The EU Cyber Resilience Act (Regulation 2024/2847) introduces new cybersecurity requirements for products with digital elements, affecting manufacturers, importers, distributors and other economic operators across the EU.
The regulation entered into force in 2024 and will largely apply from 11 December 2027, with certain reporting obligations taking effect earlier in 2026. Despite the timeline, organisations should begin preparing now, as compliance may require significant time and resources.
At its core, the CRA requires that products with digital elements are designed, developed and maintained in line with essential cybersecurity requirements throughout their lifecycle. This includes risk assessments, vulnerability management, security updates, and detailed documentation. The regulation also introduces strict incident and vulnerability reporting obligations, as well as enhanced responsibilities across the supply chain.
Non-compliance may lead to substantial penalties of up to EUR 15 million or 2.5% of global annual turnover (whichever is higher).
Zoltán Balázs Kovács and Benedek Ádám have prepared an overview of the main obligations. To access the article click HERE.
