ARTICLE
23 March 2026

2026 Cybersecurity Countdown: New Requirements Are Coming

Kinstellar (Contributor)
By Christiana Bouleanu
Romania | Technology

March 2026 – The Cyber Resilience Act (Regulation EU 2024/2847 – CRA) entered into force on 10 December 2024 and introduces a comprehensive cybersecurity framework for products with digital elements placed on the EU market. The Regulation aims to address the insufficient level of cybersecurity in many digital products and the lack of timely security updates provided throughout their lifecycle.

Which products are in scope?

The CRA applies to "products with digital elements", defined as software or hardware products, including their respective remote data processing solutions, that can be directly or indirectly connected to a device or a network. Consequently, the CRA applies both to connected hardware products (e.g., smartphones, laptops, smart-home products, smart watches, internet-connected toys, as well as microprocessors, firewalls, and smart meter gateways within smart metering systems) and to software products (e.g., accounting software, computer games, mobile apps).

All products sold in the EU containing such digital elements must meet the essential requirements of the CRA governing the design, development, and maintenance of such products, with obligations applying throughout the entire supply chain. This includes low-cost consumer products as well as B2B software and complex high-end industrial systems.

The obligations imposed by the CRA are addressed to economic operators involved in the lifecycle of such products. For the purposes of the Regulation, an "economic operator" means the manufacturer, authorised representative, importer, distributor, or any other natural or legal person referred to in the Regulation.

When does the CRA start to apply?

The Regulation does not have immediate full effect but applies gradually, following a transitional period, until full applicability on 11 December 2027.

The first stage begins on 11 June 2026, when the provisions on market surveillance and enforcement (Chapter IV, Articles 35–51) become applicable.

Subsequently, on 11 September 2026 the first provisions directly targeting economic operators will apply. At this stage, Article 14 of the CRA introduces obligations for manufacturers to notify actively exploited vulnerabilities and severe incidents affecting the security of their products with digital elements. These obligations require companies to submit an early notification within 24 hours of becoming aware of such vulnerabilities or incidents, followed by a full notification within 72 hours. A final report must be submitted no later than 14 days after a corrective measure becomes available for actively exploited vulnerabilities, and within one month for severe incidents. Manufacturers submit these notifications only once per incident, through the CRA Single Reporting Platform.

Practical considerations for organisations

Although the main obligations under the CRA will only apply as of December 2027, the earlier reporting obligations require companies to begin preparing well in advance.

Organisations placing products with digital elements on the EU market should consider:

  • assessing whether their products fall within the scope of the CRA;
  • reviewing cybersecurity risk-management and vulnerability-handling processes;
  • monitoring the internal implementation status of the EU NIS2 Directive (including at each Member State level) and compliance with its requirements, including the assessment of risk level and the self-assessment of the maturity of measures for managing cybersecurity risks;
  • implementing internal procedures for incident and vulnerability reporting.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

