Front Page: NCSC-FI

The Cyber Resilience Act sets out the minimum requirements for devices and software containing a digital element that can be directly or indirectly linked to another device or to a network.

The aim of the European Union’s Cyber Resilience Act (EU)2024/2847 is to improve the security of products placed on the EU market so that these products will have fewer vulnerabilities. 

The Cyber Resilience Act is a horizontal product regulation, and compliance with its requirements will in future be demonstrated as part of the CE marking. Meeting the cybersecurity requirements of the Act will be a condition for market access in the EU.

Manufacturers will be responsible for the cybersecurity of the product for its entire lifecycle. The Regulation improves the transparency of the security of devices and software products, and it obliges the manufacturer to indicate the support period of the product clearly.

What products does the CRA apply to?

The EU’s Cyber Resilience Act (EU) 2024/2847 applies to a broad range of products. In particular, the Regulation supplements existing product regulation with requirements for software.

The Cyber Resilience Act applies to devices or software containing a digital element that can be directly or indirectly connected to another device or to a network. 

Such products include security cameras, televisions, toys, home routers and firewalls, as well as software such as games, word processors and photo editing applications.

For example, the CRA extends the cybersecurity requirements to also apply to operating systems, browsers, password management software and certain microprocessors and microcontrollers. This helps to improve cybersecurity in the entire supply chain. 

The CRA takes into account the specific features of IoT devices. The control service typically associated with an IoT device, i.e. a remote data processing solution for which the manufacturer is responsible, is considered part of the product.

A cloud solution or a component used in it falls within the scope of the regulation if it meets the definition for a remote data processing solution laid down in the regulation and its development has been the responsibility of the product manufacturer. A cloud solution may comprise, for example, the components intended for creating remote control connections.

Cloud computing services and cloud service models, such as software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), are subject to the cybersecurity obligations laid down in the NIS2 Directive (EU) 2022/2555.


The CRA does not apply to these products

The Regulation does not apply to medical devices, in vitro diagnostic medical devices, certain vehicles, marine equipment and aviation certified devices such as aircraft, as cybersecurity requirements already existing in product-specific regulations apply to them.

The Cyber Resilience Act also does not apply to products developed or modified exclusively for national security or defence purposes, or to products designed specifically for processing classified information.

Timetable


Notified bodies

The obligations concerning notified bodies will be applied as from 11 June 2026, 18 months after the entry into force of the Regulation.

Reporting of vulnerabilities

The obligations concerning the reporting of vulnerabilities will apply as from 11 September 2026, 21 months after the entry into force. These obligations cover all products within the scope of the Regulation that are on the EU market, not only products placed on the market after that date.

Essential cybersecurity requirements

The requirements applying to the security properties of a product will be applied with a transition period of 36 months. As from 11 December 2027, products placed on the EU market must be designed, developed and produced in accordance with the essential cybersecurity requirements of the Regulation. 

The Ministry of Transport and Communications will be in charge of the national implementation. 

What kind of requirements are laid down in the CRA?

Essential cybersecurity requirements

The more specific content of the cybersecurity requirements can be found in Article 13 and Annex I of the EU’s Cyber Resilience Act.

The manufacturer of a product must ensure that the product has been designed, developed and produced in accordance with the essential cybersecurity requirements set out in the Cyber Resilience Act. The CE marking indicates that the product conforms to these requirements.

These requirements apply to products that will be placed on the market after 11 December 2027. A product is placed on the market when it is made available on the market for the first time.

The essential cybersecurity requirements will be implemented on the basis of risks. The requirements applying to products include the following, among other things:

  • Secure default configuration and automatic security updates
  • Protection against unauthorised access
  • Confidentiality of stored data and data minimisation
  • Protection of the availability of essential functions

Harmonised standards and technical specifications will describe in more detail how the requirements can be met. When completed, the harmonised standards will be published in the Official Journal of the European Union.

Reporting of vulnerabilities

As from 11 September 2026, manufacturers of products placed on the EU market must report any actively exploited vulnerability in the product to the CSIRT and to ENISA. This requirement also applies to products already on the market, not only to products made available on the market for the first time.

In addition, the manufacturer is obliged to inform the users of the product of vulnerabilities affecting it and of the corrective measures available to them.

The manufacturer must report 
a) actively exploited vulnerabilities contained in the product and 
b) severe incidents having an impact on the security of the product. 

When an incident is considered significant and the manufacturer falls within the scope of the NIS2 Directive (EU) 2022/2555, an NIS notification is also submitted. 

The notification procedure follows the same principle as in the NIS2 Directive. An early warning is submitted within 24 hours of the manufacturer becoming aware of the actively exploited vulnerability or severe incident, and a more detailed notification within 72 hours. A final report follows once corrective or mitigating measures are available.

Manufacturers, vulnerability researchers and other actors can voluntarily notify the CSIRT or ENISA of vulnerabilities in a product or of cyber threats that could affect the risk profile of the product. Incidents affecting the security of the product and near misses can also be reported.

ENISA is preparing a centralised system for notifying vulnerabilities.

Placing a product on the market

Placing a product on the market means making a product available on the European Union market for the first time. In practice, this means that the device has been brought to the EU market from a third country or it has left the manufacturing site in the EU and entered the supply chain. The placement on the market is examined separately for each individual device.

The manufacturer must ensure the conformity of the product before it is placed on the market. The EU’s Cyber Resilience Act, or the CRA (EU) 2024/2847, applies to all products within its scope that are made available on the EU market. It contains requirements for the technical properties of the product and for its documentation and markings. Products complying with the requirements of the CRA can move freely within the entire EU.

The Cyber Resilience Act imposes obligations on the whole lifecycle of the product.

How to place a product on the market 
 

1

The product is developed

The manufacturer familiarises itself with the content of the Cyber Resilience Act. 

A software product or a device that can be connected to a network is developed. The security properties of the product are implemented on the basis of a cybersecurity risk assessment.

2

The conformity of the product is assessed

The manufacturer determines how the conformity of the product must be assessed.

In some situations, an assessment by a notified body or a cybersecurity certificate is required for conformity.

The product must pass the conformity assessment and comply with the Cyber Resilience Act.

3

The product is placed on the market

An EU declaration of conformity and the necessary technical documents are drawn up for the product.

A CE marking is attached to the product. A support period is indicated for the product.

4

Post-market monitoring

At this stage, the product is subject to market surveillance.

After placing the product on the market, the manufacturer must remedy vulnerabilities in the product in accordance with the risk assessment for the duration of the support period. The manufacturer must report actively exploited vulnerabilities and severe incidents affecting the security of the product to the CSIRT and to ENISA.

The risk assessment of the product must be updated as necessary. Product compliance must be reassessed if significant changes are made to the product.

Harmonised standards

Standards will have an important role in the implementation of a product’s conformity.

Horizontal and vertical (industry-specific) standards have been considered in preliminary discussions. Vertical standards are due especially for products in Annex III.

When the Regulation enters into force, the Commission will send a standardisation request to European standardisation organisations.

The harmonised standards will be published in the Official Journal of the European Union.

Notified bodies under the CRA

The provisions on notified bodies will apply as from 11 June 2026. To be able to assess the conformity of a product, a notified body must be notified for the scope of the CRA (EU) 2024/2847. Notified bodies are listed in the Commission’s NANDO database.

European cybersecurity certificate

A European cybersecurity certificate issued under a certification scheme adopted under the Cybersecurity Act (EU) 2019/881 may also be used to demonstrate that a product conforms to the essential cybersecurity requirements.

The Transport and Communications Agency Traficom is responsible for the tasks of the national cybersecurity certification authority referred to in the EU’s Cyber Resilience Act. Familiarise yourself with the activities and read more about the Cybersecurity Act and European cybersecurity certification on the national cybersecurity certification authority’s website.

Obligations of economic operators 

Manufacturers, importers and distributors of products are responsible for ensuring that the devices and software made available to users comply with the requirements of the EU’s Cyber Resilience Act.

We will supplement this page with information on the content of these obligations.

For notified bodies

Is your organisation willing to apply for the status of a notified body referred to in the CRA?

In the national implementation, special attention is paid to the number of notified bodies. If the number of bodies is not sufficient, there is a risk of bottlenecks in the market access of products.

Considerable business opportunities are also seen for notified bodies because it has been estimated that the number of products requiring assessment in all of Europe may be high. 

The provisions concerning notified bodies will be applied as from 11 June 2026, 18 months after the regulation has entered into force. 

We will supplement the website with information on how to apply for the status of a notified body referred to in the CRA.
