EU Cyber Resilience Act (CRA).

EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027. サイバーセキュリティの コンプライアンスとフレームワーク カテゴリに属します。

EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027.

The EU Cyber Resilience Act (Regulation 2024/2847) is the first horizontal EU cybersecurity law applying to products. It entered into force in December 2024 with a phased timeline: vulnerability-reporting obligations from September 2026 and the full set of essential requirements from 11 December 2027. The CRA covers 'products with digital elements' — software, hardware, or both, including IoT devices, libraries, and many SaaS-tied products — placed on the EU market. Manufacturers must perform a cybersecurity risk assessment, deliver products free of known exploitable vulnerabilities, ship secure-by-default configurations, support security updates for at least five years (or product life if shorter), maintain an SBOM, handle vulnerabilities including coordinated disclosure, and report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. Open-source software is largely excluded from manufacturer obligations but introduces 'open-source software stewards' as a lighter category. Penalties reach €15 million or 2.5 % of worldwide annual turnover. The CRA is widely expected to reshape OSS funding, embedded device security, and vendor risk programs through the late 2020s.

EU Cyber Resilience Act (CRA) に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: CRA, Regulation EU 2024/2847。