On 10^th October 2024, the EU council adopted the Cyber Resilience Act (EU CRA), and on 20^th November, the EU CRA has been officially published in the European Union's Official Journal paving the way for its full implementation by 11^th December 2027. This is a landmark legislation aimed at enhancing the security of connected devices across the EU single market. The EU CRA sets a new standard for cybersecurity in the region, taking care that devices are designed and manufactured with security in mind from the outset. After it comes into effect in 2027, EU CRA makes it mandatory for products to fulfill its security essential requirements for getting a CE label. But that is not all – some of the key provisions, such as Chapter IV (Art. 35-51) on Notification of Conformity Assessment Bodies will become applicable on 11^th June 2026. Also, the reporting obligations under Art. 14 will become applicable from 11^th September 2026.

What is the EU Cyber Resilience Act?

The EU CRA is a regulatory framework that establishes essential requirements for the security of connected devices, including Internet of Things (IoT) devices, smart home devices, and other networked products in the European Market. The Act focuses on these devices to be appropriately secure by design, by default, and throughout their entire lifecycle.

The scope of CRA includes all hardware and software products with digital elements sold within the EU single market except non-commercial projects and services, cloud services without product components, and products that already have sufficient regulations, such as automotive, healthcare, and aviation.

It applies to digital products and includes essential requirements for incident and vulnerability management. Manufacturers need to take care their products are introduced in the EU market free of known vulnerabilities, manage security risks throughout the product's lifecycle to comply with the regulation or face fines up-to 2.5% of their annual world-wide revenue.