Skip to main content
Cyber Resilience Act

Status: In draft

  • Commission’s proposal published 15 September 2022
  • Final text adopted by Parliament on 12 March 2024, see Corrigendum (reflecting the political agreement reached between Parliament and Council), formal endorsement by Council on 10 October 2024. Entry into force 20 days after publication in the Official Journal of the EU (likely Q4 2024)
  • Application 36 months after entry into force (likely Q4 2027) of generally all rules of the CRA, with certain exceptions where obligations are applicable earlier: (1) 21 months after entry into force for the reporting obligations of manufacturers for incidents and vulnerabilities, (2) 18 months after entry into force for the establishment of national conformity assessment bodies

Summary

Horizontal regulation that covers all wired and wireless products connected to the internet and software.

Scope

  • Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software​ placed on the EU market

Key elements

  • Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
  • Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking​

Challenges

  • Definition of hardware and software products that fall under the CRA is still being discussed
  • Overlap with other Acts of the EU Digital Strategy

Blogs

Top EU data regulation trends for 2023

2022 was a year full of challenges for global businesses, and in particular in the realm of data protection regulation in the...

Author(s): Christoph Werkmeister, Michael Schwaab, Annabelle Hamelin

  • eu digital strategy
  • eu digital services act
  • eu digital markets act
  • eu nis2 directive
  • eu data governance act
  • eu data act
  • eu ai act
  • eu cyber resilience act
  • eu ai liability directive
  • gdpr

Cybersecurity Resilience Act - EU proposes stricter cybersecurity rules for connected products

The European Commission proposed a Cyber Resilience Act (CRA) on 15 September 2022 aimed at protecting consumers and business...

Author(s): Julia Utzerath, Theresa Ehlen, Christoph Werkmeister, Eugene McQuaid

  • cyber security
  • data
  • internet of things
  • product liability
  • eu digital strategy
  • eu cyber resilience act
  • eu nis2 directive
  • eu ai act
  • eu data act
  • gdpr
Previous
Next

Country Selector

Our regional experience

Europe

Americas

Asia-Pacific

Middle East

Africa

International language sites