Cyber Resilience Act (CRA): The key points in brief

On 10.10.2024, the Council of EU Home Affairs Ministers adopted the Cyber Resilience Act (CRA). As a result, manufacturers of networked devices will in future be subject to new minimum cyber security requirements. We have summarized the most important aspects of the CRA for you.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) sets out binding requirements for the cyber security of networked devices that are placed on the market within the EU. Its aim is to create a uniform security standard for digital hardware and software products on the European market.

 

Who is affected?

The CRA affects manufacturers and developers of networked digital devices. Under the CRA, they are obliged to ensure that a device functions securely throughout its entire life cycle. Only a few product types are exempt from the CRA; these include, for example, non-commercial open source software products.

 

What does the CRA imply?

The CRA contains new minimum requirements for the security of networked devices. In future, all connected products that are placed on the market within the EU must bear the CE mark. This visibly signals to the outside world that the labeled product meets the requirements of the CRA.

The requirements that manufacturers must meet include:

  • Consideration and implementation of cyber security over the entire product life cycle (planning, development, production, operation)
  • Documentation of all cybersecurity risks
  • Reporting cybersecurity incidents to both ENISA and affected users
  • Ensuring that potential vulnerabilities are effectively addressed over the expected product life cycle (maximum 5 years)
  • Provision of security updates for at least 5 years
  • Clear and understandable operating instructions for products with digital elements

What is the current status?

The CRA was adopted by the Council of EU Home Affairs Ministers on 10.10.2024 and published in the Official Journal of the European Union on 20.11.2024 as Regulation (EU) 2024/2847. The deadlines for implementation have thus been set:

  • December 10, 2024: Entry into force of the CRA
  • June 11, 2026: Chapter IV (Notification of conformity assessment bodies) enters into force.
  • September 11, 2026: Manufacturers are obliged to inform national authorities and ENISA about actively exploited vulnerabilities in their products (notification obligations).
  • December 11, 2027: From this date, all requirements of the CRA apply. This means that all connected products placed on the market within the EU must bear a CE marking.