A foundational regulation with global implications, the EU CRA emphasizes cybersecurity compliance in the development and lifecycle management of secured digital products within the EU single market.

On October 10, 2024, the EU Council officially adopted the Cyber Resilience Act (EU CRA). Shortly after, on November 20, 2024, the legislation was published in the European Union’s Official Journal, marking a significant milestone in cybersecurity compliance. The EU CRA is a groundbreaking regulation designed to enhance the security of connected devices across the EU single market, enabling that cybersecurity and compliance are embedded from the initial design phase.

The Act will be fully implemented by December 11, 2027, mandating that all products meet strict security-by-design requirements to obtain CE marking. However, some key provisions take effect earlier:

• June 11, 2026 – Notification of Conformity Assessment Bodies (Chapter IV, Articles 35-51)
• September 11, 2026 – Mandatory cybersecurity incident reporting (Article 14)

What is the EU Cyber Resilience Act?

The EU CRA is a regulatory framework that establishes essential cybersecurity requirements for IoT security standards, smart home devices, and all connected digital products within the EU single market. It enforces security by design and by default, facilitating products remain appropriately secure throughout their lifecycle.

This legislation applies to all hardware and software products with digital elements, except:

• Non-commercial projects and services
• Cloud services without physical components
• Industries already covered by existing regulations, such as automotive, healthcare, and aviation

Compliance in Cybersecurity: Key Requirements

Manufacturers must take care their products are free from known vulnerabilities at launch and actively manage cybersecurity risks throughout the product's lifecycle. Failure to comply with the EU CRA may result in fines of up to 2.5% of annual worldwide revenue.