
Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 2

December 11, 2024 | Blog

In Part 1, we provided a general overview of the CRA and highlighted OpenSSF’s current activities related to its implementation. In Part 2, we’ll take a closer look at the three-year implementation timeline and what lies ahead.

Background

With its publication as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) comes into force (EIF) today, December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. It will require all products with digital elements, including their remote data processing, that are placed on the European market to comply with this regulation. This new blog series will explore the implementation of the CRA and its relevance to open source software.

CRA Implementation Timeline

Over the coming years, several implementing and delegated acts will be introduced to ensure legal clarity regarding obligations before the CRA is fully applied in 2030.

Among the most important milestones within the first 12 months after EIF is the technical description of important and critical products, due by December 11, 2025, at the latest. This implementing act is outlined in Art. 7(4) of the CRA, and the website for the future consultation process on it is already available. Additionally, the terms and conditions under which delays to reporting duties may occur will be specified in a delegated act according to Art. 14(9). Implementing and delegated acts differ mainly in their adoption processes, but both typically involve stakeholder consultation. For more details on these acts, refer to the European Parliament Research Service’s briefing on this topic.

By 18 months after EIF, Member States are required to establish administrative structures for product conformity, at which point Chapter IV on the notification of conformity assessment bodies will apply (Art. 35-51). Although market surveillance authorities will not be fully operational until the CRA comes into full effect in three years, the framework for the conformity process, including laboratories, inspection bodies, and certification entities, will already be in place, along with an appeals process for their decisions.

Starting September 11, 2026, manufacturers will have reporting obligations for actively exploited vulnerabilities and severe incidents impacting product security, as outlined in Art. 14. The so-called Single Reporting Platform described in Art. 16, provided by ENISA, will also be operational by then. Reporting will require a designated national CSIRT in a European Member State to act as coordinator (Art. 14(7)).

According to Art. 17(3), ENISA is tasked with producing a first report on emerging trends regarding cybersecurity risks after two years, and a further report every two years thereafter, and submitting it to the Cooperation Group, which is defined in Art. 14 of the NIS2 Directive as a forum for information exchange among Member States. By that time, Member States have to ensure a sufficient number of notified bodies (see Art. 35(2)).

When the CRA fully applies on December 11, 2027, all newly designed and produced products with digital elements (PDEs) entering the European market must comply with the full set of regulations and adopt secure-by-design principles.

An exhaustive list of the new rules at that moment would go beyond the scope of this post. However, apart from the aforementioned reporting requirements, manufacturers must follow the objectives and obligations outlined in Annex I: Essential Requirements of the CRA throughout the product lifecycle.

For manufacturers, this also includes due diligence for the supply chain, providing technical documentation for users and market authorities, producing a declaration of conformity, issuing security updates for 5 years, and keeping them available for 10 years.

The technical documentation and the declaration of conformity need to be kept available for the market surveillance authorities for 10 years or the lifecycle of the product, so that conformity can be demonstrated upon request; user documentation also needs to be available for the same period. For consumers, representative actions apply, and market surveillance will act according to Chapter V of the CRA, including the establishment of a dedicated administrative cooperation group at EU level, dubbed ADCO, which is defined in Art. 30 (20) of the Market Surveillance Regulation (MSR).

About a year after the CRA fully applies, the European Commission will be tasked with submitting a report on the effectiveness of the Single Reporting Platform to the European Parliament and the Council of the European Union, followed six months later by a report on the delegation. The former report is particularly important for addressing issues with vulnerability handling and reporting, and is likely to seek input.

If neither the European Parliament nor the Council of the European Union opposes it, the CRA will be extended after five years for another five years. Finally, the last event mentioned in the regulation is the evaluation and review by the European Commission.

What’s Next?

The attentive reader will not have missed that something is missing: a dive into European standards and conformity assessment from the viewpoint of the manufacturer, and likewise more details on reporting. These will be the subjects of future parts of this little blog series.

In the meantime, OpenSSF has been appointed by the European Commission as a member of the Expert Group on Cybersecurity of Products with Digital Elements (also known as the “CRA Expert Group”). This group, which includes around 60 other experts and several open source organizations (a full list is forthcoming), will soon begin its work. According to Art. 9, the group will provide input for guidance, help prepare the technical descriptions of the product categories, assist in assessing the need for potential updates to the list of product categories in accordance with Art. 7(3) and Art. 8(2), support the assessment of the potential market impact, and help undertake preparatory work for the evaluation and review of the CRA.

Join Our Effort!

OpenSSF has been at the forefront of securing open source software and strengthening supply chain security. We are committed to collaborating with the community to ensure that our tools and frameworks contribute to a safer, more secure digital environment. By engaging developers, organizations, and policymakers, we aim to address the evolving challenges of software security and build a stronger, more resilient future together.

Stay informed about the latest CRA updates and OpenSSF events—join our mailing list today!