Cybersec - Special: EC publishes Cyber Resilience Act

EC publishes Cyber Resilience Act, IoT security rules final

The European Commission has published the Cyber Resilience Act (CRA). This means the new regulation is now final and came into force on 11 December 2024. The CRA sets out legal requirements for IoT products, including hardware, software and apps, to improve the digital security of EU consumers and businesses.

TEXT: DIEDERIK TOET IMAGE: SHUTTERSTOCK

With the Cyber Resilience Act, the European Union aims to clarify and strengthen existing legislation to ensure the security of products with digital elements throughout the supply chain and life cycle. The regulation covers various types of Internet of Things (IoT) devices and their software. Products must comply with the rules before being placed on the market. There is also an obligation to report incidents and vulnerabilities.

The CRA will be introduced in stages. Standards will be developed over the first 18 months. The reporting requirement will come into force on 11 September 2026. All products must be fully compliant by 11 December 2027.

Officially into force

European Commission President Ursula von der Leyen announced the Cyber Resilience Act in 2021. The Commission presented the official proposal in September 2022, followed by a provisional agreement in November 2023. The European Parliament’s approval followed a month later, and the regulation passed the Council of the European Union last October. It entered into force twenty days after its publication in the Official Journal of the EU, and has therefore been in force since 11 December 2024.

The CRA represents a transformative step in securing Europe’s digital landscape. It is particularly relevant for cybersecurity professionals, as it mandates comprehensive measures to address vulnerabilities and introduces significant compliance obligations.

IoT and software security

IoT devices—ranging from smart home assistants to biometric systems—have become increasingly prevalent in both consumer and industrial applications. The CRA mandates that such devices be fundamentally secure at the point of sale and receive security updates for at least five years, barring exceptions for shorter product lifecycles. This requirement aligns with the increasing recognition of IoT devices as frequent targets for cyberattacks.

For software providers, the act differentiates between proprietary and open-source software. Open-source developers, particularly individuals, are exempt from stringent requirements but must still maintain a cybersecurity policy. This provision balances the CRA’s security goals with the open-source community’s collaborative nature.

Implementation challenges

While the CRA promotes harmonisation, cybersecurity teams across Europe will face challenges during its implementation:

  • Compliance monitoring: Organisations must integrate compliance mechanisms into product development cycles.
  • Supply chain security: Ensuring cybersecurity across complex global supply chains could require significant investment.
  • Technical standards: Compliance with CE marking standards will necessitate adopting advanced testing and certification processes.

Opportunities for professionals

The CRA offers substantial opportunities for cybersecurity experts:

  • Consulting services: Companies will need guidance on meeting CRA requirements, presenting opportunities for specialists in compliance and risk assessment.
  • Secure-by-design frameworks: Developing frameworks and tools for designing inherently secure products can position organisations at the forefront of innovation.
  • Incident response expertise: The act highlights the need for rapid mitigation of vulnerabilities, increasing demand for skilled incident response professionals.

Broader regulatory context

The CRA fits into a larger ecosystem of European regulations, including the Digital Operational Resilience Act (DORA) and the Network and Information Security (NIS2) Directive. Together, these regulations aim to bolster Europe’s cyber defences comprehensively, requiring professionals to stay updated on overlapping and evolving requirements.

Open-source considerations

The act’s treatment of open-source software has drawn attention. While organisations leveraging open-source libraries must ensure compliance, individual developers are largely unaffected. This distinction avoids stifling innovation while ensuring critical components in enterprise software remain secure.

Strategic guidance for organisations

  • Prepare early: Establish teams to analyse CRA requirements and map compliance timelines.
  • Collaborate with authorities: Engage with national regulators to clarify ambiguous provisions.
  • Invest in training: Equip employees with the skills necessary to navigate new cybersecurity frameworks.

The Cyber Resilience Act is a landmark in cybersecurity governance, underscoring the EU’s commitment to creating a safer and more secure digital environment.

For further details, please consult the Cyber Resilience Act on EUR-Lex.