The Cyber Resilience Act enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the lifecycle of their products.
From baby-monitors to smart-watches, products and software that contain a digital component are omnipresent in our daily lives. Less apparent to many users is the security risk such products and software may present.
The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying software or hardware products with a digital component. The CRA addresses the inadequate level of cybersecurity in many products, and the lack of timely security updates for products and software. It also tackles the challenges consumers and businesses currently face when trying to determining which products are cybersecure and in setting them up securely. The new requirements will make it easier to take cybersecurity into account when selecting and using products that contain digital elements. It will be more straightforward to identify hardware and software products with the proper cybersecurity features.
The CRA introduces mandatory cybersecurity requirements for manufacturers and retailers, governing the planning, design, development, and maintenance of such products. These obligations must be met at every stage of the value chain. The act also requires manufacturers to provide care during the lifecycle of their products. Some critical products of particular relevance for cybersecurity will also need to undergo a third-party assessment by an authorised body before they are sold in the EU market.
The regulation applies to all products connected directly or indirectly to another device or network except for specified exclusions such as certain open-source software or services products that are already covered by existing rules, which is the case for medical devices, aviation and cars. Products will bear the CE marking to indicate that they comply with the CRA requirements. The new rules will rebalance responsibility towards manufacturers, who must ensure their products with digital elements meet cybersecurity standards for the EU market. This will allow buyers to make more informed decisions, trusting the cybersecurity of CE-marked products.
The Cyber Resilience Act entered into force on 10 December 2024. The main obligations introduced by the CRA will apply from 11 December 2027.
Additionally, the Cyber Resilience Act Expert Group (CRA Expert Group) is being set up. The expert group will assist and advise the Commission on issues relevant to the implementation of the Cyber Resilience Act (CRA).
The CRA builds on the 2020 EU Cybersecurity Strategy and EU Security Union Strategy. It complements other legislation in this area, specifically the NIS2 Directive.
Related Content
Big Picture