The Cyber Resilience Act (CRA)

This is the first in a series of articles on the Cyber Resilience Act (CRA).

The rationale behind CRA

The Cyber Resilience Act addresses the Union’s urgent need to strengthen cybersecurity as connected devices proliferate and cyberattacks increasingly affect the economy, democracy, consumer safety, and health. Russia’s increased hybrid warfare underpins this urgency.

The Regulation identifies two core problems: the low cybersecurity level of products with digital elements (PwDE)—evidenced by widespread vulnerabilities and inconsistent security updates—and the lack of user understanding of and access to security information, which prevents secure product selection and use.

To remedy these issues and reduce fragmentation across Member States, the CRA establishes a uniform EU‑wide framework of essential cybersecurity requirements to improve cyber resilience and support the functioning of the internal market.

Time is ticking

If you want to maintain the right to play (that is, to make your PwDE available on the EU market) after 11 DEC 2027, your PwDE must fully comply with the CRA. Manufacturers that place a non-compliant PwDE on the EU market after 11 DEC 2027 may incur penalties of up to €15 million or 2.5% of global annual revenue.

CRA Timeline

See also the next article in the series: CRA harmonized standards and the presumption of conformity

Graphics created with AI support