The Cyber Resilience Act (CRA) is a comprehensive EU regulation establishing cybersecurity requirements for products with digital elements (hardware and software) to ensure their security throughout the lifecycle and protect consumers from cyber risks.

The regulation introduces mandatory essential cybersecurity requirements for manufacturers, including vulnerability handling, security updates, and incident reporting. It establishes conformity assessment procedures and market surveillance mechanisms to verify compliance.

Key provisions include:
- Mandatory security requirements for digital products before market placement
- Obligations for manufacturers to handle vulnerabilities and provide security updates during a defined support period (minimum 5 years)
- Requirements to report serious incidents and actively exploited vulnerabilities
- Classification of products into different risk categories (regular, important Class I/II, critical) with corresponding conformity assessment procedures
- Market surveillance framework and penalties for non-compliance
The regulation aims to improve the cybersecurity of digital products in the EU market by setting clear requirements for manufacturers while ensuring transparency for users regarding security properties and updates. It introduces a comprehensive framework covering the entire lifecycle of digital products from design to end-of-support.