EU Cyber Resilience Act (CRA).

EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027. It belongs to the Compliance & Frameworks category of cybersecurity.

EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027.

The EU Cyber Resilience Act (Regulation 2024/2847) is the first horizontal EU cybersecurity law applying to products. It entered into force in December 2024 with a phased timeline: vulnerability-reporting obligations from September 2026 and the full set of essential requirements from 11 December 2027. The CRA covers 'products with digital elements' — software, hardware, or both, including IoT devices, libraries, and many SaaS-tied products — placed on the EU market. Manufacturers must perform a cybersecurity risk assessment, deliver products free of known exploitable vulnerabilities, ship secure-by-default configurations, support security updates for at least five years (or product life if shorter), maintain an SBOM, handle vulnerabilities including coordinated disclosure, and report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. Open-source software is largely excluded from manufacturer obligations but introduces 'open-source software stewards' as a lighter category. Penalties reach €15 million or 2.5 % of worldwide annual turnover. The CRA is widely expected to reshape OSS funding, embedded device security, and vendor risk programs through the late 2020s.

Defences for EU Cyber Resilience Act (CRA) typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: CRA, Regulation EU 2024/2847.