration and the product’s own code.

Annex I, 2(g)

Data minimisation

Process only the data that is adequate, relevant and limited to what the product’s intended use requires.

Annex I, 2(h)

Availability & resilience

Protect availability of essential functions and resilience against denial-of-service, including for connected devices.

Annex I, 2(j/k)

Minimised attack surface

Limit attack surfaces, including external interfaces, and design in mitigations to reduce the impact of an incident.

Annex I, 2(l)

Security logging

Record and monitor relevant internal activity, including access to and modification of data and functions.

Annex I, 2(m)

Secure updates

Provide security updates, where possible automatically, that can be installed promptly across the support period.

Annex I, Part II

Vulnerability handling

Maintain an SBOM, a coordinated disclosure policy and timely, free security updates throughout the support period.

Article 14 reporting

An actively exploited flaw starts a 24-hour clock to ENISA

For an actively exploited vulnerability or a severe incident, the CRA sets a staged notification to the coordinating CSIRT and ENISA. Rizzqo keeps you ready to hit every stage on time, with the affected products and evidence already to hand.

On awarenessFirst
Detection

Detect & confirm

Become aware of an actively exploited vulnerability in the product, or a severe incident affecting its security, and confirm the impact.

24 hoursThen
Early warning

Early warning

Within 24 hours of becoming aware, an early warning to the coordinating CSIRT and ENISA via the single reporting platform.

72 hoursFinally
Notification

Vulnerability notification

Within 72 hours, a fuller notification with the nature of the flaw, its severity and any corrective or mitigating measures taken.

14 daysFinally
Final report

Final report

Once a corrective measure is available, and no later than 14 days after, a final report describing the vulnerability and the fix.

The CRA, tracked on what you ship

On the products and components you ship

The essential requirements belong on the product, not in a binder. Rizzqo keeps each one owned, tracked and evidenced as engineering happens β€” so the conformity file builds itself as you build.

01

Requirements linked to real products

The CRA lands on the products and components you actually ship β€” not a generic checklist β€” so your scope reflects your real product, not a paper exercise.

  • Grounded in your real products
  • A scope you can defend, not a checklist
  • Risk priced in real money, not a heat-map colour
02

Clear ownership, evidence for the file

Every requirement has a clear owner and evidence that accrues as teams build β€” so the technical documentation stays conformity-ready instead of being reconstructed the week before assessment.

  • Clear ownership, nothing unassigned
  • Evidence that stays current, not stale
  • Technical documentation and SBOM ready for assessment
03

A reporting workflow against the clock

When a vulnerability is actively exploited, the Article 14 clock starts. Rizzqo keeps the 24-hour, 72-hour and 14-day stages and the affected products in view β€” so each report is assembled from what you already have, not improvised under pressure.

  • 24h, 72h and 14-day deadlines never missed
  • Affected products in view from the start
  • Every stage assembled, not improvised

The secure-development work you already do, counted

Secure development, access control, encryption, vulnerability management β€” the CRA leans on practices an ISO 27001 ISMS already asks of you. Rizzqo counts that work toward the CRA on the same assets, so only the genuinely product-specific duties remain: secure-by-default delivery, an SBOM, support-period updates and CE conformity.

Ship it CRA-conformant, with the proof built in.

Turn the Annex I essential requirements into conformity you can prove on your real products β€” and be ready for the Article 14 clock before it starts.

Essential requirements mappedProof on your real productsReady for Article 14 reporting

CRA questions, answered