The Cyber Resilience Act (CRA) is a new EU regulation aimed at improving the cybersecurity of products that include digital elements—from everyday smart devices like baby monitors and smartwatches to more complex connected systems. These products are becoming increasingly common, yet many users remain unaware of the security risks they can pose.
The CRA ensures that manufacturers and retailers are responsible for cybersecurity throughout a product’s entire lifecycle, from design to disposal. It addresses issues such as weak default security, lack of updates, and the difficulty consumers face in identifying secure products.
Under the CRA, mandatory cybersecurity standards apply to the design, development, production, and maintenance of connected products. This includes requirements for manufacturers to issue timely security updates and ensure products remain secure even after being sold. Some high-risk digital products will also need independent third-party assessments before entering the EU market.
The regulation covers nearly all connected devices, except for those already governed by sector-specific rules (such as medical devices, aviation, or automotive) or certain open-source software. Products that meet the CRA requirements will carry the CE marking, helping buyers easily identify secure, compliant items.
By shifting more responsibility onto manufacturers, the CRA allows consumers and businesses to make better-informed choices with greater confidence in the digital security of the products they use.
The CRA officially took effect on 10 December 2024, with the main requirements becoming enforceable from 11 December 2027.
To support implementation, a CRA Expert Group is also being established to provide guidance and advice to the European Commission.
The Cyber Resilience Act is a key part of the EU’s broader strategy to build a secure digital environment, complementing existing initiatives such as the 2020 EU Cybersecurity Strategy, the EU Security Union Strategy, and the NIS2 Directive.
Source – European Commission
