On December 10, 2024, the Cyber Resilience Act will come into force. This means that manufacturers of networked devices will have to meet new minimum requirements in terms of cyber security in the future. The experts at TÜVIT support manufacturers in meeting them.
What is the Cyber Resilience Act (CRA)?
The Cyber Resilience Act (CRA) sets out binding requirements for the cyber security of networked devices that are placed on the market within the EU. Its aim is to create a uniform security standard for digital hardware and software products on the European market.
Who is affected?
The CRA addresses manufacturers and developers of networked digital devices. It obliges them to ensure that a device operates securely throughout its entire life cycle. Only a few product types are exempt from the CRA. These include, for example, non-commercial open source software products.
What does the CRA entail?
The CRA contains new minimum requirements for the security of connected devices. In the future, all connected products that are placed on the market within the EU must bear the CE mark. The mark visibly demonstrates to the outside world that the labeled product meets the requirements of the CRA.
The requirements placed on manufacturers include:
- Consideration & implementation of cyber security over the entire product life cycle (planning, development, production, operation)
- Documentation of all cybersecurity risks
- Reporting cybersecurity incidents to both ENISA and affected users
- Ensuring that potential vulnerabilities are effectively addressed over the expected product life cycle (maximum 5 years)
- Provision of security updates for at least 5 years
- Clear & understandable operating instructions for products with digital elements
What is the current status?
The CRA was adopted by the Council of EU Interior Ministers on October 10, 2024 and published in the Official Journal of the European Union on November 20, 2024 as Regulation (EU) 2024/2847. The deadlines for implementation have now been set:
- December 10, 2024: Entry into force of the CRA
- June 11, 2026: Chapter IV (Notification of conformity assessment bodies) enters into force.
- September 11, 2026: Manufacturers are obliged to inform national authorities and ENISA about actively exploited vulnerabilities in their products (notification obligations).
- December 11, 2027: From this date, all requirements of the CRA apply. This means that all connected products placed on the market within the EU must bear a CE marking.



