About the Cyber Resilience Act (CRA) (Proposal)

Full name: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828

(Link to original text)

Type: Regulation

Objective and key elements:

• Setting horizontal baseline of rules for security in the internal market
• Increasing the overall level of cybersecurity of all products with digital elements by introducing essential cybersecurity requirements for such products
• Security updates to be made available for at least 5 years
• Reporting obligations for manufacturers in case of security incidents
• Possibility to recall products not fulfilling the requirements

Relevant to: Manufacturers, importers, and distributors of products and software including digital elements (excluding services, such as SaaS and certain specifically regulated products (e.g. cars)).

Status: Adopted by the Council on 10 October 2024 and published in the Official Journal on 20 November 2024.

Next steps: The Cyber Resilience Act will enter into force on the 20th day following its publication.

 

Documents:

• Text adopted by the Council on 10 October 2024 is available here
• Text adopted by the Parliament on 12 March 2024 is available here
• The Council’s proposed amendments on 13 July 2023 is available here
• Commission proposal published on 15 September 2022 is available here

Guidance:

• European Commission: Cyber Resilience Act – Questions and Answers

(Last updated 21 November 2024)