Key obligations
CE marking and conformity assessment
The CRA requires CE marking and a conformity assessment as evidence that the product meets the essential requirements; request this at procurement.
Secure-by-default configuration
The CRA requires secure default settings on delivery and products free of known exploitable vulnerabilities (security by design).
Security updates and vulnerability management
The CRA mandates vulnerability management and security updates throughout the product lifecycle; set out in the contract who is responsible for updates and for how long they will be provided.
Technical documentation and user information
The CRA requires technical documentation and user information, and where applicable insight into the product's software components.
Reporting duty for vulnerabilities and incidents
From 11 September 2026 there is a duty to report actively exploited vulnerabilities and serious incidents to ENISA and the CSIRT; ensure your suppliers inform you without delay.
Interplay with the AI Act
For high-risk AI, the AI Act (Art. 15) requires an appropriate level of cybersecurity alongside the CRA; combine both in a single risk assessment (including data poisoning and adversarial attacks).