The Cyber Resilience Act (CRA) is a European Union regulation that establishes mandatory cybersecurity requirements for "products with digital elements" — meaning hardware and software placed on the EU single market. Proposed by the European Commission in September 2022, it was politically agreed by the European Parliament and Council in late 2023, adopted in 2024, and entered into force on 10 December 2024. Most obligations apply from 11 December 2027, with earlier deadlines for vulnerability reporting (from September 2026).
The CRA targets a gap left by earlier EU legislation: while the NIS2 Directive regulates the cybersecurity of operators, and the Radio Equipment Directive covers wireless devices, no horizontal rule governed the security of connected products themselves. Under the CRA, manufacturers must:
- Conduct cybersecurity risk assessments and design products to be secure by default.
- Provide security updates throughout a defined support period (typically at least five years, or the expected product lifetime if shorter).
- Report actively exploited vulnerabilities and severe incidents to ENISA and the relevant national CSIRT, generally within 24 hours of awareness.
- Affix the CE marking to demonstrate conformity, with stricter third-party assessment for "important" and "critical" product categories such as password managers, operating systems, industrial firewalls, and smart meters.
Importers and distributors carry secondary obligations. Non-compliance can trigger administrative fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher.
Notable exclusions include products already covered by sectoral regimes — medical devices under Regulation 2017/745, motor vehicles under Regulation 2019/2144, civil aviation under Regulation 2018/1139 — and pure software-as-a-service (which falls under NIS2). After lobbying by the open-source community, non-commercial free and open-source software is largely exempt; "open-source software stewards" face a lighter, tailored regime. The CRA is often discussed alongside the AI Act and Data Act as part of the EU's broader digital rulebook.
Example
In October 2024, the Council of the EU formally adopted the Cyber Resilience Act, requiring manufacturers such as smart-device makers to issue security updates and to report actively exploited vulnerabilities to ENISA within 24 hours.