Jurisdictions / EU CRA
EU Cyber Resilience Act: Cryptography Readiness
The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force in December 2024; reporting obligations start in September 2026 and the main obligations apply from December 2027. For cryptography it demands what Korthex produces: proof that products protect data with state-of-the-art encryption, and documentation that stays current across the product lifecycle.
What the CRA expects from your cryptography
- Essential requirements (Annex I): protection of confidentiality and integrity with state-of-the-art mechanisms, including encryption of data at rest and in transit
- Technical documentation that shows how those requirements are met, kept current across the support period
- Vulnerability handling: knowing what is inside the product, so a broken algorithm is a locatable component, not a research project
What Korthex contributes
The CBOM is the cryptography slice of CRA technical documentation: every algorithm, key size, certificate and protocol in the product with file and line evidence. The state-of-the-art yardstick comes from the EU-relevant baseline channels (BSI and ANSSI, both carrying NIS2 tags), and the CI/CD gate regenerates the evidence on every commit, which is exactly the keep-it-current posture the CRA assumes.
Honest scope: Korthex does not have a dedicated CRA rule channel today, because the act sets outcome requirements rather than an algorithm list. The framework-tagging model is deliberately extensible; when harmonised standards under the CRA name concrete cryptographic requirements, they land as tags without a format change.
Frequently asked questions
When does the CRA actually apply?
It entered into force on 10 December 2024. Vulnerability-reporting obligations apply from September 2026, the main obligations from December 2027. Products placed on the EU market after that date need the documentation in place.
Does a Korthex scan make my product CRA-compliant?
No single tool does. Korthex produces the cryptographic inventory and the state-of-the-art evidence that the technical documentation and vulnerability-handling processes require; conformity assessment covers far more than cryptography.
Which baseline channels serve as the CRA yardstick?
The EU-relevant channels: BSI and ANSSI (both NIS2-tagged), plus NIST for the global algorithm baseline. The overview page lists the recommended activation per profile.