The Cyber Resilience Act (CRA) is the first EU legislation to lay down binding cybersecurity requirements for products with digital elements. The regulation came into force on December 11, 2024, and companies now have three years to implement its requirements. Here is what they should consider now.
These products are covered by the Cyber Resilience Act
The regulation places greater responsibility on manufacturers to ensure the security of hardware and software products. At the heart of the law are new obligations for manufacturers to provide software updates that fix security vulnerabilities and provide security support to consumers. By improving transparency on cyber risks and product safety, the law enables consumers to make more informed choices about products available on the EU market.
All products sold in the EU that contain "digital elements" must meet the requirements of the CRA. This includes low-cost consumer products as well as B2B software and complex high-end industrial systems. "Products with digital elements" are defined in the CRA as products that can be connected to a device or network and include both hardware products with networked functions (e.g. smartphones, laptops, smart home products, smartwatches, networked toys, but also microprocessors, firewalls and smart meters) and pure software products (e.g. accounting software, computer games, mobile apps).
Non-commercial open source software products are exempt from the CRA and therefore do not have to fulfill the requirements of the CRA.
What's next with the Cyber Resilience Act
Products will bear the CE marking to indicate that they meet the requirements of the regulation. The main obligations of the law will apply from December 11, 2027.
- 12.2024: CRA comes into force
- 12.2026: Conformity assessment bodies can assess conformity with the requirements of the CRA.
- 12.2027: New products must meet all CRA requirements.
The German Federal Office for Information Security (BSI) recommends that companies take the requirements of the CRA into account as early as the product development stage. Manufacturers must carry out a risk assessment for their products and address potential cyber security risks.
According to the design principle "secure by design", networked products must be designed with cyber security in mind, e.g. by ensuring that data stored or transmitted with the product is encrypted and that the attack surface is kept as small as possible.
According to the configuration principle "secure by default", the default settings of networked products must contribute to increasing their security, e.g. by prohibiting weak default passwords or installing security updates automatically.
The mandatory handling of product vulnerabilities should already be taken into account during development. The basis for this is the integration of tools for creating software bills of materials (SBOMs). For software, an SBOM is the equivalent of a list of ingredients for food: it lists which libraries and other software components are used in the product. The CRA prescribes the creation of an SBOM, but the SBOM does not have to be published.
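To make the "list of ingredients" concrete, the following is an added example (not code from the BSI FAQ or from any CRA tooling) that turns a constructed, pinned Python requirements list into a minimal SBOM in the CycloneDX 1.5 JSON format. The product name, version and the sample dependencies are made-up values; the point is that each component is recorded with its exact version and a package URL (purl), which is what later vulnerability matching relies on.

```python
"""Minimal SBOM builder emitting CycloneDX 1.5 JSON.

Added illustration only, not code from the BSI FAQ or any CRA tooling.
Input: a constructed pinned requirements list (name==version lines).
Output: a CycloneDX-style document listing every component with a
package URL (purl) so the inventory can be matched against
vulnerability databases throughout the product's support period.
"""
import json
import re
from typing import Dict, List

# Constructed sample input: what a pinned requirements.txt might contain.
SAMPLE_REQUIREMENTS = """\
# web framework and HTTP client
Flask==3.0.0
requests==2.31.0   # pinned for reproducible builds
PyYAML==6.0.1
"""

# Accept only exact "name==version" pins; anything else is ambiguous.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")


def parse_pinned_requirements(text: str) -> List[Dict[str, str]]:
    """Return [{'name': ..., 'version': ...}] for every exact pin.

    Comment-only and blank lines are skipped. Names are lowercased,
    which is how PyPI package URLs are written. A range or unpinned
    specifier cannot be inventoried exactly, so it is rejected rather
    than guessed at.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        match = _PIN_RE.match(line)
        if not match:
            raise ValueError(f"not an exact pin: {line!r}")
        name, version = match.group(1).lower(), match.group(2)
        components.append({"name": name, "version": version})
    return components


def build_sbom(product_name: str, product_version: str, requirements_text: str) -> dict:
    """Assemble a CycloneDX 1.5 JSON document describing the product and its components."""
    comps = parse_pinned_requirements(requirements_text)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            # The product itself (hypothetical name/version supplied by the caller).
            "component": {
                "type": "application",
                "name": product_name,
                "version": product_version,
            }
        },
        "components": [
            {
                "type": "library",
                "name": c["name"],
                "version": c["version"],
                # purl: a package URL identifying the exact artifact, e.g. pkg:pypi/flask@3.0.0
                "purl": f"pkg:pypi/{c['name']}@{c['version']}",
            }
            for c in comps
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom("example-app", "1.0.0", SAMPLE_REQUIREMENTS), indent=2))
```

Real projects would generate this from the resolved dependency tree (including transitive packages) rather than from a hand-written file, but the structure is the same: one component entry per ingredient, each with a version precise enough to be checked against published vulnerability advisories.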
Further CRA requirements
Declaration of conformity
Manufacturers need a declaration of conformity to prove that the respective product with digital elements fulfills all requirements of the CRA. The conformity assessment procedure to be applied depends on the product category: for most products it is a self-assessment by the manufacturer, for a few it is an assessment by a notified body.
Obligation to report
A new central reporting platform will be set up to facilitate the exchange of information on actively exploited vulnerabilities and serious security incidents. These vulnerability reports must be submitted via the reporting platform.
Support obligation
Security updates must be made available to the end user throughout the entire product life cycle.
The Cyber Resilience Act complements the NIS2 cybersecurity framework, which came into force last year. It is part of a series of comprehensive measures that the EU is taking to strengthen cyber security in an increasingly digital and interconnected Europe.
Source: FAQs from the Federal Office for Information Security on the Cyber Resilience Act