The Game-Changer is Here: EU Publishes the Cyber Resilience Act
On November 20, 2024, the Cyber Resilience Act (CRA) was published in the Official Journal of the European Union as Regulation (EU) 2024/2847. Publication is the final, formal step in a legislative process that will fundamentally reshape the market for connected products: the regulation enters into force twenty days later, on December 10, 2024.
The CRA is the EU's first horizontal product law that makes secure-by-design and secure-by-default a legal obligation. It moves product cybersecurity from an optional feature to a condition of market access, enforced through CE marking.
The Clock is Ticking
Once the regulation is in force, the compliance timeline starts running. The regulation applies in stages; the key dates for manufacturers are:
- June 11, 2026: The provisions on notified conformity assessment bodies (Chapter IV) apply, so that third-party assessment capacity is in place before the main obligations bite.
- September 11, 2026: The vulnerability and incident reporting obligations in Article 14 apply. From this date, manufacturers must submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability or a severe incident affecting the security of a product, followed by a fuller notification within 72 hours and a final report once a fix is available (for vulnerabilities, within 14 days of the corrective measure). Reports go through the single reporting platform operated by ENISA to the CSIRT designated as coordinator and to ENISA.
- December 11, 2027: The regulation applies in full. From this date, every product with digital elements placed on the EU market must meet the essential requirements in Annex I, have undergone the applicable conformity assessment, and bear the CE mark accordingly. Products already on the market before this date are not caught by the essential requirements unless they are substantially modified afterwards, but the Article 14 reporting obligations apply to them regardless.
Non-compliant products face market withdrawal and recall orders from national market surveillance authorities, and non-compliance with the essential requirements or the core manufacturer obligations can attract administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
What Does This Mean for You?
If you manufacture a product with digital elements that is placed on the EU market, you must now:
- Classify your products against the CRA's risk categories (default, important Class I and Class II, and critical), because the category determines which conformity assessment route is open to you.
- Implement secure-by-design engineering practices, including a product risk assessment, to meet the essential cybersecurity requirements in Annex I, Part I.
- Establish robust vulnerability handling processes that meet Annex I, Part II, including a coordinated vulnerability disclosure policy, a single point of contact for reporters, and security updates delivered free of charge for the product's support period.
- Prepare technical documentation, including a Software Bill of Materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies, to demonstrate conformity.
Importers and distributors carry their own, lighter obligations: they must check that the manufacturer has done the above before making a product available, and they take on the manufacturer's obligations if they rebrand or substantially modify a product.
The CRA is the most significant piece of product security legislation in a generation. It creates a level playing field for manufacturers and is intended to ensure that only products meeting its essential cybersecurity requirements can be placed on the EU market.
To understand the full scope, obligations, and timelines, dive into our complete CRA Overview.