
Cyber Resilience Act

EU regulation imposing cybersecurity requirements on connected hardware and software products.

Last refreshed: 13 April 2026

Key Question

Will the Cyber Resilience Act force a product recall culture on connected device makers?

Common Questions
What is the EU Cyber Resilience Act and who does it affect?
The CRA requires any hardware or software product with digital elements sold in the EU to meet mandatory cybersecurity requirements throughout its lifetime, from design through to end-of-support. It affects device makers, software publishers, and importers worldwide.
Source: European Commission CRA proposal

When does the Cyber Resilience Act come into force?
The CRA was adopted in March 2024. After a 36-month transition period for most product categories, compliance will be required from approximately late 2027.
Source: European Parliament CRA timeline

Does the Cyber Resilience Act apply to open source software?
Open source software developed commercially is covered. Purely voluntary open source contributions are largely excluded, though the final carve-out provisions were heavily debated during the legislative process.
Source: EU CRA open source provisions

How does the CRA relate to NIS2 and the AI Act?
The CRA covers product security from design to end-of-life. NIS2 covers operational security for critical infrastructure operators. The AI Act covers AI system risk. All three are part of the EU's overlapping digital regulation stack.
Source: European Commission digital regulation briefing

Background

The Cyber Resilience Act (CRA) was adopted by the European Parliament in March 2024, introducing mandatory cybersecurity requirements for any hardware or software product placed on the EU market that contains digital elements — including IoT devices, operating systems, and connected industrial equipment. Manufacturers must demonstrate compliance through vulnerability assessment, security-by-design principles, and five-year vulnerability disclosure obligations. The Act closes a long-standing gap in EU product-safety regulation by treating cybersecurity as a product characteristic rather than an optional add-on, and will apply from late 2027. It is a component of Europe's broader digital sovereignty framework, ensuring that connected products operating in European infrastructure meet EU-defined security standards.