Policy Briefing — EU Cyber Resilience Act Proposal
The European Commission proposed the Cyber Resilience Act to mandate baseline cybersecurity requirements, vulnerability handling, and transparency obligations for products with digital elements sold in the EU.
Executive briefing: The European Commission has proposed the Cyber Resilience Act (CRA). The regulation would impose essential cybersecurity requirements, vulnerability handling obligations, and conformity assessments for hardware and software products, with stricter rules for critical products.
Key provisions
- Essential requirements. Manufacturers must design products with security by default and by design, including secure configuration, protection from unauthorised access, and resilience against known vulnerabilities.
- Vulnerability management. Vendors must establish coordinated vulnerability disclosure, provide security updates for at least five years, and report actively exploited vulnerabilities and incidents to ENISA within 24 hours.
- Critical product classes. High-risk categories such as identity management, industrial control, and operating systems require third-party conformity assessments before market access.
Preparation steps
- Inventory EU product portfolios and map them against CRA product classes to identify which lines face stringent conformity assessments.
- Evaluate vulnerability disclosure programmes, patch delivery pipelines, and SBOM coverage to ensure they meet CRA reporting timelines.
- Coordinate with notified bodies and certification teams to plan for conformity assessment documentation, including technical files and lifecycle security evidence.
Strategic implications
- Market surveillance. Non-compliance can lead to product withdrawal and fines of up to €15 million or 2.5% of global turnover; embed CRA compliance into product launch gates.
- Alignment with NIS2. Operators of essential services will expect suppliers to provide CRA-aligned attestations; synchronise supplier assurance with NIS2 and DORA requirements.
- Lifecycle investment. Budget for secure development tooling, penetration testing, and long-term update infrastructure to satisfy the five-year support obligation.
Zeph Tech is mapping CRA essential requirements to product security baselines so engineering teams can integrate compliance evidence into design reviews.