The Cyber Resilience Act (CRA) is an EU regulation that creates horizontal cybersecurity rules for "products with digital elements" (PDEs) — essentially any hardware or software product that can connect to a device or network. It was proposed by the European Commission in September 2022, politically agreed by the Council and European Parliament in late 2023, and formally adopted in 2024 as Regulation (EU) 2024/2847, entering into force in December 2024. Most substantive obligations apply from late 2027, with vulnerability-reporting duties kicking in earlier.
Core obligations fall mainly on manufacturers, with lighter duties for importers and distributors. They must:
- Design and deliver products with a level of cybersecurity appropriate to the risks, following the "essential requirements" in Annex I.
- Provide security updates throughout a defined support period (default expectation: at least five years, or the product's expected lifetime if shorter).
- Conduct a conformity assessment and affix the CE marking; critical categories listed in Annex III/IV may require third-party assessment.
- Notify actively exploited vulnerabilities and severe incidents to ENISA and the relevant national CSIRT within 24 hours of awareness, with follow-up reports.
- Maintain a software bill of materials (SBOM) and a coordinated vulnerability disclosure policy.
The CRA carves out products already covered by sector-specific rules (medical devices, motor vehicles, civil aviation, certain marine equipment). Free and open-source software developed outside commercial activity is largely excluded; a new category of "open-source software stewards" carries lighter obligations.
Penalties are significant: up to €15 million or 2.5% of worldwide annual turnover for breaches of essential requirements, whichever is higher.
The CRA complements rather than replaces NIS2 (which targets operators of services) and the EU Cybersecurity Act (which created ENISA's certification schemes). Together they form the backbone of the EU's product- and operator-level cybersecurity architecture.
Example
In 2024, the EU formally adopted the Cyber Resilience Act, meaning that by 2027 a smart-doorbell manufacturer selling in Germany must ship security patches, publish an SBOM, and report exploited vulnerabilities to ENISA within 24 hours.
Frequently asked questions
It entered into force in December 2024. Vulnerability and incident reporting obligations apply earlier, but the main manufacturer obligations apply from late 2027 (36 months after entry into force).
Keep learning