Cyber Resilience Act: A New Chapter in EU Cybersecurity Regulation

Written By

natallia karniyevich module
Dr. Natallia Karniyevich

Associate
Germany

I am a seasoned attorney situated at the Bird & Bird Düsseldorf office, with a specialisation in cybersecurity and data protection law, and a co-head of the Bird & Bird International Cybersecurity Steering Group.

feyo sickinghe Module
Feyo Sickinghe

Of Counsel
Netherlands

I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.

The Cyber Resilience Act (CRA) was officially published in the Official Journal of the European Union on 20 November 2024, marking a key milestone in Europe’s cybersecurity framework. The Regulation will come into force on 10 December 2024, with its main provisions expected to take effect in late 2027. Reporting obligations for manufacturers will apply from 11 September 2026.

Scope of application

The CRA applies to connected software and hardware products, regardless of whether they connect directly or indirectly to another device or network. Exceptions include products already governed by specific regulations, such as medical devices, aeronautical equipment, and cars. This broad scope encompasses consumer electronics and complex industrial systems.

Objectives of the CRA

The CRA seeks to strengthen consumer protection and bolster cybersecurity by:

  1. Mandating security measures: Manufacturers must provide ongoing security support and software updates for products.
  2. Enhanced safety: Products should only be made available on the European market on the basis of a third party or self-conformity assessment. 
  3. Reducing vulnerabilities: The Regulation aims to minimise weaknesses in products with digital elements.
  4. Boosting user trust: By enhancing security standards, the CRA aims to foster confidence in digital products.
  5. Harmonising rules: Establishing a unified cybersecurity framework for products across the EU.

Obligations under the CRA

The CRA introduces comprehensive obligations for manufacturers, distributors, and importers of digital products, including standalone components and remote data processing solutions. 
To find out more about the CRA, please read this article: New cybersecurity requirements for products with digital components - adoption of the Cyber Resilience Act (CRA)

Latest insights

More Insights
flower

NEWSFLASH - The UK’s New Consultation on AI and Copyright: Purr-suing Balance?

Dec 19 2024

Read More
laptop phone

EU/UK sanctions regarding Russia and Belarus (16-12-2024)

Dec 19 2024

Read More
Curiosity line teal background

Australia’s first standalone cyber security law – the Cyber Security Act 2024

Dec 18 2024

Read More