Cyber Resilience Act Regulation (EU) 2024/2847

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the European Union's regulation on horizontal cybersecurity requirements for products with digital elements. It was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024, with most obligations applying from 11 December 2027.

Scope

The CRA applies to all products with digital elements placed on the EU market, including hardware and software products. It covers manufacturers, importers, and distributors, establishing cybersecurity requirements throughout the product lifecycle.

Key Requirements

  • Cybersecurity by design and by default for products with digital elements
  • Vulnerability handling and security update obligations for manufacturers
  • Incident and vulnerability reporting to ENISA within 24 hours (Art. 14)
  • Conformity assessment procedures based on product risk category
  • Software bill of materials (SBOM) requirements
  • Market surveillance and enforcement with fines up to EUR 15 million or 2.5% of global turnover
