This article provides a summary and high-level overview of the EU Cyber Resilience Act (CRA) EU 2024/2847 – a regulation designed to strengthen cybersecurity for products with digital elements connected to a network or to other products and sold in the European Union. The CRA introduces mandatory security requirements and aims to ensure that cybersecurity is embedded throughout the entire lifecycle of digital products.
Digital hardware and software are entry points for cyberattacks. In a connected world, an attack on one unit can have severe effects on a chain of units and functions within a machine or system, and can even black out an entire organization.
What is the Cyber Resilience Act?
The CRA is a new regulation adopted by the European Union that establishes baseline cybersecurity requirements for products with digital elements, i.e. products that include a direct or indirect logical or physical data connection to a device or network. These include physical devices (e.g., laptops, smart robots, and industrial control systems) as well as software (e.g., firmware, operating systems, and mobile apps). The main goal of the CRA is to improve the overall level of cybersecurity in the internal market and to ensure that products with digital elements placed on the EU market are designed, developed and produced in such a way that they provide an appropriate level of cybersecurity based on the risks, and that vulnerabilities are addressed through security updates.
The regulation will apply from 11 December 2027, while the obligation for manufacturers to report significant security incidents and actively exploited vulnerabilities will enter into force earlier, on 11 September 2026.
Which products are covered?
The CRA applies to all "products with digital elements" marketed in the EU and involves a risk-based classification. All products must meet the same core cybersecurity requirements, but the process for demonstrating compliance varies. Important products require third-party assessment, and critical products may require EU cybersecurity certification (e.g., under the EUCC scheme).
Product categories:
- General products in the scope: Basic digital products like photo editing software or external hard drives. These can be verified through self-assessment or by notified body assessment.
- Important products class I: For example network interfaces, microcontrollers with security-related functionality and password managers. These must be verified through the application of a harmonized standard or by notified body assessment.
- Important products class II: Includes, for example, firewalls, intrusion detection and prevention systems, and tamper-resistant microcontrollers. These must be verified by notified body assessment.
- Critical products: Includes hardware devices with security boxes, smart meter gateways, and smartcards including secure elements. These must be certified under a European cybersecurity certification scheme or, if no delegated act covers them, verified by notified body assessment.
Standalone products that are never connected to, for example, the internet or external software platforms are likely not covered by the CRA. Wireless communication using Bluetooth, Wi-Fi or cellular networks is covered by the act, as is proprietary non-IP-based radio.
Key obligations for manufacturers
Manufacturers placing digital products on the EU market must, for example:
- Design products securely from the outset: Including minimizing attack surfaces and limiting the impact of potential incidents.
- Conduct cybersecurity risk assessments: Ensure that the level of cybersecurity is appropriate for the product’s intended use and threat environment.
- Protect data and access: Ensure confidentiality, integrity, and availability, for example by preventing unauthorized access and denial-of-service attacks.
- Maintain product security: Address known vulnerabilities throughout the expected lifetime, and provide security updates without delay.
- Be transparent about support: Communicate the duration and scope of technical support to customers.
- Implement a vulnerability disclosure policy.
Incident reporting and penalties
For any severe incident or actively exploited vulnerability, manufacturers will be required to submit:
- an early warning notification within 24 hours,
- a notification within 72 hours,
- a final report within 14 days for vulnerabilities and within one month for incidents.
Notifications will be submitted through a central EU reporting platform, in coordination with the national CSIRTs (Computer Security Incident Response Teams) and ENISA.
Non-compliance can result in administrative fines of up to €15 million or 2.5% of the manufacturer’s total annual global turnover, depending on the infringement of the regulation.
Enforcement and market surveillance
National market surveillance authorities and cybersecurity bodies will be responsible for enforcement. They are empowered to:
- Restrict or prohibit the sale of non-compliant products
- Order the withdrawal or recall of products from the market
- Require corrective actions
If national authorities fail to act, the European Commission may intervene directly to preserve the integrity of the internal market.
What does CRA mean for businesses?
Manufacturers, importers, and distributors that wish to market digital products in the EU will need to align with CRA requirements. This may involve:
- Investing in secure product design and secure development processes
- Establishing long-term vulnerability management procedures
- Undergoing third-party assessments or EU cybersecurity certification
For companies unfamiliar with structured cybersecurity practices, the CRA represents a significant shift. However, it also offers an opportunity to gain a competitive edge by delivering trustworthy and secure products.
Final thoughts
The Cyber Resilience Act is a critical step in creating a more secure digital environment across the European Union. It sets out a clear and harmonized framework for cybersecurity, focused on responsibility, transparency, and long-term resilience. For businesses, the CRA is a call to action: cybersecurity is no longer optional — it’s mandatory.
Please note: This text is not a legal document and should not be considered legal advice. It is our interpretation and summary of the regulation. For the official text and legal obligations, please refer to EU’s official sources, for example:
- https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng
This article explains in general terms what the EU Cyber Resilience Act (CRA) EU 2024/2847 is. Cybersecurity in relation to radio remote controls and machinery, however, is a complex matter and is covered by a number of technical standards as well as by the amendment/Delegated Regulation (EU 2022/30) to the Radio Equipment Directive (RED) (2014/53/EU) and by the Machinery Regulation 2023/1230.