Regulation (EU) 2024/2847, the Cyber Resilience Act (CRA), aims to strengthen cybersecurity across the European Union (EU). It sets out a comprehensive framework to ensure that digital products and services are:
secure by design;
resilient against cyber threats; and
capable of providing continuing protection throughout their life cycle.
It addresses the growing cybersecurity challenges posed by the increasing connectivity of devices and the rise of cyberattacks, which have significant economic and societal impacts.
KEY POINTS
The CRA has several core objectives.
Enhance cybersecurity across the EU by setting mandatory cybersecurity requirements for products with digital elements.
Promote secure practices by encouraging manufacturers to integrate cybersecurity into the product design and development phases.
Ensure transparency and accountability by requiring manufacturers to provide clear information about the cybersecurity features of their products and to take responsibility for addressing vulnerabilities.
Foster a single market for cybersecurity by harmonising rules across EU Member States to reduce fragmentation and ensure a level playing field.
Scope
The regulation applies to a wide range of products with digital elements placed on the EU market, regardless of where the manufacturer is based, that can connect directly or indirectly to other devices or networks, including:
hardware products (e.g. internet-of-things (IoT) devices, smart home appliances, industrial control systems, microchips);
software products (e.g. video games, apps, computer programmes).
Certain products are excluded, such as:
medical devices already covered by specific EU regulations;
aviation and automotive products regulated under sector-specific legislation;
marine equipment.
Key requirements for manufacturers
Secure by design
Manufacturers must integrate cybersecurity into product design and development. This includes, among other things, secure-by-default configurations, appropriate levels of encryption and access control mechanisms.
Risk assessment and mitigation
Manufacturers are required to conduct a risk assessment and keep it updated, and to implement measures to address identified vulnerabilities during the product’s life cycle.
If manufacturers rely on third-party components or services, they must exercise due diligence when integrating them into their products.
Transparency and documentation
Manufacturers must provide clear and comprehensive documentation, including:
a description of the product’s cybersecurity features;
instructions for secure installation, configuration and use;
information on how to report vulnerabilities;
a declaration of conformity to confirm compliance with the regulation.
Reporting incidents
Manufacturers must:
report severe cybersecurity incidents and actively exploited vulnerabilities to relevant national authorities and the European Union Agency for Cybersecurity (ENISA) without undue delay;
inform users about potential risks and provide guidance on mitigating them.
Software updates and support
Manufacturers must provide security updates during the product’s support period, which needs to reflect the period the product is expected to be in use.
Updates must address vulnerabilities and ensure the continued security of the product.
Obligations for importers and distributors
The regulation also places responsibilities on importers and distributors to ensure that products comply with cybersecurity requirements.
Importers must verify that manufacturers have complied with the regulation and ensure that products are labelled and documented correctly.
Distributors must ensure that products carry the CE marking and that information and instructions to the user have been supplied, before making them available on the market.
Products will bear the CE marking to indicate that they comply with the CRA requirements.
Non-EU manufacturers must comply with the regulation to access the EU market, potentially influencing global cybersecurity standards.
Enforcement
To ensure compliance, the regulation establishes a robust enforcement framework.
National market surveillance authorities will monitor compliance and carry out inspections.
Non-compliance can result in significant sanctions, which may include:
fines up to 2.5 % of the manufacturer’s global annual turnover;
prohibiting or restricting the availability of a product;
ordering a product to be withdrawn or recalled.
Member State authorities will share information and coordinate enforcement measures.
FROM WHEN DOES THE REGULATION APPLY?
The regulation applies from , with some exceptions:
reporting obligations concerning actively exploited vulnerabilities and severe incidents apply from ;
notification of conformity assessment bodies applies from .
Regulation (EU) 2024/2847 of the European Parliament and of the Council of on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, ).
Successive amendments to Directive (EU) 2024/2847 have been incorporated into the original text. This consolidated version is of documentary value only.
RELATED DOCUMENTS
Regulation (EU) 2024/1689 of the European Parliament and of the Council of laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, ).
Directive (EU) 2022/2555 of the European Parliament and of the Council of on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, , pp. 80–152).
Directive (EU) 2020/1828 of the European Parliament and of the Council of on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, , pp. 1–27).
Regulation (EU) 2019/881 of the European Parliament and of the Council of on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, , pp. 15–69).
Regulation (EU) 2019/1020 of the European Parliament and of the Council of on market surveillance and compliance of products and amending Directive 2004/42/EC and Regulations (EC) No 765/2008 and (EU) No 305/2011 (OJ L 169, , pp. 1–44).
Regulation (EU) 2019/2144 of the European Parliament and of the Council of on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users, amending Regulation (EU) 2018/858 of the European Parliament and of the Council and repealing Regulations (EC) No 78/2009, (EC) No 79/2009 and (EC) No 661/2009 of the European Parliament and of the Council and Commission Regulations (EC) No 631/2009, (EU) No 406/2010, (EU) No 672/2010, (EU) No 1003/2010, (EU) No 1005/2010, (EU) No 1008/2010, (EU) No 1009/2010, (EU) No 19/2011, (EU) No 109/2011, (EU) No 458/2011, (EU) No 65/2012, (EU) No 130/2012, (EU) No 347/2012, (EU) No 351/2012, (EU) No 1230/2012 and (EU) 2015/166 (OJ L 325, , pp. 1–40).
Regulation (EU) 2018/1139 of the European Parliament and of the Council of on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, , pp. 1–122).
Regulation (EU) 2017/745 of the European Parliament and of the Council of on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC (OJ L 117, , pp. 1–175).
Regulation (EU) 2017/746 of the European Parliament and of the Council of on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU (OJ L 117, , pp. 176–332).
Directive (EU) 2016/943 of the European Parliament and of the Council of on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, , pp. 1–18).
Directive 2014/90/EU of the European Parliament and of the Council of on marine equipment and repealing Council Directive 96/98/EC (OJ L 257, , pp. 146–185).
Regulation (EU) No 168/2013 of the European Parliament and of the Council of on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, , pp. 52–128).