
Cyber Resilience Act
EU regulation imposing cybersecurity requirements on connected hardware and software products.
Last refreshed: 20 May 2026 · Appears in 2 active topics
If the UK ICO is already enforcing NCSC baseline guidance under GDPR, what does the CRA add?
Timeline for Cyber Resilience Act
Mentioned in: EU backs open source with €2bn plan
European Tech SovereigntyMentioned in: Magento RCE forces 9-day patch race
Cybersecurity: Threats and DefencesMentioned in: RansomHouse posts Trellix internal screenshots as extortion leverage
Cybersecurity: Threats and DefencesProceeded to Lords Second Reading with Trellix as a live case study for 24-hour reporting provisions
Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repositoryAnnounced with summer 2026 formal launch and GOV.UK signatories list
Cybersecurity: Threats and Defences: UK cyber sector clears 14.7bn poundsWhat is the EU Cyber Resilience Act and who does it affect?
When does the Cyber Resilience Act come into force?
Does the Cyber Resilience Act apply to open source software?
Background
The Cyber Resilience Act (CRA) was adopted by the European Parliament in March 2024, introducing mandatory cybersecurity requirements for any hardware or software product placed on the EU market that contains digital elements: IoT devices, operating systems, and connected industrial equipment. Manufacturers must demonstrate compliance through vulnerability assessment, security-by-design principles, and five-year vulnerability disclosure obligations. The Act closes a long-standing gap in EU product-safety regulation by treating cybersecurity as a product characteristic rather than an optional ADD-on, and will apply from late 2027 after a 36-month transition period. It is a component of Europe's broader digital sovereignty framework, ensuring that connected products operating in European infrastructure meet EU-defined security standards.
The CRA's open-source provisions (heavily debated during the legislative process) were partially resolved in March 2026 when the European Commission published draft implementation guidance confirming that responsibility for free and open-source software (FOSS) falls on the entity that 'puts it into service', not the volunteer maintainer community. The consultation closed on 31 March 2026. This interpretation protects individual contributors while placing compliance obligations on commercial publishers and deployers of open-source components: a distinction with significant implications for enterprise software procurement.
The CRA is not yet in force, but the enforcement picture it anticipates (mandatory cybersecurity requirements with penalties of up to 2.5 per cent of global annual turnover) is already being approximated through statutes on the books. The ICO's Capita enforcement under UK GDPR Article 32, the South Staffordshire Water fine of £963,900 under the same framework, and the SEC's 2023 cyber-disclosure rule as applied to the West Pharma 8-K (May 2026) together constitute a cross-jurisdictional enforcement convergence that the CRA will eventually systematise.
Update #383 (May 2026) does not ADD a direct CRA legislative advance. The significance is contextual: three enforcement actions across UK ICO, EU GDPR, and US SEC in a single fortnight demonstrate that the security-of-processing duty the CRA will codify at product level is already being enforced at the organisational level through existing data-protection and disclosure statutes. For legal and compliance teams tracking the CRA's implementation timeline, the regulatory baseline is moving before the Act reaches the Federal Register or the UK's equivalent Cyber Security and Resilience Bill reaches Royal Assent. The practical question is whether CRA compliance planning can be accelerated by mapping against GDPR Article 32 and NCSC baseline guidance, which the Capita and South Staffordshire enforcement has confirmed are already treated as enforceable standards.