As of today, the Cyber Resilience Act (CRA) has officially come into effect. The law is aimed at manufacturers, distributors and importers of hardware and software that will be placed on the EU market from December 11, 2027. The CRA requires them to ensure that digital products meet essential security requirements. They must also provide security updates so that products remain secure. This way, consumers and companies can rely on products purchased in the EU being digitally secure.
What is the Cyber Resilience Act and what are its requirements?
The most important requirements of the CRA are imposed on the products that are placed on the market. But requirements are also imposed on the processes that manufacturers have set up to develop, design, manufacture and maintain their products.
To avoid security problems, the manufacturer of a product must determine the functionality and intended operation for which the product is developed. The manufacturer carries out a risk analysis, which should form the basis for the secure design of the product. It is important that all vulnerabilities and real risks are removed. In the event of serious incidents or actively exploited vulnerabilities, the manufacturer will be obliged from September 11, 2026 to report to the national CSIRT (the NCSC in the Netherlands) and to inform and advise the affected users. The law also requires that the manufacturer sets up a process to respond to vulnerabilities and to address them without delay, for example by providing a security update. These obligations apply for the entire expected useful life of the product, but at least for a period of five years.
Read on the RDI website which types of products must comply with the CRA.
What is the timeline of the Cyber Resilience Act?
Preparations for the CRA were already in full swing and with its entry into force, official guidelines and timetables have now been established. European member states can now appoint supervisors, and the European Commission will start formulating implementing legislation and having the necessary standards and requirements drawn up.
Although the CRA starts today, this does not mean that manufacturers must immediately comply with all requirements. An important milestone will be reached in September 2026 with the introduction of a reporting requirement, followed by full compliance with the CRA in December 2027.
- December 10, 2024: The Cyber Resilience Act comes into effect. The preparation includes developing harmonized standards.
- September 11, 2026: The reporting obligation for actively exploited vulnerabilities and incidents comes into effect.
- December 11, 2027: All requirements come into effect and all products with digital elements must comply with the CRA.
For wirelessly connected equipment (such as laptops, smart doorbells, etc.) this already applies earlier: from August 2025 such products must meet cybersecurity requirements under the Radio Equipment Directive (RED).
Obligations
The CRA’s obligations focus on manufacturers, importers and distributors of digital products. They can already take note of the essential requirements that their product must meet after 2027 (Appendix 1 of the CRA). Customers can already pay attention to the CE marking: from August 2025, the CE marking means that the product not only meets the EU’s physical safety requirements, but also the cybersecurity requirements in the RED. From December 2027, these requirements will be further expanded to include the more extensive requirements of the CRA, which will also apply to stand-alone software.
Until December 2027, when products with digital elements must comply with the CRA, users and purchasers of software can already check which essential requirements the CRA contains and make contractual agreements about them with the software supplier or manufacturer.