Introducing the Cyber Resilience Act: the EU's new plan to make sure all digital products are safe from cyber threats. This important rulebook requires that devices and software are designed, updated, and maintained to protect users in our increasingly digital world. Experience a safer, more connected future where your security comes first.
From baby monitors to smart watches, from apps to computer programs, connectable hardware and software are omnipresent in our daily lives. Less apparent to many users is the security risk such products may present.
The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying software or hardware products with digital elements. The CRA addresses the inadequate level of cybersecurity in many products, and the lack of timely security updates. It also tackles the challenges consumers and businesses currently face when trying to determine which products are cybersecure and when setting them up securely, making it easier to identify hardware and software with the proper cybersecurity features.
The CRA introduces mandatory cybersecurity requirements for manufacturers, covering the planning, design, development and maintenance of such products. These obligations must be met at every stage of the value chain. The CRA also requires manufacturers to handle vulnerabilities during the lifecycle of their products. Some products of particular relevance for cybersecurity may need to undergo a third-party assessment by a notified body before they are sold on the EU market.
Products will bear the CE marking to indicate that they comply with the CRA requirements, and national market surveillance authorities will enforce the rules.
The CRA entered into force on 10 December 2024. The main obligations introduced by the Act will apply from 11 December 2027, with reporting obligations to apply as of 11 September 2026.
The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and EU Security Union Strategy. It complements other legislation in this area, specifically the NIS2 Directive.
Find out more about the implementation of the Cyber Resilience Act.
Related Content
Dig deeper
- The CRA acknowledges that manufacturers along the entire supply chain are responsible for security...
- Member States play an essential role in the implementation of the CRA. In particular, they are...
- The text below summarises the main provisions of Regulation (EU) 2024/2847, in order to support the...
- Most products, such as household appliances, computer games or mobile applications, will be subject...
- It is important to provide support to microenterprises and small and medium-sized enterprises (MSMEs...
- The Cyber Resilience Act has a special approach to free and open-source software, given its central...
- Technical standards play an important role in facilitating the CRA implementation.
- As of 11 September 2026, manufacturers are required to report actively exploited vulnerabilities and...