The Cyber Resilience Act (CRA) has officially been adopted, marking a major step towards enhancing cybersecurity standards across the EU. Its publication in the Official Journal of the European Union (EUR-Lex) as Regulation 2024/2847was the final step in the legislative process for the CRA. The act establishes horizontal cybersecurity requirements for products with digital elements, addressing widespread vulnerabilities and inconsistent security update practices, with the aim of improving the security and resilience of digital products throughout their lifecycle.
This final step defines the deadlines as follows:
- December 10, 2024: Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA will enter into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.
- September 11, 2026: Reporting obligations for stakeholders take effect.
- December 11, 2027: Full application of the regulation.
The CRA introduces horizontal cybersecurity standards applicable to hardware, software, and digital services. The goal is to address widespread vulnerabilities and ensure that manufacturers prioritize security throughout a product’s lifecycle.
The regulation requires manufacturers to adopt vulnerability management processes and ensure timely security updates. It emphasizes transparency in the product lifecycle, obligating manufacturers to clearly communicate the duration of support for security updates.
The act also includes provisions to support microenterprises and small businesses, particularly in understanding and complying with the cybersecurity standards required by the regulation.
The Scope and Specific Provisions of the Cyber Resilience Act (CRA) require that all products with digital elements meet mandatory cybersecurity standards before being sold in the EU. Products must also display the CE marking, indicating compliance with EU safety regulations. Additionally, the CRA distinguishes between “important” and “critical” products, with stricter assessments applied to higher-risk products to ensure greater security.
Furthermore, the CRA ensures consumers are better informed about the security features of digital products, providing them with tools to choose secure devices and ensuring a safer digital environment for end-users, including children.
Overall, the Cyber Resilience Act sets the foundation for a more resilient digital landscape in Europe by mandating essential cybersecurity measures for all digital products. Emphasizing transparency, the CRA requires from manufacturers to prioritize cybersecurity at every stage – from design to end-of-life – while ensuring users are informed about security support periods. By harmonizing requirements across the EU, the act aims to foster a secure digital market while minimizing risks for consumers and businesses alike.
For more details, see the full regulation on EUR-Lex.