Despite the rapid digitalization across Europe, many connected devices and software products still enter the market with inadequate security, unpatched vulnerabilities, and no clear accountability. Users, both consumers and businesses, are often left in the dark about the security risks of the digital products they rely on daily.
At the same time, cyberattacks have evolved from isolated technical incidents into events that threaten public safety, economic stability, democratic institutions, and critical infrastructure. As the number and variety of connected digital devices continues to grow, so does the urgency to address this expanding attack surface.
While sectors like healthcare, aviation, and finance have traditionally been subject to cybersecurity regulations, most general-purpose hardware and software have remained unregulated, until now.
The Cyber Resilience Act (Regulation (EU) 2024/2847) is the European Union’s first comprehensive legal framework that sets binding cybersecurity requirements for almost all digital products placed on the EU market. This includes everything from consumer IoT devices and embedded systems to complex enterprise software and cloud-connected applications.
The CRA aims to:
Ensure all digital products are secure by design and by default
Reduce vulnerabilities at the time of release
Promote transparency around security updates and support periods
Make manufacturers accountable for cybersecurity throughout the entire product lifecycle
A key principle of the CRA is the recognition that even low-risk or non-critical devices, such as smart lightbulbs or baby monitors, can be exploited to gain access to larger networks. Therefore, all products with digital elements must be developed with security in mind, whether they connect via APIs, network sockets, files, or other interfaces.
Moreover, the regulation enhances supply chain resilience by ensuring that cybersecurity responsibilities extend across vendors, integrators, and developers. It aims to empower users, both consumers and businesses, by giving them visibility into the security posture of the products they use, including disclosure of support periods and the availability of security updates.
By harmonizing rules across Member States and making security a baseline expectation for market access, the CRA represents a significant step toward a digitally resilient Europe.
This regulation is not just about compliance; it is about trust, innovation, and securing the digital future.
The Act establishes cybersecurity requirements for a wide range of digital products, referred to as "products with digital elements", that are placed on the EU market.
Unlike sector-specific regulations (e.g., for medical devices or automotive systems), the CRA takes a horizontal approach, applying across industries, technologies, and use cases.
The CRA applies to all products with digital elements that are (see Annex III for further detail):
Connected, directly or indirectly, to a device or network
Placed on the EU market, regardless of where they are manufactured
Intended for either consumer or commercial use
Examples include:
Software products: operating systems, databases, productivity tools, antivirus software, network monitoring tools (e.g., SIEMs)
Embedded software: firmware, microcontroller systems
Connected hardware: IoT devices, smart home appliances, wearables, industrial sensors, routers
Cloud-connected or hybrid systems, even if part of a larger platform
Note: The CRA applies to products that interact logically, not just physically. This includes:
Application Programming Interfaces (APIs)
Data flows via files, sockets, or pipes
Any networked communication interfaces
The following categories fall outside the scope of the CRA:
Products developed exclusively for national security or defense purposes
Open-source software that is:
Made available free of charge, and
Developed or maintained outside a commercial context (e.g., community-driven projects)
Products already regulated under sector-specific EU cybersecurity legislation, including:
Medical devices (Regulations (EU) 2017/745, 2017/746)
Aviation equipment (Regulation (EU) 2018/1139)
Motor vehicles (Regulation (EU) 2019/2144)
Maritime equipment (Directive 2014/90/EU)
However, open-source software may fall under the CRA if it is:
Later commercialized or
Embedded into a commercial product or
Used in critical infrastructure
The CRA places legal obligations on all actors in the supply chain, including:
Manufacturers: Hold primary responsibility for ensuring cybersecurity compliance before and after placing the product on the market
Importers: Must verify that products from outside the EU comply with CRA requirements
Distributors: Must ensure that products they place on the market are CE-marked and conformant
All parties are expected to:
Cooperate with market surveillance authorities
Maintain vulnerability handling procedures, update mechanisms, and documentation
The CRA applies to any product made available in the EU, regardless of the manufacturer’s location. This means:
Non-EU software vendors and device manufacturers must comply if their product is sold, distributed, or integrated into a system within the EU