This growing dependence on products with digital elements has driven significant advances in innovation, efficiency, and automation, but it has also drastically expanded exposure to cybersecurity threats. Widespread interconnection means that failures are not limited to a single product or system; instead, they can spread rapidly, causing far‑reaching and difficult‑to‑control impacts.
To address this challenge, the European Union has created the Cyber Resilience Act (CRA), a regulation intended to introduce a completely renewed approach in which cyber resilience is considered a fundamental requirement for any digital product in today’s market.
In this context, the European Union, through the Cyber Resilience Act, introduces a horizontal and mandatory cybersecurity framework to ensure that products with digital elements placed on the European market are secure by design and throughout their entire lifecycle. The following sections provide an overview of this regulation, exploring its essential elements, scope of application, and the principles on which it is built to help redefine the European digital landscape.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a Regulation of the European Union (Regulation (EU) 2024/2847) that was adopted on October 23, 2024, and entered into force on December 10, 2024. Most of its obligations do not become mandatory until December 11, 2027, but the regulation sets intermediate application deadlines that must be taken into account for certain obligations:
▪️ From June 11, 2026, the provisions related to the notification and designation of conformity assessment bodies come into application (Chapter IV – Articles 35 to 52).
▪️ Following this, from September 11, 2026, Article 14 comes into application, regulating manufacturers’ obligations to report actively exploited vulnerabilities and serious security incidents.
▪️ From December 11, 2027, the remainder of the Regulation becomes applicable, establishing the obligation of compliance for all products within the scope of the CRA.
Relevant Dates

| Date | What applies |
|---|---|
| Before June 11, 2026 | Member States must have systems in place to designate conformity assessment bodies and prepare for certifications. |
| September 11, 2026 | Even products already sold must report actively exploited vulnerabilities and serious incidents. |
| December 11, 2027 | No product with digital elements may be placed on the EU market unless it complies with all CRA requirements. |

Application of Relevant Dates

| Product Sold | Vulnerability / Incident Detected | CRA Obligation? |
|---|---|---|
| Before September 11, 2026 | Before September 11, 2026 | No (CRA does not apply yet) |
| Before September 11, 2026 | After September 11, 2026 | Yes (if exploited and under support → notification) |
| Before December 11, 2027 | After December 11, 2027 | Yes (if within support → full management required) |
| After December 11, 2027 | From then on | Yes (full CRA applies) |
| Out of support | On any date | No CRA obligation |

NOTE: The CRA applies to any unit of the product manufactured after December 11, 2027 (FAQ 7.2).
The objective of the CRA is to strengthen the cybersecurity of products with digital elements marketed in the European Union. This regulation seeks to ensure that products with digital elements placed on the European market maintain high cybersecurity standards from their development phase and throughout their entire lifecycle, reducing the presence of vulnerabilities. To achieve this, the CRA requires that protection measures and management mechanisms be incorporated from the design stage and maintained through support and updates applied after commercialization. In this way, only products that meet these requirements can obtain the CE marking and be legally distributed in the European market.
By establishing a mandatory minimum baseline for cybersecurity practices, both consumers and companies benefit. Not only are users better protected against growing risks, but a safer and more reliable digital environment is also promoted across the European Union.
Scope of Application of the CRA
The CRA applies to any organization that manufactures, develops, imports, or distributes any product with digital elements (whether software or hardware) within the European Union, as well as any software or hardware that is not integrated into the product but is sold separately. In other words, it covers any product directly or indirectly connected to another device or network, with the exception of open‑source software or services already regulated under other frameworks.
Accordingly, the scope of the CRA includes:
▪️ Manufacturers of products with digital elements: both companies established within the European Union and those outside it, as long as their products are placed on or made available to the European market.
▪️ Software developers: responsible for designing and maintaining applications to ensure compliance with the cybersecurity requirements established by the regulation.
▪️ Importers and distributors: intermediaries in the product supply chain who must ensure that the products they distribute or market comply with the regulation.
▪️ Other operators: resellers or any other entity involved in the commercialization of products within the EU environment.
In practical terms, the CRA establishes a detailed classification of the products it covers, based on their level of risk. This classification, from lowest to highest risk, is divided into:
▪️ Unclassified: representing 90% of the products on the market, with low or standard risk levels. Companies responsible for these products must carry out periodic self‑assessments to identify vulnerabilities and implement improvements to ensure security.
▪️ Important: products that present a higher cybersecurity risk.
▫️ Class I: medium‑high‑risk products requiring the application of harmonized standards or third‑party assessment. These include items such as password managers, standalone and integrated browsers, network management systems, boot managers, operating systems, and physical or virtual network interfaces.
▫️ Class II: high‑risk products requiring third‑party assessment, except in very specific cases where full harmonized standards apply. These include items such as hypervisors or container execution systems enabling virtualized OS environments, firewalls, intrusion detection and prevention systems, tamper‑resistant microprocessors, and similar components.
▪️ Critical: products that, if improperly manipulated, could negatively affect a large number of systems. These products require external assessment or a European cybersecurity certification. Examples include secure computer equipment devices, smart meter gateways within intelligent metering systems (as defined in Article 2, point 23 of Directive (EU) 2019/944), or smart cards and similar devices containing secure elements.
Any product covered by this regulation must bear the CE marking to indicate compliance with the requirements. This compliance is not a one‑time event; organizations must ensure security support and the application of patches throughout the product’s entire lifecycle, and must notify the competent authorities of any detected incident.
Fundamental Principles of the CRA
The CRA is built on several fundamental principles that shape its regulatory approach and aim to balance technological progress with effective protection measures, while avoiding excessive burdens:
▪️ Security by design and by default: cybersecurity must be incorporated from the design phase, ensuring that products are delivered with secure default configurations that automatically protect the user.
▪️ Full lifecycle management: the manufacturer’s responsibility does not end once the product is placed on the market; instead, a continuous commitment is required, including monitoring, identifying, and correcting vulnerabilities through patches and security updates throughout the product’s lifecycle.
▪️ Risk‑based approach: since the level of requirements varies depending on the type of product, the regulation adapts its obligations to the level of risk, the product’s criticality, its intended use, and its potential impact within the digital environment.
▪️ Shared responsibility: all actors involved in the product’s lifecycle share responsibility. Manufacturers, importers, and distributors must verify compliance with the regulation, ensuring that the product remains secure throughout the entire commercialization process.
▪️ Transparency and traceability: users must have easy access to all relevant security information about the product, including the security measures it incorporates, the duration of support, and the vulnerabilities that have been identified and resolved.
Essential Security Requirements
To ensure CE marking and allow products to be placed on the EU market, manufacturers must demonstrate compliance with several fundamental cybersecurity requirements, including:
▪️ Technical documentation: preparing and maintaining detailed product documentation, accompanied by an up‑to‑date risk analysis that ensures compliance with the regulation.
▪️ Vulnerability management: implementing procedures to detect, record, and remediate any vulnerability, as well as fulfilling the obligation to report serious incidents to the competent authorities (CSIRTs or ENISA).
▪️ Security updates: providing mechanisms to apply updates or patches automatically or with minimal user intervention, ensuring the correction of security flaws.
▪️ Data protection: adopting robust controls to guarantee the security of data (whether at rest, in use, or in transit), along with effective measures to prevent unauthorized access.
▪️ Notification obligation: reporting any security incident to the European Union Agency for Cybersecurity (ENISA) within 24 hours, in addition to informing product users of any incident that occurs.
Meeting these requirements compels organizations to strengthen their development, testing, and maintenance processes, promoting collaboration across different areas such as business, technical, and legal teams.
Conclusion
In conclusion, the CRA represents a decisive step forward in the evolution of cybersecurity within the European Union by making the security of products with digital elements a mandatory requirement, thereby fostering a more reliable and robust market in the face of threats that are increasingly difficult to confront.
Although this new regulation poses a significant challenge for European manufacturers and companies, understanding and implementing its requirements is essential, as it offers an opportunity to advance toward stronger and more sustainable digital resilience, protecting users and contributing to a safer and more future‑ready digital environment.
References
▪️ Regulation (EU) 2024/2847 - Horizontal cybersecurity requirements for products with digital elements: https://eur-lex.europa.eu/legal-content/ES/TXT/PDF/?uri=OJ:L_202402847BOE
▪️ Cyber Resilience Act | Shaping Europe's digital future
▪️ Cyber Resilience Act implementation - Frequently asked questions
▪️ The European Cyber Resilience Act enters into force | Businesses | INCIBE
