The Cyber Resilience Act (CRA), introduced under Regulation (EU) 2024/2847, represents a significant step in strengthening cybersecurity across all products with digital elements in the European Union. This landmark legislation sets comprehensive security requirements for manufacturers, distributors, and importers, aiming to protect both businesses and consumers from the increasing threat of cyberattacks.
The CRA covers a wide range of digital products, including connected devices, software applications, and critical network tools. It mandates the following requirements:
- Products must be designed with security in mind, ensuring their protection throughout their lifecycle.
- Manufacturers must clearly communicate cybersecurity risks and the timelines for security updates.
- Manufacturers must address vulnerabilities in a timely manner, providing updates and communicating with users to ensure their safety.
By establishing a unified regulatory framework across EU member states, the CRA reduces legal inconsistencies and simplifies compliance for businesses, while improving the overall security of digital ecosystems.
The CRA establishes specific timelines to help manufacturers transition smoothly:
- Entry into Force: November 20, 2024, following its publication in the EU Official Journal.
- Application Date: Full implementation of the CRA provisions will be required 24 months after the entry into force (November 20, 2026).
- Transitional Period for CE Marking: Products already on the market before the application date can continue to be sold until December 31, 2027, as long as they meet the minimum cybersecurity standards.
Manufacturers are encouraged to use this transitional period to align their products and processes with the new requirements, including necessary documentation and conformity assessments.
The CRA is a crucial step toward building a secure and resilient digital future in the EU, paving the way for safer digital environments across industries.