The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force on 10 December 2024 and becomes fully applicable on 11 December 2027; the Article 14 reporting obligations (actively exploited vulnerabilities and severe incidents) apply earlier, from 11 September 2026. It imposes on manufacturers of products with digital elements (PDE), hardware and software alike, reinforced cybersecurity obligations backed by sanctions of up to €15M or 2.5% of global annual turnover. For any organization that buys, integrates, or resells these products, this means: your supplier contracts must be renegotiated to pass down and document these new obligations.
This article details the 8 clauses to systematically include starting in 2026, with drafting examples and alignment with NIS2 and DORA.
Scope: which products and which suppliers are covered?
The CRA applies to products with digital elements (PDE) placed on the European market, together with any remote data processing solution the product needs in order to perform its functions. This covers:
- Hardware: IoT sensors, routers, surveillance cameras, industrial controllers, microcontrollers and microprocessors with security functions
- Software: operating systems, firmware, embedded components, commercial applications, open-source components supplied in the course of a commercial activity
- Hybrid products: combined hardware + software systems (smart-home devices, connected elevators, building automation)
Outside the scope: standalone SaaS and cloud services (NIS2 territory, unless the service is a remote data processing solution integral to a PDE), and products already covered by sector rules with their own cybersecurity requirements, notably medical devices under the MDR/IVDR, type-approved motor vehicles and civil aviation (Art. 2). Check scope before negotiating: for an out-of-scope product the clauses below still work as contractual commitments, but the regulatory backstop (CE marking, Art. 14 reporting, fines) does not exist.
The CRA distinguishes a default category and three higher tiers (Annexes III and IV):
| Category | Examples | Assessment route |
|---|---|---|
| Default ("non-critical", roughly 90% of products) | Office and productivity software, photo editors, most consumer and business apps | Manufacturer self-assessment (internal control) |
| Important (class I, Annex III) | Browsers, password managers, VPN products, operating systems, home routers and switches, SIEM | Self-assessment only where harmonised standards, common specifications or a certification scheme are applied in full; otherwise a notified body |
| Important (class II, Annex III) | Firewalls, intrusion detection/prevention systems, hypervisors and container runtimes, tamper-resistant microcontrollers | Notified body mandatory |
| Critical (Annex IV) | Hardware security modules and other secure cryptoprocessing devices, smart meter gateways, smartcards and secure elements | European cybersecurity certification (e.g. EUCC) at assurance level "substantial" once the Commission mandates it by delegated act; until then, the class II route |
For deeper reading on applicable cyber frameworks, see our guides NIS2 essential vs important entities and DORA 2026.
The 8 mandatory contract clauses
Clause 1 — PDE scope and classification category
Objective: the supplier explicitly declares whether its product is within CRA scope and to which category it belongs.
Sample drafting:
"The Supplier acknowledges that the delivered Product is a 'product with digital elements' within the meaning of Regulation (EU) 2024/2847 and classifies it as [non-critical / important class I / important class II / critical]. Any subsequent reclassification by the European Commission shall be notified to the Client within 30 days and shall give rise to renegotiation of these clauses."
Why it matters: the category determines the conformity assessment route and liability levels. Without explicit declaration, the Client does not know which evidence to request in case of audit.
Clause 2 — "Secure-by-design" and "secure-by-default" obligations
Objective: commit the supplier to meeting the essential cybersecurity requirements of Annex I of the CRA by design.
Sample drafting:
"The Supplier warrants that the Product is designed, developed, and produced in accordance with the essential cybersecurity requirements of Annex I of Regulation (EU) 2024/2847, including: delivery with a secure-by-default configuration, protection against unauthorized access, protection of the confidentiality and integrity of processed data, availability of essential functions, minimisation of attack surfaces, and absence of known exploitable vulnerabilities at delivery."
Alignment with NIS2: this requirement feeds the NIS2 measure "security in acquisition and maintenance of information systems" (Art. 21.2.e).
Clause 3 — CE marking and Declaration of Conformity
Objective: obtain the formal conformity documentation to demonstrate cascading compliance.
Sample drafting:
"The Supplier shall provide, no later than delivery of the Product: (i) an EU Declaration of Conformity compliant with Annex V of the Regulation; (ii) the technical documentation of Annex VII upon request; (iii) proof of the CE marking visible on the Product or its packaging. Any substantial modification of the Product rendering the Declaration obsolete shall trigger a new conformity assessment at the Supplier's expense."
Audit value: in case of inspection by a market surveillance authority, the rapid provision of these documents by your suppliers determines your capability to prove your own due diligence.
Clause 4 — Vulnerability management and SBOM
Objective: permanent access to the Software Bill of Materials (SBOM) and coordinated disclosure process.
Sample drafting:
"The Supplier shall maintain and provide the Client with: (i) a Software Bill of Materials (SBOM) in machine-readable CycloneDX or SPDX format, updated at each version of the Product, covering all software components including open-source, with a package URL or equivalent identifier for each component; (ii) a published coordinated vulnerability disclosure (CVD) policy including a security contact point (for example a security.txt file); (iii) a commitment to publish patches for any high or critical vulnerability (CVSS ≥ 7.0) within 30 days of the Supplier becoming aware of it, and without undue delay for any actively exploited vulnerability; (iv) proactive notification of new vulnerabilities affecting SBOM components."
Why it matters: the CRA itself only obliges the manufacturer to draw up an SBOM covering at least the top-level dependencies and to hand it to market surveillance authorities on request (Annex I Part II). Nothing in the Regulation gives the buyer a copy; the clause is what obtains it, and the identifier requirement in (i) is what makes it usable for automated matching rather than a PDF listing.
ResiPlan tooling: our AI contract analysis module automatically detects whether these SBOM clauses are present in the submitted contract.
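When a supplier delivers an SBOM under the clause above, the first thing a buyer should do is check that it is actually usable for clause 4(iv) before filing it. The following Python script is an added example (not code from the page's author or from ResiPlan): it parses a constructed CycloneDX JSON SBOM, flags components that lack a version or a package URL (and so cannot be matched against any feed), then matches the remaining components against a made-up advisory list and computes the contractual 30-day patch deadline for anything at CVSS 7.0 or above. The SBOM, the advisory entries and the identifiers ADV-2025-* are constructed sample data, not real CVE records; matching on an exact purl is a simplification, since real feeds express affected version ranges.

```python
"""Clause 4 deliverable check: validate a supplier SBOM and match it against an advisory feed."""
import json
from datetime import date, timedelta

# Constructed sample: a minimal CycloneDX 1.5 JSON SBOM as a supplier might deliver it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "edge-gateway-fw", "version": "3.2.0", "type": "firmware"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
        {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        # No purl: a human can read it, a vulnerability feed cannot match it.
        {"type": "library", "name": "busybox", "version": "1.36.1"},
    ],
})

# Constructed advisory feed (NOT real CVE data): affected purl, CVSS base score, disclosure date.
SAMPLE_ADVISORIES = [
    {"id": "ADV-2025-0001", "purl": "pkg:generic/zlib@1.2.11", "cvss": 8.1, "disclosed": "2025-03-01"},
    {"id": "ADV-2025-0002", "purl": "pkg:generic/openssl@3.0.12", "cvss": 5.3, "disclosed": "2025-03-10"},
]

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "metadata", "components")
PATCH_SLA_DAYS = 30        # clause 4(iii) of the sample drafting
PATCH_SLA_THRESHOLD = 7.0  # CVSS >= 7.0 triggers the 30-day commitment


def validate_sbom(raw_sbom):
    """Return a list of findings against clause 4(i); an empty list means the SBOM is acceptable."""
    bom = json.loads(raw_sbom)
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in bom:
            findings.append(f"missing top-level field: {key}")
    if bom.get("bomFormat") != "CycloneDX":
        findings.append("bomFormat is not CycloneDX")
    if not bom.get("metadata", {}).get("component"):
        findings.append("metadata.component (the delivered product itself) is absent")
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            findings.append(f"component {name}: no version")
        if not comp.get("purl"):
            findings.append(f"component {name}: no purl, cannot be matched against advisories")
    return findings


def match_advisories(raw_sbom, advisories, sla_days=PATCH_SLA_DAYS, threshold=PATCH_SLA_THRESHOLD):
    """Match SBOM components to advisories by exact purl and compute the contractual patch deadline.

    Returns one dict per hit: advisory id, purl, cvss and patch_due (a date when cvss >= threshold,
    otherwise None because the 30-day commitment does not apply).
    """
    bom = json.loads(raw_sbom)
    purls = {c["purl"] for c in bom.get("components", []) if c.get("purl")}
    hits = []
    for adv in advisories:
        if adv["purl"] not in purls:
            continue
        due = None
        if adv["cvss"] >= threshold:
            due = date.fromisoformat(adv["disclosed"]) + timedelta(days=sla_days)
        hits.append({"id": adv["id"], "purl": adv["purl"], "cvss": adv["cvss"], "patch_due": due})
    return hits


if __name__ == "__main__":
    for finding in validate_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
    for hit in match_advisories(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print("ADVISORY:", hit)
```

On the sample data the checker reports busybox as unmatchable and flags the zlib advisory with a patch due date of 31 March 2025, while the openssl advisory is recorded without a deadline because it sits below the clause's threshold. In practice, run the same validation on every SBOM version the supplier delivers and keep the findings with the contract file: a supplier that delivers an SBOM without component identifiers has not met clause 4(i) even if the document exists.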
Clause 5 — Security support period
Objective: write the CRA support period (Art. 13(8)) into the contract and extend it where the product's real lifetime calls for it.
Sample drafting:
"The Supplier commits to providing free security updates and vulnerability patches for at least the longest of the following periods: (i) five (5) years from the Product's placing on the market; (ii) the expected lifetime of the Product as published in its documentation; (iii) [negotiated extension, e.g. fifteen (15) years for Products classified 'important class II' or 'critical']. Security updates issued during the support period shall remain available for download for at least ten (10) years after issue. Any early termination of support shall engage the Supplier's liability for failure to meet the CRA essential requirements."
Statutory floor: Art. 13(8) requires the support period to reflect the expected time of use and to be at least five years (shorter only if the product is expected to be in use for less than five years); Art. 13(9) requires issued updates to remain available for ten years or the remainder of the support period, whichever is longer. The fifteen-year term in (iii) has no statutory basis and is purely contractual: worth pushing for on long-lived infrastructure, but expect resistance.
Classic trap: vendors of subscription-licensed software tend to tie support to the active subscription. The CRA support period runs from the placing on the market, not from the commercial contract, so patches for the versions you run remain due within the legal period even after the subscription ends.
Clause 6 — Incident and actively exploited vulnerability notification (Art. 14)
Objective: cascade the manufacturer's Art. 14 reporting obligation so that the Client is informed at the same time as the authorities. Under the CRA the manufacturer reports to the CSIRT designated as coordinator and to ENISA through the single reporting platform; this obligation applies from 11 September 2026.
Sample drafting:
"The Supplier shall notify the Client, simultaneously with its notification to the coordinating CSIRT and ENISA under Article 14 of Regulation (EU) 2024/2847, of any severe incident having an impact on the security of the Product or any actively exploited vulnerability affecting it, within the following timelines: (i) early warning within 24 hours of awareness; (ii) vulnerability or incident notification within 72 hours; (iii) a final report within 14 days after a corrective or mitigating measure is available (vulnerabilities) or within one month after the incident notification (incidents). Each notification shall include: technical description, applicable CVE identifiers and CVSS scores, observed exploitation vectors, and available remediation or mitigation measures."
Alignment with NIS2: the CRA 24-hour early warning and 72-hour notification track NIS2 Art. 23; the final-report deadlines differ (NIS2: one month), so keep one notification workflow and parameterise only the final-report deadline per regime (see our NIS2 incident notification guide).
Clause 7 — Audit rights and compliance proof
Objective: verify and audit the supplier's CRA compliance.
Sample drafting:
"The Client, directly or through a mandated third-party auditor, shall have the right: (i) to audit annually the Supplier's compliance with CRA obligations with 30 days' notice; (ii) to request CRA technical documentation (Annex VII) within 15 business days; (iii) to demand notified body assessment reports where applicable; (iv) to audit the Supplier's critical subcontractors under the same conditions. Audit costs remain the Client's expense unless substantial non-conformity is discovered, in which case they are rebilled to the Supplier."
Clause 8 — Liability and CRA indemnification
Objective: transfer to the supplier the sanctions incurred due to its non-conformity.
Sample drafting:
"The Supplier shall fully indemnify the Client for any damage, administrative fine, remediation cost, or loss of operations resulting from: (i) non-conformity of the Product with requirements of Regulation (EU) 2024/2847; (ii) absence, delay, or insufficiency of security updates; (iii) late or incomplete notification of incident or vulnerability. This indemnification shall not be capped by general liability limitation clauses of the present contract."
Why this clause matters: CRA fines (up to €15M or 2.5% of global annual turnover) exceed standard contractual liability caps and are addressed to the manufacturer. A Client that integrates the Product into its own PDE, sells it under its own brand or substantially modifies it takes on the manufacturer's obligations itself (Art. 22) and then bears the fine for a non-conformity that originated upstream. Without a specific clause, that risk stays with the client-integrator.
Alignment with NIS2 and DORA: avoid redundant clauses
Many of these clauses overlap with NIS2 (supply chain, Art. 21.2.d) and DORA (ICT third parties, Art. 28-30). Our recommendation:
| Contract type | Priority clauses |
|---|---|
| IoT hardware supplier | CRA 1-8 + ISO 22301 RTO/RPO |
| Critical SaaS vendor (NIS2 entity) | NIS2 full; CRA 4-6 (SBOM, support, notification) only where the service is a remote data processing solution integral to a PDE |
| Critical ICT vendor (financial entity) | DORA Art. 30 contractual provisions in full + CRA 2-5 |
| Connected medical device manufacturer | MDR/IVDR cybersecurity requirements + GDPR; CRA clauses 4-6 as contractual terms only, since devices covered by the MDR/IVDR are excluded from the CRA (Art. 2(2)) |
How ResiPlan automatically detects these 8 clauses
Our AI contract analysis module scans each supplier contract and:
- Identifies the 8 expected CRA clauses based on product type
- Extracts contract passages corresponding to each clause
- Classifies each clause: compliant / partial / non-compliant / absent
- Calculates a specific CRA compliance score (0-100)
- Provides a prioritized list of missing clauses to renegotiate
Combined with DORA, NIS2, ISO 22301 and GDPR modules, you get a multi-framework report in less than 2 minutes per contract.