Meet your Cyber Resilience Act requirements with Canonical
Understand CRA requirements and fast-track your pathway to CRA compliance. Build your products and device software with Ubuntu and Canonical's trusted open source portfolio.
Canonical has committed to meeting the requirements of the CRA: providing compliant software, performing attestation on our non-critical software, and meeting manufacturer requirements for the software our customers consume through us.
What is the Cyber Resilience Act (CRA)?
The CRA is a European Union regulation that aims to make Products with Digital Elements (PDEs) safer by requiring developers, manufacturers, importers and distributors (including retailers) to follow mandatory cybersecurity, documentation and vulnerability reporting requirements. The CRA extends this protection throughout the product life cycle.
Failing to meet the CRA's requirements carries penalties and fines of up to €15 million or 2.5% of your worldwide annual turnover (whichever is higher), depending on the seriousness of the violation.
The CRA will be fully enforced from December 2027.
Read our CISO's full breakdown of the CRA ›

The Cyber Resilience Act requirements in a nutshell
Vulnerability management
Manufacturers must maintain security throughout the product lifecycle through:
- Security patching and maintenance
- Incident response
Risk assessment
Manufacturers must ensure that PDEs:
- Have no known exploitable vulnerabilities
- Are secure by default with minimal attack surface
- Minimize processing of data
Documentation
Manufacturers must deliver documentation to address:
- Product design, delivery and vulnerability management
- Risk assessment and conformity declaration
- Software Bill of Materials (SBOM)
- Manuals covering system hardening and operation
Conformity assessment
Manufacturers must provide a declaration of conformity, based on either:
- Self-assessment
- Assessment by an independent third-party body

What products and devices does the CRA regulate?
The CRA will regulate all manufacturers and developers who want to put products on the EU market, regardless of their location. The CRA will cover all products or devices available in the EU market that are connected to any other device or network to exchange data. This includes PDEs that use:
- Direct/indirect connection
- Physical, wireless/radio or virtual
- Remote data processing
The CRA will cover all PDEs made available in the EU market regardless of:
- Where you are located
- Where the product has been developed/produced
The exceptions are:
- Solutions used for internal purposes are not considered PDEs
- Pure SaaS solutions will be excluded
- PDEs that are already regulated by sector-specific regulations will be excluded
How the CRA classifies products
Product classification | Declaration of conformity
---|---
Default products | Self-assessment: complete a checklist of requirements and issue a statement of compliance yourself.
Important products, Class I | Independent body assessment or EU certification: your compliance efforts are assessed by an accredited third party for formal EU CRA certification. Self-assessment remains available for Class I only where the product fully applies relevant harmonised standards, common specifications or an EU cybersecurity certification scheme.
Important products, Class II | Independent body assessment or EU certification
Critical products | Independent body assessment or EU certification (the Commission may mandate certification under a specific EU scheme)
Who does the Cyber Resilience Act apply to?

Manufacturers
Entities that produce and deliver PDEs to consumers in the EU market.
Providers
Entities that provide components or software (whether open source or proprietary) used by manufacturers.
Importers and distributors
Entities that import or distribute PDEs marketed in the EU.
Canonical's commitment to the CRA
We are focusing on making CRA compliance as easy as possible across our entire range of products and services.
Canonical has chosen to meet the challenges and requirements of the CRA head-on, allowing all of our customers who consume open source through us to benefit from our commitments to the CRA and focus on building future-proof products.
Canonical has committed to:
- Ensuring our operating systems are compliant
- Completing certification on relevant products
- Performing attestation for non-critical products
- Assuming “manufacturer” duties under the CRA.
How the Cyber Resilience Act will impact device manufacturers
Get comprehensive information on how the CRA will affect device manufacturers in our webinar. Watch to learn:
- The vulnerability management obligations mandated by the CRA
- The new requirements for long-term device management and support
- How a hardened attack surface can help you minimize threats and simplify compliance
Fast-track compliance with Ubuntu Pro for Devices
Canonical offers device manufacturers a convenient subscription to access security maintenance for over 36,000 packages, and harness automation tools for compliance with multiple standards. With Ubuntu Pro for Devices, you can simplify your vulnerability management and long term support efforts to comply with the CRA.
See Ubuntu Pro in action
Get long-term support and automated vulnerability management for all your devices, and streamline your pathway to compliance with Ubuntu Pro, the proven way to meet major compliance requirements.
Airlock Digital meets stricter security and compliance requirements with Ubuntu Pro, with up to 40% cost savings and performance increases.
Lucid Software meets FedRAMP compliance for government contracts through Ubuntu Pro
LaunchDarkly becomes the first FedRAMP-authorised feature management platform thanks to Ubuntu Pro
Frequently asked questions
What EU Certification do I need under the CRA?
The CRA does not require a specific certificate for most products; the declaration of conformity is what you must issue. EU cybersecurity certification is one route to demonstrating conformity, and the first scheme available is the EU Cybersecurity Certification Scheme on Common Criteria (EUCC), operated under ENISA. EUCC provides an EU-wide scheme under which companies can certify products and claim conformity based on the assurance level and/or Protection Profile they choose to bring into the scope of the certification.
When will the CRA come into force?
The European Parliament formally approved the CRA in March 2024, and it was adopted by the Council on October 10, 2024. The Cyber Resilience Act entered into force on December 10, 2024. Manufacturers will need to follow CRA reporting obligations as of September 11, 2026, and the remaining obligations apply from December 11, 2027.
How long until manufacturers and other groups have to follow the CRA?
Manufacturers, importers and distributors of hardware and software products have 36 months from the CRA's entry into force (December 10, 2024) to adapt to the new requirements. However, there is only a 21-month grace period before the reporting obligations for actively exploited vulnerabilities and severe incidents apply.
What does the CRA require manufacturers to document?
Under the CRA, manufacturers must provide a record of all their technical documentation, a Software Bill of Materials, an EU Declaration of Conformity, and clear user information and instructions, for a period of 10 years or the support period (whichever is longer) after the product enters the market.
What are manufacturer reporting requirements under the CRA?
Under the CRA, manufacturers must:
- Report actively exploited vulnerabilities in their products to the designated CSIRT (and ENISA) via the single reporting platform: an early warning within 24 hours of becoming aware, a notification with details of the vulnerability and any corrective or mitigating measures within 72 hours, and a final report within 14 days of a fix being available.
- Report severe incidents impacting product security on the same channel: an early warning within 24 hours, a notification within 72 hours with an assessment of severity and impact and any indication of unlawful or malicious acts, and a final report within one month.
- Inform users about incidents and provide mitigation measures within a reasonable timeframe.
- Report vulnerabilities in integrated components to the respective maintainers within a reasonable timeframe.
What is an SBOM or Software Bill of Materials?
An SBOM is a detailed and accessible list of all the components that make up your PDE or software and in-depth information about the source, publishers, and dependencies (and more) about those components. You can learn more about SBOMs, what they include, and how to create them by reading our blog that explores SBOMs in depth.
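To make the definition above concrete, here is an added example (not Canonical's tooling and not from the blog the page links to) that builds a minimal CycloneDX-style SBOM for a Debian/Ubuntu-based PDE. It reads package records in the dpkg "status" format, records each installed package with its version, supplier (the Maintainer field) and a Package URL (purl), and derives the dependency graph from the Depends field. The input is a constructed excerpt with illustrative version strings; the product name, version and the `ubuntu-22.04` distro qualifier are assumptions. On a real device you would read `/var/lib/dpkg/status` and `/etc/os-release` instead.

```python
"""Build a minimal CycloneDX-style SBOM from dpkg status records.

Added example, not Canonical's tooling. Input is a constructed excerpt in
dpkg "status" format; a real device would use /var/lib/dpkg/status.
"""
import json
import re

# Constructed sample (package versions are illustrative, not a real image's).
SAMPLE_STATUS = """\
Package: libssl3
Status: install ok installed
Architecture: amd64
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Version: 3.0.2-0ubuntu1
Depends: libc6 (>= 2.34)

Package: curl
Status: install ok installed
Architecture: amd64
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Version: 7.81.0-1ubuntu1
Depends: libc6 (>= 2.34), libcurl4 (= 7.81.0-1ubuntu1), zlib1g (>= 1.2.11)

Package: libc6
Status: install ok installed
Architecture: amd64
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Version: 2.35-0ubuntu3
Depends: libgcc-s1

Package: removed-pkg
Status: deinstall ok config-files
Architecture: amd64
Version: 1.0-1
"""

DISTRO = "ubuntu-22.04"  # assumption; read from /etc/os-release on a real device


def parse_status(text):
    """Yield a field->value dict for every *installed* package stanza."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace():  # continuation line (multi-line Description etc.)
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        # Skip packages that were removed but still have config files on disk.
        if fields.get("Status", "").endswith(" installed"):
            yield fields


def purl(fields):
    """Package URL in the purl 'deb' form used for Debian-family packages."""
    return (f"pkg:deb/ubuntu/{fields['Package']}@{fields['Version']}"
            f"?arch={fields['Architecture']}&distro={DISTRO}")


def depends(fields):
    """Dependency package names: drop version constraints, arch qualifiers,
    and keep only the first alternative of an 'a | b' group."""
    names = []
    for dep in fields.get("Depends", "").split(","):
        first = dep.strip().split("|")[0].strip()
        if not first:
            continue
        names.append(re.sub(r"\s*\(.*?\)", "", first).split(":")[0].strip())
    return names


def supplier(maintainer):
    """Split 'Name <email>' into a CycloneDX supplier object."""
    m = re.match(r"(.*?)\s*<([^>]+)>", maintainer)
    if m:
        return {"name": m.group(1), "contact": [{"email": m.group(2)}]}
    return {"name": maintainer or "unknown"}


def build_sbom(status_text, product_name, product_version):
    pkgs = list(parse_status(status_text))
    refs = {p["Package"]: purl(p) for p in pkgs}
    components = [{
        "type": "library",
        "bom-ref": refs[p["Package"]],
        "name": p["Package"],
        "version": p["Version"],
        "purl": refs[p["Package"]],
        "supplier": supplier(p.get("Maintainer", "")),
    } for p in pkgs]
    dependencies = [{
        "ref": refs[p["Package"]],
        # Only edges that resolve to a component in this SBOM are recorded.
        "dependsOn": [refs[d] for d in depends(p) if d in refs],
    } for p in pkgs]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "device",
                                   "name": product_name,
                                   "version": product_version}},
        "components": components,
        "dependencies": dependencies,
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_STATUS, "example-gateway", "1.0.0"), indent=2))
```

The purl is what makes the SBOM useful for vulnerability management: a scanner can match `pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1` against Ubuntu's security advisories without guessing from a bare package name. Note that `removed-pkg` is dropped because its dpkg status is not "installed", and dependencies on packages outside the record set (here `libcurl4`, `zlib1g`, `libgcc-s1`) are omitted rather than pointing at non-existent components.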
Dive deep into the CRA with our free resources
Things IoT manufacturers can no longer do under the CRA (and what to do instead)
Get a thorough overview of common IoT manufacturer and PDE developer practices that need immediate attention in order to meet full CRA compliance.
Cyber Resilience Act: Yocto or Ubuntu Core for embedded devices?
Explore the critical considerations for device manufacturers, developers, and relevant stakeholders when choosing between custom-built Linux distributions using the Yocto Project and commercially supported solutions like Ubuntu Core.
Understand IoT security and IoT compliance across global markets
Get a comprehensive guide to understanding the new global compliance landscape for IoT devices and manufacturers, and meet compliance in every regional market with our Ubuntu blueprint for secure devices.
What the CRA means for IoT manufacturers
Get a blueprint for cybersecurity that will help you to secure your PDEs and processes in order to meet CRA compliance.
What is SBOM? Software bill of materials explained
Learn what an SBOM is, what information it must include, and the approaches that developers and manufacturers should consider as they start building their SBOM.
Explore the impacts of the CRA on open source
Find out about the CRA and its wider implications for the open source community.