nexalign

Glossary term

Cyber Resilience Act (CRA)

Also: EU Cyber Resilience Act, Regulation (EU) 2024/2847, CRA

EU Regulation 2024/2847 setting horizontal cybersecurity requirements for products with digital elements. Entered into force on 10 December 2024. Main obligations apply from 11 December 2027. Reporting duties for actively exploited vulnerabilities apply from 11 September 2026.

The Cyber Resilience Act covers nearly every networked hardware and software product placed on the EU market: IoT devices, industrial controllers, smart home appliances, operating systems, applications, developer tools. Open-source software is in scope only in commercial contexts; not-for-profit communities are exempt.

Manufacturer duties (Annex I): security-by-design, security-by-default, free security updates for the expected product lifetime (support period of at least 5 years by default), a vulnerability-handling process, an SBOM, and conformity assessment with CE marking. Important products (Class I and Class II) need additional conformity procedures; critical products (Annex IV) require third-party assessment.

Reporting duties to ENISA and national CSIRTs for actively exploited vulnerabilities: early warning within 24 hours, incident notification within 72 hours, final report within 14 days. Fines reach up to 15 M EUR or 2.5 percent of worldwide group turnover. From December 2027, CRA conformity is a precondition for any EU market entry.