Cyber Resilience Act: which products are covered?

Regulation (EU) 2024/2847, known as the Cyber Resilience Act (CRA), was adopted on 23 October 2024 and entered into force on 10 December 2024. It imposes cybersecurity requirements on products with digital elements made available on the European market.

Which products

The regulation covers products — hardware or software — whose intended, or reasonably foreseeable, use includes a logical or physical connection, direct or indirect, to a device or a network. The scope is broad: from connected objects to applications. Certain products already governed by sectoral regulations — medical devices, automotive, aviation, for instance — are excluded.

Which obligations

The regulation sets essential cybersecurity requirements, to be met from the design stage and throughout the lifecycle, together with vulnerability management. It provides for technical documentation, conformity-assessment procedures, and the CE marking attesting compliance with the requirements. These obligations fall on manufacturers, but also on importers and distributors.

The timeline

The CRA will be fully applicable on 11 December 2027. Two milestones come before: the reporting obligations incumbent on manufacturers — actively exploited vulnerabilities and severe incidents — apply from 11 September 2026, and certain obligations relating to conformity-assessment bodies from 11 June 2026.

For organisations that design or integrate such products, compliance is prepared upstream; determining your role in the value chain is the starting point.