
Cyber Resilience Act (CRA)


The Cyber Resilience Act (CRA) is a proposed law by the European Commission that, for the first time, establishes binding cybersecurity requirements for digital products and software offered on the European internal market. The goal of the CRA is to ensure a high level of cybersecurity throughout the entire lifecycle of a product—from development and usage to disposal.

The CRA takes a risk-based approach and sets out specific obligations for manufacturers, importers, and distributors of digital products. These include:

· Secure product design (“security by design”)
· Regular updates and vulnerability remediation
· Transparent communication about known security issues
· Mandatory risk assessments prior to market release

The CRA is particularly relevant for manufacturers of Internet of Things (IoT) devices, software vendors, providers of digital services, and products with embedded software. Open-source software is also covered under certain conditions.

A key component of the CRA is the obligation to report serious security incidents within 24 hours, as well as a conformity assessment process that ensures products meet essential security requirements before entering the market.

The CRA is expected to fully enter into force in the course of 2025. Companies must begin preparing early by aligning their product development with the new requirements and implementing processes for security documentation.

In the long term, the CRA aims to strengthen trust in digital products, reduce security vulnerabilities, and safeguard Europe’s competitiveness in the global technology market.
