EU Regulation 2024/2847: New Cybersecurity Requirements for Digital Products from 2027

Published on 2024-10-23 by Administrator

Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements, amending Regulations (EU) 168/2013 and (EU) 2019/1020, and Directive (EU) 2020/1828 (Cyber Resilience Act), has been published in the Official Journal of the European Union. The CRA will apply from 11 December 2027 and will be directly applicable in all EU countries.

The Cyber Resilience Act (CRA) describes the cybersecurity requirements for hardware and software with digital components marketed in the European Union. Digital hardware and software are among the main avenues for successful cyberattacks. In a connected environment, a cybersecurity incident in one product can affect an entire organization or supply chain, often spreading beyond the borders of the internal market within minutes. Product cybersecurity has a particularly strong cross-border dimension, as products manufactured in one country are often used by organizations and consumers throughout the internal market.

The regulation establishes a uniform legal framework to ensure that hardware and software are designed, developed, and maintained with robust cybersecurity measures throughout their life cycle. The CRA requires manufacturers to comply with basic cybersecurity requirements, conduct risk assessments, and ensure security updates, thus supporting a safer digital environment across the EU.