The Cyber Resilience Act (CRA) national guides are country-level initiatives developed by EU Member States to support the implementation of the Cyber Resilience Act (CRA) and to align national practices with the emerging European standards framework. Although the CRA is directly applicable as an EU regulation, it requires supplementary national legislation, particularly regarding market surveillance, nomination of the Notified Bodies that can carry the conformity assessment for the CRA.
The guides offer a consolidated view of how each country is translating the CRA into operational rules and procedures, and clarify how CRA obligations are applied at national level. They explain who does what, where manufacturers must report vulnerabilities and incidents, how conformity assessment is organized, and which authorities are responsible for oversight. In short, they reduce ambiguity between the EU regulation and national execution.
They are intended for manufacturers of products with digital elements, software developers, distributors, and other supply-chain actors. They are also relevant for cybersecurity professionals, and compliance teams that need to operationalize CRA requirements in specific national contexts. For SMEs in particular, the guides act as a translation layer between legal text and real-world implementation.
- Belgium
Guidance in Dutch, French and German prepared by the Centre for Cybersecurity Belgium (CCB).
- Finland
Guidance in English prepared by the Finnish Transport and Communications Agency Traficom.
- France
Guidance in French prepared by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI).
- Germany
Guidance in German (including a technical guideline) and in English (including a technical guideline) prepared by the Federal Office for Information Security.
- Netherlands
Guidance in Dutch prepared by the Rijksinspectie Digitale Infrastructuur (RDI).
- Poland
Guidance in Polish prepared by the Krajowy organ ds. certyfikacji cyberbezpieczeństwa.