What is Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is an EU directive designed to enhance the security of digital products, including both software and hardware, by strengthening their resilience against cyberattacks. This regulation imposes specific requirements on manufacturers to ensure cybersecurity is integrated throughout the product lifecycle—from design and development to market deployment.

Under the CRA, all products must meet the following cybersecurity requirements:

• Ensure the product is free from known vulnerabilities upon release, reducing its attack surface and the potential impact of any vulnerability.
• Offer a secure default configuration, with automatic security update capabilities.
• Guarantee the confidentiality of data managed by the product; the integrity of the software, data, and configuration; and maintain essential product functionality in case of an attack (e.g., a DoS attack) by implementing adequate mitigation measures, minimizing any potential impact on third parties.
• Include appropriate access control mechanisms.
• Collect logs of any security-relevant activity.
• Adhere to the principle of data minimization.

To meet these requirements, products must undergo security testing (such as penetration testing) before being released to the market. Additionally, suppliers are required to conduct a product risk assessment and produce supplementary technical documentation, which will be used to assess CRA compliance. They must also provide updates and security patches for at least five years after the product’s release. Companies must offer users clear instructions for secure configuration and maintenance, facilitating the adoption of cybersecurity best practices.

A key aspect of the CRA is its mandate on vulnerability management. Manufacturers must report any exploited vulnerability or significant security incident associated with their products to the relevant authorities. These reports are submitted through the Single Report Platform (SRP), managed by ENISA and accessible to European CSIRTs. Notifications must be made within a specified timeframe, which can range from 24 hours to 30 days after an incident is detected. All product vulnerabilities will subsequently be recorded in a European vulnerability database.

Non-compliance with the CRA can result in significant penalties for manufacturers, including fines of up to €15 million or 2.5% of the company’s annual global revenue, whichever is greater, and the potential market withdrawal of the product. The directive was approved in October 2024, with full compliance required within 36 months; however, certain obligations, such as active vulnerability and incident reporting, will take effect within 21 months.