In an era where almost every object around us — from toys and household appliances to complex industrial systems — is connected to the internet, cybersecurity has become a vital necessity. To address increasingly frequent vulnerabilities, the European Union introduced the Cyber Resilience Act (CRA), the first legislative framework of its kind that imposes mandatory security standards for products with digital components.
So far, many software and hardware products have been released to the market with major security flaws, providing attackers with easy entry points into user networks. Moreover, consumers have often been left without technical support or security updates shortly after purchase. The CRA aims to correct these shortcomings by shifting responsibility from the end user to the manufacturer.
The Act applies to all products that are directly or indirectly connected to another device or network. These include:
Hardware: From computers and phones to IoT sensors and smart home devices.
Software: Various programs and applications that are not already covered by specific regulations (such as medical or aviation software).
Products already subject to strict sector-specific legislation, such as medical devices, vehicles, or national security products, are exempt.
Under the new legislation, companies wishing to sell their products on the European single market must comply with several key principles:
Security by design: Products must be designed, developed, and manufactured to provide a high level of cybersecurity from the outset.
Vulnerability management: Manufacturers are required to monitor and fix any security defects discovered throughout the product lifecycle.
Mandatory updates: Companies must provide security updates for a minimum period (generally 5 years or the expected product lifetime).
Transparency: Users must receive clear instructions on secure configuration and usage.
A central element of the CRA is the CE marking. This will serve as proof that a product complies with the EU’s essential cybersecurity requirements. Depending on the product’s risk level, conformity will be assessed either through self-declaration by the manufacturer or through third-party audits for critical categories.
Once fully implemented, the Cyber Resilience Act will significantly reduce costs caused by cyber incidents, estimated at billions of euros annually. For consumers, this means more reliable products, while for companies, the framework creates a level playing field and strengthens reputation in the global market.
For more details on legislative stages and technical annexes, visit the official page of the European Commission:
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act