At a glance: The CRA enters into force on 11 December 2024. From 11 December 2027, all new products must comply with CRA requirements. Manufacturers must assess risks, remediate vulnerabilities and provide regular security updates. From 11 September 2026, vulnerabilities and security incidents must be reported.
The Cyber Resilience Act (CRA) is a new EU regulation that establishes mandatory security standards for products with digital elements. It sets out the cybersecurity requirements that manufacturers, importers and distributors must meet in order to place products on the EU market.
The Cyber Resilience Act establishes uniform security standards across the EU for hardware and software cybersecurity. The aim is to minimise security risks and protect networks, information systems, consumers and businesses.
Covered products include, for example, smartphones, laptops, smart home products, smartwatches, connected toys, microprocessors, firewalls, accounting software, computer games and mobile applications. Certain medical devices, aerospace technology and most vehicles are excluded.
The CRA divides affected products into categories: important products of Class I (for example, identity management systems, access controls, password managers and smart home systems), Class II (hypervisors, container runtime systems) and critical products with security elements.
Manufacturers must ensure that products and their processes meet certain requirements. They must prepare technical documentation, draw up declarations of conformity and affix CE markings. In addition to manufacturers, importers and distributors are also affected by the regulation. Implementation of CRA requirements will require significant changes to support and maintenance procedures for many companies.
Source: www.activemind.legal