Cyber Resilience Act: A New Chapter in EU Cybersecurity Regulation

Written By

feyo sickinghe Module
Feyo Sickinghe

Of Counsel
Netherlands

I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.

The Cyber Resilience Act (CRA) was officially published in the Official Journal of the European Union on 20 November 2024, marking a key milestone in Europe’s cybersecurity framework. The Regulation will come into force on 10 December 2024, with its main provisions expected to take effect in late 2027. Reporting obligations for manufacturers will apply from 11 September 2026.

Scope of application

The CRA applies to connected software and hardware products, regardless of whether they connect directly or indirectly to another device or network. Exceptions include products already governed by specific regulations, such as medical devices, aeronautical equipment, and cars. This broad scope encompasses consumer electronics and complex industrial systems.

Objectives of the CRA

The CRA seeks to strengthen consumer protection and bolster cybersecurity by:

  1. Mandating security measures: Manufacturers must provide ongoing security support and software updates for products.
  2. Enhanced safety: Products should only be made available on the European market on the basis of a third party or self-conformity assessment. 
  3. Reducing vulnerabilities: The Regulation aims to minimise weaknesses in products with digital elements.
  4. Boosting user trust: By enhancing security standards, the CRA aims to foster confidence in digital products.
  5. Harmonising rules: Establishing a unified cybersecurity framework for products across the EU.

Obligations under the CRA

The CRA introduces comprehensive obligations for manufacturers, distributors, and importers of digital products, including standalone components and remote data processing solutions. 
To find out more about the CRA, please read this article: New cybersecurity requirements for products with digital components - adoption of the Cyber Resilience Act (CRA)

Latest insights

More Insights
Curiosity line blue background

China’s Personal Information Protection Audit - When Is It Required and How to Conduct It?

Jul 10 2025

Read More
Curiosity line yellow background

International Dispute Resolution team authored key content for Lexology Panoramic: Dispute Resolution 2025

1 minute Jul 08 2025

Read More
featured image

Report of Trade Mark Cases For the CIPA Journal May 2025

1 minute Jul 04 2025

Read More