Shaping Europe’s digital future

EU Cyber Resilience Act

New EU cybersecurity rules ensure safer hardware and software.


From baby monitors to smartwatches, products and software that contain a digital component are omnipresent in our daily lives. Less apparent to many users is the security risk such products and software may present.

The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.

The problem addressed by the Regulation is two-fold.

First is the inadequate level of cybersecurity inherent in many products, or inadequate security updates to such products and software.

Second is that consumers and businesses are currently unable to determine which products are cybersecure, or to set them up in a way that keeps them secure.

The Cyber Resilience Act will guarantee:

  • harmonised rules when bringing to market products or software with a digital component;
  • a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products, with obligations to be met at every stage of the value chain;
  • an obligation to provide duty of care for the entire lifecycle of such products.

When the Regulation enters into force, software and products connected to the internet will bear the CE marking to indicate that they comply with the new standards. By requiring manufacturers and retailers to prioritise cybersecurity, the Regulation will empower customers and businesses to make better-informed choices, confident of the cybersecurity credentials of CE-marked products.

The Regulation was announced in the 2020 EU Cybersecurity Strategy, and complements other legislation in this area, specifically the NIS2 Framework.

It will apply to all products connected directly or indirectly to another device or network, except for specified exclusions such as open-source software, and products or services already covered by existing rules, as is the case for medical devices, aviation and cars.

The Regulation is expected to enter into force in early 2024. Manufacturers will have to apply the rules 36 months after their entry into force. The Commission will then periodically review the Act and report on its functioning.

