UK PSTI Act 2022 EU Regulation 2024/2847

EU Cyber Resilience Act for UK manufacturers

UK manufacturers exporting to the EU market must comply with Regulation (EU) 2024/2847 — in addition to the UK PSTI Act already in force. This guide explains both regimes and where they overlap.

CRA vs PSTI Act — side by side

Both regimes share common principles but differ significantly in scope, documentation, and enforcement.

| Topic | 🇬🇧 UK PSTI Act 2022 | 🇪🇺 EU CRA 2024/2847 |
|---|---|---|
| In force | 29 April 2024 [Applied] | 11 December 2027 (full) [Upcoming] |
| Scope | Consumer connectable products sold in the UK [Consumer only] | All products with digital elements on EU market, including B2B [Broader] |
| Key requirements | No default passwords; vulnerability disclosure; security update period | Full cybersecurity risk assessment; Annex I essential requirements; SBOM; CE marking; EU DoC |
| Conformity | Statement of compliance (manufacturer self-declaration) | EU Declaration of Conformity + CE marking; third-party assessment for Important/Critical products |
| Documentation | Compliance statement with product info and support period | Full technical documentation per Annex VII; retained for 10 years (Article 31) |
| Vulnerability reporting | Publish a vulnerability disclosure process | Active reporting to ENISA via Single Reporting Platform from 11 September 2026 (Article 14) |
| Penalties | Up to £10,000,000 or 4% of global turnover | Up to €15,000,000 or 2.5% of global turnover (Article 64) |
| Enforcer | UK Office for Product Safety and Standards (OPSS) | National market surveillance authorities in each EU Member State |

Common ground (shared by both regimes): no default passwords; vulnerability disclosure process; security update support period; ETSI EN 303 645 alignment.

Sources: PSTI Act 2022 and Security Regulations 2023/1007 (legislation.gov.uk); Regulation (EU) 2024/2847 (EUR-Lex).

Key dates for UK manufacturers

Combined timeline covering both regimes.

29 April 2024: UK PSTI Act in force [Done, UK]
All UK consumer connectable products must comply with the PSTI Security Regulations 2023/1007. Enforced by OPSS.

10 December 2024: EU CRA enters into force [Done]
Regulation (EU) 2024/2847 entered into force. UK manufacturers exporting to the EU must begin compliance preparation.

11 September 2026: EU vulnerability reporting begins
Article 14 of Regulation (EU) 2024/2847 applies. UK manufacturers with products on the EU market must report actively exploited vulnerabilities via ENISA's Single Reporting Platform.

11 December 2027: EU CRA full application
All CRA requirements apply. UK manufacturers must have CE marking, EU Declaration of Conformity, and technical documentation in place before placing products on the EU market.

Frequently asked questions

For UK manufacturers navigating both the PSTI Act and the EU CRA.

Does the EU CRA apply to UK manufacturers?
Yes. Regulation (EU) 2024/2847 applies to all products with digital elements made available on the EU market, regardless of where the manufacturer is based. A UK manufacturer selling into Germany, France, or any other EU Member State must comply with the CRA from 11 December 2027, and with vulnerability reporting obligations from 11 September 2026.

Does PSTI compliance count towards CRA compliance?
Partially. Both regimes share three core requirements: no default or easily guessable passwords, a published vulnerability disclosure process, and a defined security update support period. Manufacturers compliant with PSTI and ETSI EN 303 645 have a foundation for CRA compliance. However, the CRA requires additional steps: a full cybersecurity risk assessment, technical documentation per Annex VII, an SBOM, CE marking, and an EU Declaration of Conformity. PSTI compliance alone is not sufficient for CRA.
Sources: PSTI Security Regulations 2023/1007; Regulation (EU) 2024/2847, Annex I and Annex VII

Is the CRA scope wider than the PSTI Act?
Yes, significantly. The PSTI Act applies only to consumer connectable products — it does not cover purely business-to-business products where it is not reasonably foreseeable that consumers would purchase them. The EU CRA applies to all products with digital elements placed on the EU market, including industrial hardware, software components, and B2B products. The CRA also covers software products separately placed on the market — not only physical connected devices.
Sources: PSTI Act 2022, Section 54; Regulation (EU) 2024/2847, Article 2

What is the EU authorised representative requirement for UK manufacturers?
Under Article 15 of Regulation (EU) 2024/2847, a manufacturer not established in the EU must appoint an EU-based authorised representative before placing products on the EU market. The authorised representative acts on behalf of the manufacturer and must be named in the EU Declaration of Conformity and technical documentation. This is a key practical step for UK manufacturers exporting to the EU post-Brexit.

Manage CRA compliance from one platform

CRA Ready is purpose-built for manufacturers selling into the EU market. Technical documentation, CE marking workflow, vulnerability management, SBOM — covering all CRA requirements in one place.

Legal disclaimer: This page is an informational resource for UK manufacturers. Content on the EU CRA references Regulation (EU) 2024/2847 as published in the EU Official Journal (EUR-Lex). Content on the UK PSTI Act references the Product Security and Telecommunications Infrastructure Act 2022 and Security Regulations 2023/1007 (legislation.gov.uk). This page does not constitute legal advice. Always refer to the official legislative texts for binding interpretation.