The new Cyber Resilience Act (EU) 2024/2847 is a significant step forward in the EU’s regulation of cybersecurity for digital products. This regulation, set to apply from 11 December 2027, has been developed to address the growing security challenges posed by rapid digitalisation and the increasing complexity of connected devices. For manufacturers and suppliers, this means new CE marking requirements and stricter oversight of product security throughout the entire product lifecycle.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act is an EU regulation aimed at strengthening cybersecurity for digital products sold within the EU. Its goal is to ensure that all digital products – from smart home devices to complex IT systems – meet clear security requirements from the design stage and throughout their use. This means that manufacturers, importers, and distributors must consider cybersecurity aspects and protect their products from threats that could compromise their integrity and functionality.
CE marking requirements
A central aspect of the Cyber Resilience Act is the introduction of mandatory CE marking for products with digital elements (and related digital services). The CE mark indicates that the product has undergone assessments to ensure compliance with cybersecurity requirements. This applies to all manufacturers placing digital products on the EU market, regardless of whether they are made within or outside the EU.
What products are covered?
The CRA covers a wide range of products with digital elements that can be connected to networks and are therefore potentially vulnerable to cyberattacks. Key product categories include:
Internet of Things (IoT) devices:
Includes connected household appliances such as smart fridges, lights, security cameras, and thermostats. These are frequent targets of attacks due to constant connectivity and potential vulnerabilities.
Industrial IoT systems:
Covers systems used to monitor and control industrial processes, such as sensors and control systems connected to manufacturing equipment, energy management, and smart grids. These are especially sensitive to attacks aiming to disrupt operations.
Network equipment:
Routers, switches, and other devices used in homes and businesses. These are common targets for attackers trying to access network communications and infrastructure.
The CRA is designed to ensure that all these products meet strict security requirements from the design phase and throughout their lifespan.
New obligations for manufacturers and suppliers
To comply with the CRA, manufacturers and suppliers must:
Conduct risk analyses and security assessments before market launch.
Develop products with “security by design” and “security by default” – security must be built-in and activated from the start.
Document and report any discovered security incidents and vulnerabilities during use.
Regularly update software to fix security issues and maintain protection.
Provide clear user instructions regarding safe use and potential product risks.
How to meet the requirements
Harmonised standards:
If a product has already been certified under previous EU standards and meets current security requirements, these certifications will still be valid under the CRA. This avoids the need for re-certification for products that already comply.
CRA timeline
As with other regulations, a product must meet all applicable legal requirements at the time it is placed on the market. This applies to new products and to existing products still available after the enforcement date. If an older product is resold, distributed, or updated, it must also comply with the CRA – unless specifically exempt. In some cases, substantial changes may result in the product being considered “new”, meaning full CRA compliance is required.
There are two key dates to note:
11 September 2026 – Reporting obligations begin:
From this date, manufacturers, importers, and other parties must report actively exploited vulnerabilities and serious cybersecurity incidents to competent authorities within specific timeframes:
Early warning within 24 hours
Supplementary report within 72 hours
Final report within 1 month (for incidents) or 14 days (for resolved vulnerabilities)
Reports must be sent to a national contact point (e.g. a CSIRT) and to ENISA, the EU’s cybersecurity agency.
11 December 2027 – Full application of CRA:
From this date, all other requirements apply, including:
Digital products must meet essential cybersecurity requirements
Conformity assessments, CE marking, and EU declarations of conformity are required
Security design, risk assessments, updates, and vulnerability management throughout the support period become mandatory
Potential fines and penalties
An important part of the regulation is the introduction of significant fines for non-compliance. If a product is found to be insecure, or the manufacturer fails to take appropriate measures, the company may face fines of up to 2.5% of global annual turnover or €15,000,000, whichever is greater.
What does this mean for businesses?
Businesses manufacturing, importing, or distributing digital products in the EU must now review their security practices and ensure products meet the new requirements before market launch. This may require investment in development, testing, and documentation. Failure to comply can lead not only to fines but also damage to the company’s reputation.
Quick summary: key points of the Cyber Resilience Act
New requirements for connected products:
Digital products must meet cybersecurity standards for CE marking.
Built-in cybersecurity:
Security by design and by default, including risk assessments, is required.
Lifecycle management:
Security updates and vulnerability handling throughout the product lifetime.
Reporting obligations:
Incidents and actively exploited vulnerabilities must be reported (early warning within 24 hours) to the national CSIRT and ENISA.
Consumer protection and market advantages:
Companies that prioritise security can build trust and gain competitive benefits.
Timeline:
Reporting obligations begin in September 2026; the CRA applies in full from December 2027. Businesses should begin preparing now.
The Cyber Resilience Act will reshape how digital products are assessed and marketed in the EU. With mandatory security requirements and stricter oversight, the goal is to build a more resilient digital environment where consumers and businesses can trust the products they use. For companies, this means a greater responsibility to ensure products are secure – from design to deployment and beyond.
With this new regulation, the EU marks another major step toward protecting citizens and the internal market from cyber threats, while promoting innovation and digitalisation in a secure manner.