
Cyber Resilience Act
EU regulation imposing cybersecurity requirements on connected hardware and software products.
Last refreshed: 20 May 2026 · Appears in 2 active topics
If the UK ICO is already enforcing NCSC baseline guidance under GDPR, what does the CRA add?
Timeline for Cyber Resilience Act
- Mentioned in: RansomHouse posts Trellix internal screenshots as extortion leverage [Cybersecurity: Threats and Defences]
- Proceeded to Lords Second Reading with Trellix as a live case study for 24-hour reporting provisions [Cybersecurity: Threats and Defences: Trellix discloses 21-day-old breach of source-code repository]
- Announced with summer 2026 formal launch and GOV.UK signatories list [Cybersecurity: Threats and Defences: UK cyber sector clears 14.7bn pounds]
- Mentioned in: FIRESTARTER implant survives every Cisco firewall patch [Cybersecurity: Threats and Defences]
- Mentioned in: NCSC ships SilentGlass, its first commercial product [Cybersecurity: Threats and Defences]
- What is the EU Cyber Resilience Act and who does it affect?
- The CRA requires any hardware or software product with digital elements sold in the EU to meet mandatory cybersecurity requirements throughout its lifetime, from design through to end-of-support. It affects device makers, software publishers, and importers worldwide selling into the EU market. Source: European Commission CRA proposal
- When does the Cyber Resilience Act come into force?
- The CRA was adopted in March 2024. After a 36-month transition period for most product categories, compliance will be required from approximately late 2027. Source: European Parliament CRA timeline
- Does the Cyber Resilience Act apply to open source software?
- Open source software developed commercially is covered. Draft March 2026 guidance confirmed liability falls on the entity that 'puts it into service': the commercial publisher or deployer, not the volunteer maintainer community. Purely voluntary open source contributions are largely excluded. Source: European Commission CRA open-source guidance, March 2026
- How does the CRA relate to NIS2 and the AI Act?
- The CRA covers product security from design to end-of-life. NIS2 covers operational security for critical infrastructure operators. The AI Act covers AI system risk. All three are part of the EU's overlapping digital regulation stack. Source: European Commission digital regulation briefing
- Is the Capita ICO fine a preview of what the CRA will enforce?
- The Capita £14m fine and South Staffordshire Water £963,900 fine both enforced NCSC baseline guidance as a proxy for adequate security under UK GDPR Article 32, the same security-of-processing standard the CRA will codify at product level for EU manufacturers. The enforcement pattern confirms the regulatory baseline is moving before the CRA reaches the statute book. Source: ICO / Lowdown analysis
Background
The Cyber Resilience Act (CRA) was adopted by the European Parliament in March 2024, introducing mandatory cybersecurity requirements for any hardware or software product placed on the EU market that contains digital elements: IoT devices, operating systems, and connected industrial equipment. Manufacturers must demonstrate compliance through vulnerability assessment, security-by-design principles, and five-year vulnerability disclosure obligations. The Act closes a long-standing gap in EU product-safety regulation by treating cybersecurity as a product characteristic rather than an optional add-on, and will apply from late 2027 after a 36-month transition period. It is a component of Europe's broader digital sovereignty framework, ensuring that connected products operating in European infrastructure meet EU-defined security standards.
The CRA's open-source provisions (heavily debated during the legislative process) were partially resolved in March 2026 when the European Commission published draft implementation guidance confirming that responsibility for free and open-source software (FOSS) falls on the entity that 'puts it into service', not the volunteer maintainer community. The consultation closed on 31 March 2026. This interpretation protects individual contributors while placing compliance obligations on commercial publishers and deployers of open-source components: a distinction with significant implications for enterprise software procurement.
The CRA is not yet in force, but the enforcement picture it anticipates (mandatory cybersecurity requirements with penalties of up to 2.5 per cent of global annual turnover) is already being approximated through statutes on the books. The ICO's Capita enforcement under UK GDPR Article 32, the South Staffordshire Water fine of £963,900 under the same framework, and the SEC's 2023 cyber-disclosure rule as applied to the West Pharma 8-K (May 2026) together constitute a cross-jurisdictional enforcement convergence that the CRA will eventually systematise.
Update #383 (May 2026) does not add a direct CRA legislative advance. The significance is contextual: three enforcement actions across UK ICO, EU GDPR, and US SEC in a single fortnight demonstrate that the security-of-processing duty the CRA will codify at product level is already being enforced at the organisational level through existing data-protection and disclosure statutes. For legal and compliance teams tracking the CRA's implementation timeline, the regulatory baseline is moving before the Act reaches the Federal Register or the UK's equivalent Cyber Security and Resilience Bill reaches Royal Assent. The practical question is whether CRA compliance planning can be accelerated by mapping against GDPR Article 32 and NCSC baseline guidance, which the Capita and South Staffordshire enforcement has confirmed are already treated as enforceable standards.