This document is an excerpt from the EUR-Lex website

Document 32024R2847

Horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)

SUMMARY OF:

Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements

WHAT IS THE AIM OF THE REGULATION?

Regulation (EU) 2024/2847, the Cyber Resilience Act (CRA), aims to strengthen cybersecurity across the European Union (EU). It sets out a comprehensive framework to ensure that digital products and services are:

  • secure by design;
  • resilient against cyber threats; and
  • capable of providing continuing protection throughout their life cycle.

It addresses the growing cybersecurity challenges posed by the increasing connectivity of devices and the rise of cyberattacks, which have significant economic and societal impacts.

KEY POINTS

The CRA has several core objectives.

  • Enhance cybersecurity across the EU by setting mandatory cybersecurity requirements for products with digital elements.
  • Promote secure practices by encouraging manufacturers to integrate cybersecurity into the product design and development phases.
  • Ensure transparency and accountability by requiring manufacturers to provide clear information about the cybersecurity features of their products and to take responsibility for addressing vulnerabilities.
  • Foster a single market for cybersecurity by harmonising rules across EU Member States to reduce fragmentation and ensure a level playing field.

Scope

The regulation applies to a wide range of products with digital elements that can connect directly or indirectly to other devices or networks and are placed on the EU market, regardless of where the manufacturer is based, including:

  • hardware products (e.g. internet-of-things (IoT) devices, smart home appliances, industrial control systems, microchips);
  • software products (e.g. video games, apps, computer programs).

Certain products are excluded, such as:

  • medical devices already covered by specific EU regulations;
  • aviation and automotive products regulated under sector-specific legislation;
  • marine equipment.

Key requirements for manufacturers

Secure by design

Manufacturers must integrate cybersecurity into product design and development. This includes, among other things, secure-by-default configurations, appropriate levels of encryption and access control mechanisms.

Risk assessment and mitigation

  • Manufacturers are required to conduct a risk assessment and keep it updated, and to implement measures to address identified vulnerabilities during the product’s life cycle.
  • If manufacturers rely on third-party components or services, they must exercise due diligence when integrating them into their products.

Transparency and documentation

Manufacturers must provide clear and comprehensive documentation, including:

  • a description of the product’s cybersecurity features;
  • instructions for secure installation, configuration and use;
  • information on how to report vulnerabilities;
  • a declaration of conformity to confirm compliance with the regulation.

Reporting incidents

Manufacturers must:

  • report severe cybersecurity incidents and actively exploited vulnerabilities to relevant national authorities and the European Union Agency for Cybersecurity (ENISA) without undue delay;
  • inform users about potential risks and provide guidance on mitigating them.

Software updates and support

  • Manufacturers must provide security updates during the product’s support period, which needs to reflect the period the product is expected to be in use.
  • Updates must address vulnerabilities and ensure the continued security of the product.

Obligations for importers and distributors

The regulation also places responsibilities on importers and distributors to ensure that products comply with cybersecurity requirements.

  • Importers must verify that manufacturers have complied with the regulation and ensure that products are labelled and documented correctly.
  • Distributors must ensure that products carry the CE marking and that information and instructions to the user have been supplied, before making them available on the market.
  • Products will bear the CE marking to indicate that they comply with the CRA requirements.
  • Non-EU manufacturers must comply with the regulation to access the EU market, potentially influencing global cybersecurity standards.

Enforcement

To ensure compliance, the regulation establishes a robust enforcement framework.

  • National market surveillance authorities will monitor compliance and carry out inspections.
  • Non-compliance can result in significant sanctions, which may include:
    • fines up to 2.5 % of the manufacturer’s global annual turnover;
    • prohibiting or restricting the availability of a product;
    • ordering a product to be withdrawn or recalled.
  • Member State authorities will share information and coordinate enforcement measures.

FROM WHEN DOES THE REGULATION APPLY?

The regulation applies from , with some exceptions:

  • reporting obligations concerning actively exploited vulnerabilities and severe incidents apply from ;
  • notification of conformity assessment bodies applies from .

BACKGROUND

For further information, see:

MAIN DOCUMENT

Regulation (EU) 2024/2847 of the European Parliament and of the Council of on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, ).

Successive amendments to Regulation (EU) 2024/2847 have been incorporated into the original text. This consolidated version is of documentary value only.
