Cyber Resilience Act (CRA)
Regulation (EU) 2024/2847 (in force)

Regulation on Horizontal Cybersecurity Requirements for Products with Digital Elements (Cyber Resilience Act)

Also known as: Cyber Resilience Act (CRA)

The CRA is the EU's first horizontal cybersecurity law for products with digital elements, covering hardware and software alike, from consumer smart devices to standalone applications and components. It requires manufacturers to build security in by design, maintain security throughout the product lifecycle, report actively exploited vulnerabilities and severe incidents, and provide security updates for a defined support period. It entered into force on 10 December 2024; the vulnerability and incident reporting obligations apply from 11 September 2026, and the remaining obligations apply from 11 December 2027.

Jurisdiction
European Union
Regulator
National market surveillance authorities of the Member States enforce the regulation; ENISA (European Union Agency for Cybersecurity) and the national CSIRTs receive vulnerability and incident reports through the single reporting platform
Effective
Entered into force 10 December 2024; reporting obligations apply from 11 September 2026; applies in full from 11 December 2027
Sector
technology

Full Text / Summary

The CRA introduces mandatory cybersecurity requirements for all products with digital elements placed on the EU market, whether hardware or software. The conformity assessment route depends on the product's category:
(1) Default: most products; manufacturer self-assessment (internal control).
(2) Important, Class I: products listed in Annex III, Class I (e.g., identity and privileged access management software, password managers, browsers, products with VPN functions, network management systems, SIEM systems, operating systems, routers and switches); self-assessment is permitted only where harmonised standards, common specifications or a European cybersecurity certification scheme are applied in full, otherwise third-party assessment is required.
(3) Important, Class II: products listed in Annex III, Class II (e.g., hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers); mandatory third-party assessment.
(4) Critical: products listed in Annex IV (e.g., hardware devices with security boxes, smart meter gateways, smartcards and secure elements); the Commission may require a European cybersecurity certificate, and absent that requirement they follow the Class II procedure.
Regardless of category, manufacturers must meet the essential requirements of Annex I, which include a secure-by-default configuration, no known exploitable vulnerabilities at the time the product is made available, a software bill of materials in a machine-readable format covering at least the top-level dependencies, and a coordinated vulnerability disclosure policy. Security must be maintained throughout the product lifecycle: the support period must reflect the time the product is expected to be in use and be at least 5 years, unless the product is expected to be in use for less than that, and each security update must remain available for at least 10 years after it is issued or for the rest of the support period, whichever is longer. Actively exploited vulnerabilities and severe incidents must be reported via the single reporting platform with an early warning within 24 hours, a notification within 72 hours, and a final report within 14 days of a corrective measure becoming available (vulnerabilities) or within one month of the notification (incidents).