Cyber Resilience Act EU

Cyber Resilience Act (CRA)

New EU regulation on cyber security - what manufacturers should know now


What is the Cyber Resilience Act about?

The Cyber Resilience Act (CRA) is a European Union regulation that, for the first time, sets comprehensive cybersecurity requirements for products with digital functions. The aim is to create a uniform level of protection throughout the internal market and thus better protect both consumers and businesses from digital threats.
It affects products that contain software and communicate with networks or other products, including many electronic components used in industry and in the private sector. The CRA was adopted in March 2024 and is expected to be fully applicable from December 2027 after a transition period.

Who exactly is affected by the CRA?

The regulation is aimed at manufacturers, importers and distributors of digital products and components – in other words, virtually all companies that develop, manufacture or place software or networked devices on the market. These include, for example:

  • Industrial control and regulation technology
  • Embedded systems with network connection
  • Firmware and operating systems
  • Smart home and IoT devices
  • Software programs with cloud or app connection
  • and much more

What does the Cyber Resilience Act require?

The core of the CRA is to ensure cybersecurity throughout the entire product lifecycle. Security aspects should be incorporated into product design (security by design) and continuously reviewed throughout the product's lifetime. Among other things, the CRA stipulates:

  • The performance of risk assessments for each product
  • Measures to protect against known vulnerabilities
  • A secure default configuration without unnecessary access
  • The provision of security updates, even after market launch
  • A process for managing security vulnerabilities (vulnerability management)
  • The reporting of actively exploited vulnerabilities to the EU agency ENISA within 24 hours

Proof of CRA compliance is provided by the CE marking on the product.

What does this mean in practice?

For manufacturers of electronic products, the CRA means an additional focus on security – right from the early development phase. The requirements apply not only to product technology, but also to internal processes, documentation and long-term support.

Companies must ensure that security aspects are taken into account throughout the entire life cycle of a product – from development and market launch to the provision of updates and the handling of potential vulnerabilities.

When does the CRA come into force?

  • Adoption by the EU Parliament: March 2024
  • Publication in the EU Official Journal: 2024
  • Transition period: 36 months
  • Mandatory application: from 2027

This page is for information purposes only – in particular for customers, partners and anyone who would like to find out about the upcoming changes in the field of cybersecurity.

Note: The content provided does not constitute legal advice.
