EU Cyber Resilience Act (CRA).

EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027. 它属于网络安全的 合规与框架 分类。

EU Regulation 2024/2847 imposing security-by-design, vulnerability handling, and conformity-assessment obligations on essentially all products with digital elements sold in the EU, with main obligations applying from December 2027.

The EU Cyber Resilience Act (Regulation 2024/2847) is the first horizontal EU cybersecurity law applying to products. It entered into force in December 2024 with a phased timeline: vulnerability-reporting obligations from September 2026 and the full set of essential requirements from 11 December 2027. The CRA covers 'products with digital elements' — software, hardware, or both, including IoT devices, libraries, and many SaaS-tied products — placed on the EU market. Manufacturers must perform a cybersecurity risk assessment, deliver products free of known exploitable vulnerabilities, ship secure-by-default configurations, support security updates for at least five years (or product life if shorter), maintain an SBOM, handle vulnerabilities including coordinated disclosure, and report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours. Open-source software is largely excluded from manufacturer obligations but introduces 'open-source software stewards' as a lighter category. Penalties reach €15 million or 2.5 % of worldwide annual turnover. The CRA is widely expected to reshape OSS funding, embedded device security, and vendor risk programs through the late 2020s.

针对 EU Cyber Resilience Act (CRA) 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: CRA, Regulation EU 2024/2847。