
Upcoming Cyber Resilience Requirements
The EU’s Cyber Resilience Act (Regulation (EU) 2024/2847, “CRA”) sets the framework for developing secure products with digital elements — meaning software, hardware, and their associated remote data processing solutions.
The CRA applies to devices and software containing a digital element that can be directly or indirectly connected to another device or a network. Examples include smart home products such as smart door locks, alarm systems and security cameras, personal wearable health technology, toys, household routers, firewalls, video editing software, and certain microprocessors and microcontrollers.
Manufacturers are responsible for cybersecurity throughout the entire lifecycle of their products. They must ensure that products are designed, developed, and produced in accordance with the CRA’s essential cybersecurity requirements. Compliance with these requirements is a prerequisite for affixing the required CE marking. The CRA also improves transparency by requiring manufacturers to clearly indicate the product’s support period and, where technically feasible, provide security updates separately from functionality updates.
Manufacturers must designate a single point of contact so that users can communicate with them directly and report vulnerabilities in the product. The contact details of this single point of contact must be included in the mandatory information and instructions that are supplied to users together with the product.
The main requirements of the CRA apply to products placed on the market after 11 December 2027 (a product is considered placed on the market when it is made available on the market for the first time). Products placed on the market before 11 December 2027 also become subject to the CRA if, from that date, they undergo a substantial modification.
Some other obligations take effect earlier: Article 14, covering reporting obligations, applies from 11 September 2026, and Chapter IV (Articles 35–51), covering the notification of conformity assessment bodies, applies from 11 June 2026. From 11 September 2026, manufacturers must report any actively exploited vulnerability in their products, and any severe incident having an impact on the security of the product, to the CSIRT (Computer Security Incident Response Team) and ENISA (European Union Agency for Cybersecurity) within 24 hours (with follow-up updates at the intervals defined in the CRA), and must also inform the users of the product. This requirement applies to products already on the market, not only to those made available on the market for the first time.
Failure to comply with the CRA can result in significant penalties — up to EUR 15 million or 2.5% of global annual turnover from the previous financial year, whichever is higher.
Even though the main obligations are not yet in force, manufacturers should start evaluating and preparing their products to meet the CRA’s requirements now, including the reporting duties. Compliance must be in place before products are placed on the market.