Today marks a significant milestone in the journey towards enhanced cybersecurity across the European Union.
The Cyber Resilience Act (CRA), a cornerstone regulation designed to strengthen the digital landscape, has officially been published in the EU's Official Journal. This development sets the stage for the regulation’s implementation, shaping the future of cybersecurity for manufacturers, service providers, and consumers alike.
The requirements of the CRA will become mandatory in late 2027, but note that cybersecurity requirements for many wireless products become mandatory already in August 2025 (see the last section).
What is the Cyber Resilience Act?
The Cyber Resilience Act is the EU’s ambitious response to the rapidly evolving cybersecurity challenges that come with digital innovation. Its primary goal is to ensure that hardware and software products placed on the EU market are designed and developed to minimize cybersecurity risks. It also emphasizes the need for secure products throughout their lifecycle, requiring manufacturers to actively maintain cybersecurity standards post-market introduction.
Key highlights of the CRA include:
You can explore the full text of the regulation in the Official Journal here.
Why Does This Matter?
The CRA sets a precedent by introducing cybersecurity obligations that align with a product’s entire lifecycle. For businesses, this means re-evaluating existing development processes, supply chains, and compliance strategies. For consumers, it signifies greater confidence in the security of the digital products they use every day.
For industries, particularly those working with physical products such as IoT devices, or with software development, this regulation represents both a challenge and an opportunity. Adapting to these new requirements will not only ensure compliance but also offer a competitive edge in an increasingly security-conscious market.
What This Means for Cybersecurity Certification
While the CRA doesn’t mandate specific certification schemes, its emphasis on conformity and compliance naturally ties into the role of cybersecurity certifications. Certifications provide a clear path for organizations to demonstrate their commitment to security, both in product development and ongoing maintenance.
As a company actively involved in cybersecurity assessments, we recognize the importance of informing and supporting stakeholders as they navigate the implications of this regulation. Our focus is on fostering a secure digital ecosystem through transparency, collaboration, and adherence to international standards.
Looking Ahead
The publication of the CRA in the Official Journal is just the beginning. With implementation timelines now in motion, businesses across the EU will need to prepare for compliance and adapt their processes to meet the new requirements. It’s an exciting time for those of us in the cybersecurity field, as we work together to meet the challenges and opportunities this regulation presents.
But wait, what about RED?
Mandatory cybersecurity does not wait for the CRA! The Radio Equipment Directive (RED) introduces mandatory cybersecurity requirements for most connected wireless products already from 1 August 2025!
The standard chosen for these requirements is EN 18031, which is now widely used in Europe in the race to make all relevant products comply in time. When the CRA becomes mandatory in late 2027, the cybersecurity requirements of the RED will be withdrawn, as they are replaced by the CRA, which has a much wider scope.
Stay tuned for more updates and insights as the CRA moves from publication to full implementation.
And if you need assistance, book a free meeting.