
Regulatory scoping for the EU Cyber Resilience Act

The Cyber Resilience Act regulates the product, not the network: any product with digital elements placed on the EU market carries secure-by-design, vulnerability-handling, and reporting duties. The phased timeline is the trap — reporting obligations land in September 2026, more than a year before the December 2027 main date.

Product security · Vulnerability handling · Incident reporting · Conformity assessment

Regulations Magist tracks for this vertical

  • EU CRA
  • NIS2
  • UK PSTI

Coverage of these newer regimes is published as draft and reviewed on a rolling basis.

Questions that determine your footprint

  • Is your product a "product with digital elements"?

    Hardware and software whose use involves a data connection to a device or network can fall within CRA scope; standalone distributed software is typically caught while pure remote services are largely carved out.

  • Have you stood up a vulnerability-reporting pipeline?

    The CRA reporting obligation applies from September 2026, ahead of the main 2027 date, so a coordinated vulnerability disclosure process and incident-notification path can be the first thing that needs to exist.

  • Can you commit to a defined support period?

    A published support period and free security updates are binding representations under the CRA essential requirements, so the commitment typically needs to match what the team can actually staff.


Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone.

Magist provides legal information, not legal advice. Consult a licensed attorney.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. Magist provides legal information; consult a licensed attorney in your jurisdiction.


© 2026 Magist