The Cyber Resilience Act (CRA) is a comprehensive EU regulation establishing cybersecurity requirements for products with digital elements (hardware and software) to ensure their security throughout the lifecycle and protect consumers from cyber risks. The regulation introduces mandatory essential cybersecurity requirements for manufacturers, including vulnerability handling, security updates, and incident reporting. It establishes conformity assessment procedures and market surveillance mechanisms to verify compliance.

Key provisions include:
- Essential cybersecurity requirements for products’ properties (secure by default, protection from unauthorized access, data protection) and vulnerability handling processes
- Obligations for manufacturers to assess cybersecurity risks, provide security updates during a support period of at least 5 years, and report incidents
- Classification of products into important (Class I and II) and critical categories with different conformity assessment procedures
- Market surveillance framework with authorities designated by Member States to monitor compliance and enforce requirements
- Penalties for non-compliance up to €15 million or 2.5% of global turnover
The regulation aims to improve the cybersecurity of connected products in the EU market by setting horizontal requirements applicable across sectors. It introduces new obligations for economic operators while considering the specific needs of SMEs and open-source software. The requirements will apply from December 2027, with certain provisions taking effect earlier.