The Cyber Resilience Act (CRA) is an EU regulatory framework aimed at raising the cybersecurity standards of digital products, including IoT devices. It mandates that manufacturers, developers, and distributors of hardware and software products ensure adequate cybersecurity protections and address vulnerabilities throughout the lifecycle of those products.
In the context of IoT projects, the CRA has significant implications, as it introduces strict security requirements and accountability measures.
The full text of the Act can be accessed for free in different languages on the European Union law website: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454
Why is it needed?
The framework was created in response to the growing number of cybersecurity vulnerabilities and successful cyber attacks associated with connected devices and digital products. The CRA also matters because of the rapid increase in digital products that lack adequate cybersecurity measures, leaving consumers and businesses at risk.
From when does it apply?
The Cyber Resilience Act (CRA) was officially adopted by the European Council on October 10, 2024. There is a grace period of three years, allowing companies to adapt. The CRA will therefore fully apply starting in November 2027.
For products manufactured and placed on the market before November 2027, the CRA does not retroactively impose compliance. However, from August 2026, manufacturers will need to report actively exploited vulnerabilities and significant security incidents if their products are still actively marketed in the EU. This encourages early alignment with CRA requirements.
(This article is part 1 of a series; stay tuned for more content.)