My favourites

About the Cyber Resilience Act (CRA) (proposal)

Full name: Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020

Type: Regulation

Objective and key elements:

  • Setting horizontal a baseline for security in the internal market
  • Increasing the overall level of cybersecurity of all products with digital elements by introducing essential cybersecurity requirements for such products
  • Security updates to be made available for at least 5 years
  • Reporting obligations in case of security incidents
  • Possibility to recall products not fulfilling the requirements

 

Relevant to: Manufacturers, importers, and distributors of products and software including digital elements (excluding services, such as SaaS and certain specifically regulated products (e.g. cars)).

Status: Proposal. Expected to enter into force in the second half of 2024 and manufacturers will have to place compliant products on the Union market by 2027. Approved by the Parliament on 12 March 2024.  Provisional  agreement reached by the Council presidency and the European Parliament’s on 30 November 2023, read more.

Documents:

Text adopted by the Parliament, link (pending Council approval and to be published May/June 2024)

The Council’s proposed amendments on 13 July 2023, link

Commission proposal published on 15 September 2022, link

 

Next steps: Awaiting final approval from the Council.

(Last updated 8 August 2024)