
DIGITAL EUROPE

Cyber Resilience Act

The Cyber Resilience Act (CRA) Regulation has been in force since December 2024
The Cyber Resilience Act enhances cybersecurity standards for any hardware or software (i.e., products with a digital component) that can connect—directly or indirectly—to another device or network. It entered into force on 10 December 2024, with its main obligations applying from 11 December 2027. This law places mandatory cybersecurity requirements on manufacturers and retailers at every stage of the product lifecycle, aiming to make all connected products—from baby monitors to smart watches—safer.
Key Objectives

  1. Strengthening Cybersecurity of Digital Products
    • Covers devices, software, and services that include a digital element.
    • Introduces mandatory rules for planning, design, development, and maintenance of such products.
    • Requires timely security updates and ongoing duty of care.
  2. Better Consumer and Business Protection
    • Addresses insufficient cybersecurity in many consumer products.
    • Simplifies identifying secure devices and setting them up securely.
    • CE Marking will indicate products meet EU cybersecurity standards.
  3. Rebalancing Responsibility
    • Holds manufacturers accountable for ensuring secure product design and implementation.
    • Some critical products must undergo third-party assessment before being sold in the EU.
    • Shifts the burden away from users, who often lack technical means to verify cybersecurity.
  4. Scope and Exclusions
    • Applies to nearly all connected devices, but excludes certain categories, such as:
      • Specific open-source software.
      • Products already covered under other EU rules (e.g., medical devices, aviation, cars).
Integration with Broader EU Cybersecurity Efforts

  • EU Cyber Security Strategy: The CRA builds on the EU Cyber Security Strategy to protect both essential services (hospitals, energy grids, railways) and the increasing number of connected devices in homes and workplaces.
  • EU Security Union Strategy: Complements the EU Security Union Strategy, aiming to safeguard Europe’s digital transformation.
  • NIS2 Directive: The CRA operates alongside the NIS2 Directive, which sets broader cybersecurity requirements for critical infrastructure and essential services.
  • European Union Agency for Cybersecurity (ENISA): ENISA works to achieve a high common level of cybersecurity across Europe.
  • CRA Expert Group: The upcoming Cyber Resilience Act Expert Group will assist and advise the European Commission on CRA implementation details.

Future Outlook (2024–2029 Commission Mandate)

  • Enforcement of EU Digital Laws: Ensuring manufacturers and retailers comply with the new cybersecurity standards remains a high priority.
  • Cybersecurity in Healthcare: The European Commission will propose a European action plan on the cybersecurity of hospitals and healthcare providers, to better protect Europe’s healthcare systems from cyber threats.

By enforcing rigorous cybersecurity standards and sharing responsibility among manufacturers, retailers, and regulators, the Cyber Resilience Act helps build trust in the connected devices that are integral to modern life.
Sources: European Union, http://www.europa.eu/, 1995-2025
© 2025, eEuropa Belgium