Everything You Need to Know About the EU Cyber Resilience Act


The EU Cyber Resilience Act (CRA) is a new regulatory framework. It is designed to establish mandatory cybersecurity requirements for products with digital elements sold within the European Union.

In this article, we’ll examine which products/organizations are affected by the CRA. We will also explore what companies can do now to prepare for compliance and adapt to the new regulatory requirements.
Which Products Fall Under the Cyber Resilience Act?
Software Products
These can be desktop apps, enterprise software platforms, productivity tools and business management systems. The category also includes developer tools and other commercial software distributed to EU customers.

Mobile Applications
Mobile apps are also covered when they are made available as products within the EU market. This applies to consumer and business applications alike, particularly when the app processes data, connects to external systems, interacts with cloud services, or serves as a control interface for connected devices. What does this mean for mobile development teams? Secure coding practices, vulnerability management and security testing become a must.
IoT Devices
Internet of Things products represent one of the primary targets of the regulation. Connected home devices, wearable technologies, smart appliances, industrial sensors and monitoring systems have become frequent attack vectors. This is largely due to weak authentication mechanisms, insecure default configurations and insufficient updates. The CRA seeks to address these issues.
Embedded Systems and Firmware
These include industrial equipment, consumer electronics, smart devices and communication systems, plus other categories of connected hardware that rely on software for their operation. Manufacturers have to demonstrate that risks have been assessed and mitigated during product development.
Network and Communication Equipment
Routers, gateways, firewalls, VPN solutions and network management platforms occupy critical positions within organizations. Vulnerabilities in these products can affect large numbers of users and connected systems. Thus, certain categories may be subject to additional assessment requirements.
Connected Consumer Products
The scope of the CRA extends to many everyday consumer products. These are smart televisions, connected cameras, home automation systems, smart speakers. They function as network-connected computing devices. Therefore, they present cybersecurity risks.
Cloud Services That Are Part of Product Functionality
The CRA does not simply regulate standalone cloud platforms. Instead, it focuses on situations where cloud services form an integral part of a product's functionality. Many modern products depend on cloud infrastructure for authentication, data synchronization, analytics and so on.
In these cases, the associated cloud services may become relevant to compliance assessments.
Which Products Are Excluded From the CRA?
Medical devices are generally regulated under dedicated healthcare legislation, which contains its own cybersecurity obligations. Similar exclusions apply to certain automotive products, aviation systems and defense-related technologies, plus products used for national security purposes.
Key CRA Compliance Milestones and Implementation Timeline
The Cyber Resilience Act follows a phased implementation approach. This means that organizations have enough time to prepare before requirements become enforceable. The regulation formally entered into force on December 10, 2024. This date marked the beginning of the transition period, in which organizations started assessing the implications of the new requirements and planning necessary changes. And what will happen next?
June 11, 2026: Conformity Assessment Provisions Become Applicable
From this date, the provisions governing conformity assessment bodies apply. These organizations play an important role in evaluating certain categories of products, namely those that require independent assessment before being placed on the market.

September 11, 2026: Vulnerability and Incident Reporting Obligations Apply
The reporting requirements become applicable in September 2026. Manufacturers will be required to establish processes for identifying, managing and reporting exploited vulnerabilities.
December 11, 2027: Full CRA Enforcement Begins
In December 2027 the regulation becomes fully applicable across the European Union. Products for the EU market will be expected to comply with cybersecurity requirements.

How It Will Affect the Technology Market
The main change is the formal recognition of cybersecurity as a product characteristic. Security will no longer be treated as an optional enhancement or a feature that competes with delivery timelines and product roadmaps. Organizations will have to demonstrate that security considerations were incorporated during product design and development.
Software Vendors Will Need Structured Vulnerability Management
The regulation places significant emphasis on vulnerability management throughout the whole product lifecycle. This includes:
- identifying vulnerabilities
- assessing their impact
- developing remediation plans
- distributing security updates
- maintaining communication channels for vulnerability disclosure.
Product Development Teams Will Be Expected to Demonstrate Security by Design
Teams have to show that cybersecurity risks were considered during architecture design, implementation and testing. Companies have to adopt threat modeling, secure coding practices and QA, and architecture reviews.
Open-Source Dependencies Become a Governance Issue
It is true that modern software relies heavily on open-source components. While these dependencies accelerate development, they also create visibility gaps. Thus, companies need to understand which third-party components are present in their products. How are vulnerabilities tracked? How are updates managed? This is the reason Software Bills of Materials (SBOMs) are receiving growing attention.
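The vulnerability management lifecycle listed above (identify, assess impact, plan remediation) and the SBOM question of "which components are present and how are their vulnerabilities tracked" can be tied together in a small script. The following is an added example and is not code from the article: it reads a constructed CycloneDX-style SBOM, matches each component against a constructed advisory feed (the `EXAMPLE-ADV-*` identifiers are placeholders, not real CVEs), ranks findings with actively exploited ones first, and produces a remediation action per finding. The SBOM content, the advisory format and the version-comparison rule (affected when below `fixed_in`) are all assumptions made for the example.

```python
"""Added example: SBOM-driven dependency inventory and vulnerability triage.
Not the article's code; all data below is constructed for illustration."""
import json
from typing import Dict, List

# Constructed SBOM in CycloneDX JSON layout (no real product is described).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",   "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3"},
    {"type": "library", "name": "netparse", "version": "0.9.0", "purl": "pkg:generic/netparse@0.9.0"},
    {"type": "library", "name": "tlswrap",  "version": "2.0.1", "purl": "pkg:generic/tlswrap@2.0.1"}
  ]
}"""

# Constructed advisory feed; identifiers are placeholders, not real CVEs.
# A component is treated as affected when its version is below "fixed_in".
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "netparse", "fixed_in": "1.0.0",
     "severity": "high", "exploited": True},
    {"id": "EXAMPLE-ADV-0002", "component": "libfoo", "fixed_in": "1.2.0",
     "severity": "medium", "exploited": False},
    {"id": "EXAMPLE-ADV-0003", "component": "tlswrap", "fixed_in": "2.1.0",
     "severity": "critical", "exploited": False},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(version: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text: str) -> List[Dict[str, str]]:
    """Inventory step: list every component name/version the SBOM declares."""
    sbom = json.loads(sbom_text)
    return [{"name": c["name"], "version": c["version"]}
            for c in sbom.get("components", [])]


def match_advisories(components: List[Dict[str, str]],
                     advisories: List[Dict]) -> List[Dict]:
    """Identification step: pair each component with advisories whose fix it lacks."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({
                    "id": adv["id"],
                    "component": comp["name"],
                    "installed": comp["version"],
                    "severity": adv["severity"],
                    "exploited": adv["exploited"],
                    # Remediation plan: the concrete update to distribute.
                    "action": f"upgrade {comp['name']} {comp['version']} -> {adv['fixed_in']}",
                })
    return findings


def triage(findings: List[Dict]) -> List[Dict]:
    """Assessment step: actively exploited findings first, then by severity."""
    return sorted(findings,
                  key=lambda f: (not f["exploited"], -SEVERITY_RANK[f["severity"]]))


def reportable(findings: List[Dict]) -> List[Dict]:
    """Findings involving an actively exploited vulnerability, which the article
    says manufacturers must be able to identify and report."""
    return [f for f in findings if f["exploited"]]


if __name__ == "__main__":
    found = triage(match_advisories(load_components(SBOM_JSON), ADVISORIES))
    for f in found:
        flag = "EXPLOITED " if f["exploited"] else ""
        print(f"{flag}{f['severity']:<8} {f['id']}  {f['action']}")
    print(f"{len(reportable(found))} finding(s) involve an exploited vulnerability")
```

The ordering in `triage` reflects the article's emphasis: an actively exploited high-severity issue is queued ahead of an unexploited critical one because it is the one with a reporting clock attached. In practice the SBOM would come from the build pipeline and the advisory feed from a vulnerability database, but the matching and triage logic stay the same.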
Documentation Will Become as Important as Security Controls
A recurring theme throughout the CRA is the requirement to demonstrate compliance. Implementing measures alone is unlikely to be sufficient if you cannot provide evidence. Thus, documentation becomes a core component: it is where you show that risks were assessed and controls were implemented.
What This Means for All Involved Parties
Manufacturers bear primary responsibility for ensuring compliance. They must assess cybersecurity risks, implement required controls and maintain technical documentation. This will require closer collaboration between engineering, product management, security, legal and compliance functions.
Organizations responsible for placing products on the EU market will also have obligations. Importers and distributors will need to verify that products meet applicable requirements before distribution, and ensure that appropriate documentation accompanies these products.
Software development firms may not always be the legal manufacturers of products. However, their clients will expect development partners to follow the obligatory secure practices. Developers will encounter increased expectations regarding secure coding standards, code reviews and dependency management.
Quality assurance teams will participate in validating security requirements alongside traditional functional testing. Compliance-related testing activities may become a larger part of standard QA responsibilities, such as security verification, vulnerability validation and penetration testing coordination.
Product leaders will need to view cybersecurity as part of product strategy, rather than a purely technical concern. Decisions regarding feature prioritization, technical debt and third-party integrations will all carry compliance implications.
How to Prepare Before the CRA Becomes Fully Applicable

