Skip to main content
Cyber Resilience Act

Status: In force

  • In force since 10 December 2024.
  • Application: 11 December 2027 of generally all rules of the CRA, with certain exceptions where obligations are applicable earlier: (1) 11 September 2026 for the reporting obligations of manufacturers for incidents and vulnerabilities, (2) 11 June 2026 for the establishment of national conformity assessment bodies

Summary

Horizontal regulation that covers all wired and wireless products connected to the internet and software.

Scope

  • Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software​ placed on the EU market

Key elements

  • Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
  • Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking​

Challenges

  • Definition of hardware and software products that fall under the CRA is still being discussed
  • Overlap with other Acts of the EU Digital Strategy

Blogs

German Election #2: Digital Policies in the 2025 Election Campaign – How Germany’s Political Parties Want Germany to Catch Up on Digitalisation

On 23 February 2025, almost 60 million German voters will elect a new federal parliament in snap elections after the collapse...

Author(s): Alex Schmidtke

  • 2024 elections
  • ai
  • cyber security
  • data
  • data protection
  • eu ai act
  • eu cyber resilience act
  • eu data act
  • eu data governance act
  • eu digital markets act
  • eu digital strategy
  • eu nis2 directive
  • political change
  • europe

Cyber Resilience Act – How to implement the new cybersecurity rules for digital products

The Cyber Resilience Act (CRA) has become reality: it has been published in the Official Journal of the EU on 20 November 202...

Author(s): Theresa Ehlen, Lutz Riede, Christoph Werkmeister, Julia Utzerath, Christina Moellnitz, Jimena Gonzalez

  • eu cyber resilience act
  • eu digital strategy
  • cyber security

Top EU data regulation trends for 2023

2022 was a year full of challenges for global businesses, and in particular in the realm of data protection regulation in the...

Author(s): Christoph Werkmeister, Michael Schwaab, Annabelle Hamelin

  • eu digital strategy
  • eu digital services act
  • eu digital markets act
  • eu nis2 directive
  • eu data governance act
  • eu data act
  • eu ai act
  • eu cyber resilience act
  • eu ai liability directive
  • gdpr

Cybersecurity Resilience Act - EU proposes stricter cybersecurity rules for connected products

The European Commission proposed a Cyber Resilience Act (CRA) on 15 September 2022 aimed at protecting consumers and business...

Author(s): Julia Utzerath, Theresa Ehlen, Christoph Werkmeister, Eugene McQuaid

  • cyber security
  • data
  • eu cyber resilience act
  • eu digital strategy
  • gdpr
  • internet of things
  • product liability
Previous
Next

Country Selector

Our regional experience

Europe

Americas

Asia-Pacific

Middle East

Africa

International language sites