The Cyber Resilience Act: an overview

The CRA aims to enhance the security of hardware and software products by setting uniform standards across the EU. Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), establishes comprehensive cybersecurity requirements for products with digital elements within the European Union. The regulation was published on 20 November 2024 and came into force on 11 December 2024.

How the CRA Will Protect Your Digital Experience

The CRA applies to all products with digital elements, including both hardware and software that are designed to connect to other devices or networks, either directly or indirectly. Its main goals are to:

  • Ensure that products placed on the EU market are designed, developed, and produced to meet stringent cybersecurity standards.
  • Mandate that manufacturers implement vulnerability handling processes throughout a product's lifecycle.
  • Enhance transparency regarding cybersecurity aspects of products for consumers and users.

CRA Requirements

Main Points You Need to Know

  1. Essential Cybersecurity Requirements: Manufacturers must ensure that products are designed and developed in accordance with essential cybersecurity requirements, which include:
    • Protection against unauthorized access.
    • Safeguarding the availability, authenticity, integrity, and confidentiality of data.
    • Minimizing the impact of potential incidents.
  2. Vulnerability Handling: Manufacturers are required to establish and maintain processes to manage vulnerabilities, including:
    • Providing security updates for a defined period.
    • Informing users about vulnerabilities and available remedies.
  3. Obligations for Economic Operators: The CRA outlines specific responsibilities for various economic operators:
    • Manufacturers: Ensure compliance with cybersecurity requirements and maintain technical documentation.
    • Importers and Distributors: Verify that products comply with the CRA before placing them on the market.
  4. Market Surveillance and Enforcement: The regulation empowers authorities to conduct market surveillance to ensure compliance and to take corrective actions when necessary.

The Cyber Resilience Act (CRA) was published in the EU Official Journal on 20 November 2024 and officially came into force on 10 December 2024. However, businesses and organisations must fully comply with its requirements starting from 11 December 2027. That said, certain provisions will take effect earlier: manufacturers’ reporting obligations will apply from 11 September 2026, and Member States must notify Conformity Assessment Bodies by 11 June 2026.

For the full text of the regulation, please refer to the official publication: EUR-Lex

  • 20 November 2024

    CRA published in the EU Official Journal

  • 10 December 2024

    CRA came into force

  • 11 June 2026

    EU Member States must notify Conformity Assessment Bodies

  • 11 September 2026

    Manufacturers’ reporting obligations apply

  • 11 December 2027

    Businesses and organisations must fully comply with CRA requirements