The Cyber Resilience Act (“CRA”) is the first EU-wide regulation mandating minimum cybersecurity standards for all connected products sold on the internal market. It makes cybersecurity a mandatory product feature, requiring manufacturers to implement “security by design” and maintain robust update and vulnerability management processes throughout a product’s lifecycle.
In this article, we outline the most important immediate actions and then provide an overview of the key points of the new legislation.
I. Key Immediate Actions for Companies
- Assess whether your products, embedded software, or third-party components fall within the CRA’s scope.
- Integrate “Security by Design” and “Security by Default” into product development (deadline: 11 December 2027).
- Establish vulnerability management processes and prepare to meet reporting obligations (deadline: 11 September 2026).
- Prepare the required conformity assessment, technical documentation (including SBOM), and CE marking (deadline: 11 December 2027).
Source: Dentons