The Cyber Resilience Act (CRA) law entered into force (EIF) on December 10, 2024, when it was published as Regulation (EU) 2024/2847 in the Official Journal of the European Union. Some CRA requirements become mandatory on 2026-09-11, and the CRA will fully apply three years later, on 2027-12-11. The CRA will obligate all products with digital elements, including their remote data processing, put on the European market to follow this regulation.
The CRA intends to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation. It regulates so-called “products with digital elements”, or PDE for short, and its horizontal nature gives it a big scope, including a wide set of hardware and software, but excluding medical devices, cars and other product types with their own safety and security rules. The primary goal is to reduce the costs for data breaches and increase customer trust in products with a digital element.
