EU Cyber Resilience Act (CRA)
EU rules requiring cybersecurity standards for all digital products sold on the EU market.
Published in the Official Journal on 20 November 2024 as Regulation (EU) 2024/2847 and in force since 10 December 2024, the Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements placed on the EU market. The regulation fills a gap in the EU's cybersecurity framework: the NIS2 Directive addresses the cybersecurity of organisations and DORA covers the digital resilience of the financial sector, but no horizontal legislation previously required that hardware and software products themselves be secure by design. The CRA imposes cybersecurity obligations across the product lifecycle, from design and development through to the end of the support period.
The CRA applies to manufacturers, importers, and distributors of products with digital elements, a category that spans consumer IoT devices and smart home products, enterprise software, operating systems, routers, and industrial control systems. Free and open-source software that is not supplied in the course of a commercial activity is excluded (non-commercial open-source stewards face only a light-touch regime), but virtually all commercially marketed digital products fall within scope. Products are categorised by cybersecurity risk: the default category may be self-assessed by the manufacturer; "important" products listed in Annex III are split into Class I (self-assessment only where harmonised standards are applied in full, otherwise third-party assessment) and Class II (third-party conformity assessment always required, for example hypervisors and container runtimes, and firewalls or intrusion detection and prevention systems intended for industrial use); and "critical" products listed in Annex IV, such as smart meter gateways, hardware devices with security boxes, and smartcards and secure elements, for which the Commission may additionally require a European cybersecurity certificate. Because the class determines the conformity assessment route, each product should be checked against the Annex III and Annex IV lists rather than classified by intuition.
Manufacturers must ensure their products meet the essential cybersecurity requirements of Annex I, which include being placed on the market without known exploitable vulnerabilities, a secure-by-default configuration, protection of the confidentiality and integrity of data, minimisation of the attack surface, and the ability to receive security updates (where applicable, installed automatically by default with a clear opt-out). They must conduct and document a cybersecurity risk assessment, maintain technical documentation, including a software bill of materials (SBOM) in a machine-readable format covering at least the product's top-level dependencies, and provide users with clear information about the product's security properties, the support period, and a single point of contact for reporting vulnerabilities. A key obligation is vulnerability handling: manufacturers must monitor for, remediate and disclose vulnerabilities throughout the support period, which must reflect the time the product is expected to be in use and be at least five years unless the product is expected to be in use for less. Actively exploited vulnerabilities and severe incidents affecting product security must be reported through the single reporting platform to the national CSIRT designated as coordinator and to ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days (for vulnerabilities, once a fix is available) or one month (for incidents).
The regulation provides for a transition period: most obligations apply 36 months after entry into force, from 11 December 2027, while the vulnerability and incident reporting obligations of Article 14 apply from 11 September 2026 and the provisions on notified conformity assessment bodies from 11 June 2026. Products placed on the market before 11 December 2027 are subject to the essential requirements only if they undergo a substantial modification after that date, but the reporting obligations apply to them regardless. CE marking will indicate CRA conformity, integrating cybersecurity into the EU's existing product conformity framework.
The CRA interacts with the NIS2 Directive, which covers organisational cybersecurity for essential and important entities, and with DORA for financial-sector-specific requirements. It also connects with the EU CE marking framework: from the application date, a product with digital elements may carry the CE mark only if it conforms to the CRA. For businesses manufacturing or selling digital products in Europe, the CRA represents a fundamental shift: cybersecurity is no longer a competitive differentiator but a legal prerequisite for market access.
A practical first step: inventory all products with digital elements you place on the EU market, and assess each against the Annex I essential cybersecurity requirements and its risk category (default, important Class I or Class II, or critical), since the category fixes the conformity assessment route and the date by which evidence must be in place.