Cyber Resilience Act

Overview

The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for hardware and software products with digital elements. It covers the entire product lifecycle from design through end-of-support and aims to address the proliferation of insecure IoT and software products.[1]

The CRA applies to products placed on the EU market regardless of where they are manufactured.

Application Timeline

Date               | Milestone
-------------------|------------------------------------------
December 10, 2024  | CRA enters into force
September 11, 2026 | Reporting obligations begin
December 11, 2027  | Full application of all requirements

Products in Scope

Covered Products

Products with digital elements that:

  • Have a direct or indirect logical or physical data connection to a device or network
  • Include hardware and software components

Categories

Category           | Requirements                           | Examples
-------------------|----------------------------------------|---------------------------------------------------------
Default            | Self-assessment                        | Most software, basic IoT
Important Class I  | Standards-based assessment             | Browsers, password managers, VPNs, network management
Important Class II | Third-party assessment                 | Operating systems, firewalls, routers, hypervisors
Critical           | Third-party assessment + certification | Hardware security modules, smart meters, smart cards

Exemptions

  • Open source software (non-commercial development)
  • SaaS (covered under other regulations)
  • Products already regulated (medical devices, vehicles, aviation)
  • Defense and national security products

Essential Cybersecurity Requirements[2]

Security by Design

Products must be designed and developed to ensure:

  1. Appropriate security level: Based on foreseeable risks
  2. No known exploitable vulnerabilities: At time of market placement
  3. Secure default configuration: Including factory reset capability
  4. Confidentiality protection: For stored, transmitted, and processed data
  5. Integrity protection: Against unauthorized modification
  6. Availability: Resilient against denial of service
  7. Minimal attack surface: Reduce potential attack vectors
  8. Incident impact limitation: Minimize breach consequences

Authentication and Access Control

  • Strong, unique default credentials, or credentials set by the user on first use
  • Protection against brute force attacks
  • Secure authentication mechanisms

Data Protection

  • Encrypted storage for sensitive data
  • Secure data transmission
  • Delete or anonymize data when no longer needed

Vulnerability Handling Requirements[3]

Manufacturers must:

  1. Identify vulnerabilities: Through testing and monitoring
  2. Document components: Maintain software bill of materials (SBOM)
  3. Address vulnerabilities: Provide security updates without undue delay
  4. Disclose vulnerabilities: Coordinate with affected parties
  5. Security updates: Free updates for the defined support period (minimum 5 years)

Vulnerability Reporting

From September 2026, manufacturers must report:

Report Type                       | Timeline
----------------------------------|-------------------------
Actively exploited vulnerability  | 24 hours to ENISA
Incident with security impact     | 24 hours to ENISA/CSIRT
Vulnerability notification        | 72 hours to ENISA

Conformity Assessment

Category           | Procedure
-------------------|----------------------------------------------------
Default            | Self-declaration or EU-type examination
Important Class I  | Harmonized standards OR third-party assessment
Important Class II | Third-party conformity assessment
Critical           | EU-type examination + production quality assurance

Products must display CE marking confirming compliance.

Penalties

  • Non-compliance: Up to €15 million or 2.5% of global turnover
  • Essential requirements breach: Up to €10 million or 2% of turnover
  • Other violations: Up to €5 million or 1% of turnover[4]

Developer Action Items

For software and hardware manufacturers:

  1. Inventory products: Determine which are in scope and their category
  2. Security by design: Integrate security into development processes
  3. Vulnerability management: Establish detection and handling procedures
  4. SBOM creation: Document software components and dependencies
  5. Support planning: Define and communicate support periods
  6. Update mechanisms: Build secure update delivery systems
  7. Conformity preparation: Prepare technical documentation

Sources & References

[1] Regulation (EU) 2024/2847 on cybersecurity requirements for products. EUR-Lex: CRA Official Text
[2] CRA Annex I: Essential cybersecurity requirements. CRA Portal: Annex I
[3] CRA Annex I Part II: Vulnerability handling requirements. CRA Portal: Vulnerability Handling
[4] CRA Article 64: Penalties. CRA Portal: Penalties