EU Cyber Resilience Act: New Mandatory Cybersecurity Requirements

The European Union’s Cyber Resilience Act (CRA) introduces the first mandatory cybersecurity requirements for products with digital elements sold within the European Single Market. Designed to address the growing frequency of cyberattacks, the regulation mandates that manufacturers, importers, and distributors ensure their hardware and software meet strict security standards throughout their entire lifecycle. For small and medium-sized enterprises (SMEs), this transition requires a fundamental shift in how digital products are developed, documented, and maintained, according to the European Commission.

The regulation, which was officially adopted by the European Parliament in March 2024 and the Council in October 2024, aims to close the security gaps that have historically left connected devices vulnerable to exploitation. By establishing a harmonized framework, the CRA seeks to protect consumers and businesses alike while ensuring that security is “built-in” rather than treated as an afterthought. As noted by the Council of the European Union, the rules apply to almost all products connected to a network, ranging from smart home appliances to industrial control systems.

What the Cyber Resilience Act Demands of Businesses

At the core of the CRA is the requirement for manufacturers to conduct thorough risk assessments and implement security-by-design principles. Companies must demonstrate that their products are free from known vulnerabilities at the time of release and provide ongoing security updates for a period commensurate with the product’s expected lifespan. According to the European Union Agency for Cybersecurity (ENISA), which will play a central role in supporting the implementation of the act, transparency is a key pillar of the new regime.

Manufacturers are now obligated to provide users with clear information regarding security features, including the duration of support and the availability of software patches. This documentation must be accessible and easy to understand, allowing consumers to make informed purchasing decisions. For SMEs, the regulation includes provisions designed to reduce administrative burdens, such as simplified conformity assessment procedures for lower-risk products. However, the requirement for a “CE marking” remains, serving as a visible declaration that the product complies with all relevant EU safety and security standards, as specified in the official text of the Regulation.

Why SMEs Must Prepare Now

The impact on medium-sized enterprises (the “Mittelstand”) is significant, as many firms will need to overhaul their development cycles to incorporate security testing as a standard practice. Unlike large corporations that may already have dedicated cybersecurity teams, smaller firms often operate with limited resources. The CRA requires these businesses to manage the entire supply chain, meaning they are responsible not only for their own software but also for the security of third-party components they integrate into their products.

To assist with this, the European Commission has established the CRA Single Portal, which provides guidance and resources to help companies navigate the complex regulatory landscape. The transition period is finite; manufacturers have 36 months from the date of entry into force to align their internal processes with the new requirements. During this time, companies are encouraged to audit their existing product portfolios and identify which items fall under the scope of the new rules, particularly those categorized as high-risk, which may require third-party assessment.

Timeline for Compliance and Implementation

Following the final adoption of the act, the clock has started on the implementation phase. The regulation enters into force 20 days after its publication in the Official Journal of the EU. While the full application of the rules is set for 36 months after entry into force, certain provisions, such as the reporting obligations for incidents and vulnerabilities, will take effect sooner—specifically 21 months after the regulation’s entry into force, according to the European Council.

Businesses are advised to monitor the official publications of the European Commission for further delegated acts that will specify technical requirements for different product categories. As the industry moves toward this new standard, proactive engagement with industry associations and legal advisors is recommended to ensure that internal product development roadmaps are compliant by the deadline. The European Commission plans to release ongoing updates and technical guidance to support stakeholders throughout this transition period.