Skip to content

CRA

Cyber Resilience Act

Cybersecurity of networked devices

The Cyber Resilience Act (CRA) adopted by the Council of EU Home Affairs Ministers in 2024 will impose new minimum requirements on manufacturers of networked devices in terms of cybersecurity.

This is how we support you
PCB-Board

What is the Cyber Resilience Act?

The CRA sets out binding requirements for the cyber security of networked devices placed on the market within the EU with the aim of creating a uniform security standard for digital hardware and software products on the European market.

Requirements and current information

What does the CRA entail?

The CRA contains new minimum requirements for the safety of connected devices. In future, all connected products that are placed on the market within the EU must bear the CE mark. This visibly proves to the outside world that the labelled product fulfils the requirements of the CRA.
 

Requirements imposed on manufacturers include:

  • Consideration & implementation of cyber security over the entire product life cycle (planning, development, production, operation)
  • Documentation of all cybersecurity risks
  • Reporting cybersecurity incidents to both ENISA and affected users
  • Ensuring that potential vulnerabilities are effectively addressed over the expected product life cycle (maximum 5 years)
  • Provision of security updates for at least 5 years
  • Clear & understandable operating instructions for products with digital elements

What is the current status?

The CRA was adopted by the Council of EU Home Affairs Ministers on 10 October 2024 and published in the Official Journal of the European Union on 20 November 2024 as Regulation (EU) 2024/2847.

Deadlines for implementation:

  • 10 December 2024: Entry into force of the CRA
  • 11 June 2026: Chapter IV (Notification of conformity assessment bodies) enters into force
  • 11 September 2026: Manufacturers are obliged to inform national authorities and ENISA about actively exploited vulnerabilities in their products (reporting obligations).
  • 11 December 2027: All CRA requirements apply from this date. This means that all connected products placed on the market within the EU must bear a CE mark.

Questions, comments, and more about the CRA

Your Contact
Eric Behrendt, TÜV Informationstechnik

Eric Behrendt