Preparing for the EU Cyber Resilience Act (CRA)

pentestpartners.com

**TL;DR**

  • The EU Cyber Resilience Act (CRA) sets a mandatory baseline for security in digital products sold in the EU, covering their entire lifecycle from design to end of support.
  • Products must meet 13 essential security requirements and 8 vulnerability handling requirements, including secure defaults, timely patching, and secure update mechanisms.
  • Manufacturers must have formal processes for identifying, fixing, and publicly disclosing vulnerabilities, as well as providing free security updates.
  • Non-compliance can result in significant fines, market restrictions, or product withdrawal, making cybersecurity both a technical and legal obligation.

**Raising the baseline for product security**

Product security has matured significantly over the last decade. Secure defaults, defined ownership of security risk, reliable update mechanisms, and structured vulnerability handling are now mainstream and well understood by experienced engineering and security teams. These practices are no longer aspirational. They are now the minimum required to build and operate digital products responsibly.

The new EU Cyber Resilience Act (CRA) formalises this reality. Rather than introducing new security concepts, it codifies expectations that already exist across mature product security programmes and makes them enforceable across the EU market. The result is a consistent baseline for how software and hardware products with digital components are designed, maintained, and supported throughout their lifecycle.

**What is in scope**

The CRA is an EU regulation designed to improve cybersecurity across software- and hardware-based digital products that are sold in or to the EU. It sets binding minimum cybersecurity requirements for products throughout their entire lifecycle, from design and deployment through placement on the market to maintenance.

The act is intended to safeguard consumers and businesses within the EU when purchasing and operating these products, addressing inadequate levels of cybersecurity as well as a lack of timely security updates and patching. In doing so, it allows consumers to identify easily which products implement the correct cybersecurity features for their intended application. Unlike earlier EU cyber legislation, which focused primarily on networks or specific sectors, the CRA applies horizontally across industries.

If a product contains digital components and is placed on the EU market, it is likely to fall within scope.

**When obligations apply**

The CRA came into force on 10 December 2024. The act's primary obligations apply from 11 December 2027, and its reporting obligations apply from 11 September 2026.
