Who it applies to
The CRA sets essential cybersecurity requirements (Annex I) for any product with digital elements placed on the EU market, together with mandatory vulnerability handling (Annex II) and reporting obligations to ENISA. The first obligations apply from 2026, with full applicability in 2027.
What it requires
- Annex I: essential cybersecurity requirements (secure by default, handling of exploitable vulnerabilities, secure update mechanism)
- Annex II: vulnerability handling — coordinated disclosure, software bill of materials, security update support window
- Article 14: vulnerability and incident reporting to ENISA within strict timelines
How Sandline helps
- Pre-market product security assessment against CRA Annex I
- Coordinated vulnerability disclosure programme stand-up
- Software bill of materials (SBOM) generation and gap analysis
- Vulnerability handling SLA design and audit
