Jurisdiction: EU. Enforcement: September 11, 2026

EU Cyber Resilience Act (CRA) — Software & AI Products: AI Compliance Requirements

The EU Cyber Resilience Act (CRA, Regulation 2024/2847, entered into force December 10, 2024) requires manufacturers and publishers of any software or hardware "product with digital elements" sold or made available in the EU to meet essential cybersecurity requirements. This includes SaaS products, AI applications, connected devices, and any software deployed by EU users. Phase 1 reporting obligations (vulnerability and incident reporting) apply from September 11, 2026. Full compliance, including the security-by-design requirements, is required by December 11, 2027. AI software products are in scope as products with digital elements.

Key Facts

Effective Date: December 10, 2024

Enforcement Begins: September 11, 2026

Maximum Penalty: €15,000,000 or 2.5% of global annual turnover for essential requirement violations

What Your Business Must Do

Four compliance requirements are identified below. Critical requirements carry the highest risk of enforcement action.

Vulnerability & Incident Reporting (Sep 11, 2026)

Priority: Critical

From September 11, 2026: Report actively exploited vulnerabilities in your software or AI product within 24 hours of discovery (early warning notification) and submit a full notification within 72 hours. The final report is due within 14 days. Report via ENISA's Single Reporting Platform (SRP), addressed to the CSIRT of the Member State where you have your main EU establishment.

Deadline: September 11, 2026

Vulnerability Disclosure Policy (VDP)

Priority: High

Establish and publish a Vulnerability Disclosure Policy (VDP) that allows security researchers to responsibly report vulnerabilities in your product. Acknowledge reports promptly and provide remediation timelines. This must be in place before the September 2026 reporting obligations take effect.

Deadline: September 11, 2026

Security-by-Design Requirements (Dec 2027)

Priority: High

By December 11, 2027: Design and develop your AI/software product so that it ships with no known exploitable vulnerabilities, secure default configurations, a minimal attack surface, and data protection mechanisms. Maintain a Software Bill of Materials (SBOM) and security architecture documentation.

Deadline: December 11, 2027

Security Update Lifecycle Commitment

Priority: Medium

Commit to providing security updates for the expected product lifetime (the minimum period is to be set by the Commission). Notify users of security issues. Publish a clear end-of-life policy so users know when updates will cease.

Deadline: December 11, 2027

Frequently Asked Questions

Does EU Cyber Resilience Act (CRA) — Software & AI Products apply to my business?

The EU Cyber Resilience Act (CRA, Regulation 2024/2847, entered into force December 10, 2024) requires manufacturers and publishers of any software or hardware "product with digital elements" sold or made available in the EU to meet essential cybersecurity requirements. Use ComplianceIQ's free scanner to get a personalized assessment in under 5 minutes.

What is the penalty for non-compliance?

The maximum penalty under the EU Cyber Resilience Act (CRA) for software and AI products is €15,000,000 or 2.5% of global annual turnover for essential requirement violations. Fines are typically scaled by company size, the severity of the violation, and whether violations were willful or accidental.

How do I comply with EU Cyber Resilience Act (CRA) — Software & AI Products?

The four requirements above cover the core obligations. The fastest path to compliance is: (1) conduct an AI risk assessment, (2) document your AI systems, and (3) implement transparency disclosures where required. ComplianceIQ generates all required documents automatically.

Official Source

https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

Last updated: 2026-04-12 — verify at source before relying on this information.

Don't leave compliance to chance

ComplianceIQ scans your AI tools, tells you exactly which regulations apply, and generates all required documents — in 30 minutes.

Start your free compliance scan