EU Cyber Resilience Act proposal published

On 15 September 2022, the European Commission published its proposal for the Cyber Resilience Act (CRA), establishing horizontal cybersecurity requirements for all products with digital elements—hardware and software—placed on the EU market. The regulation mandates security-by-design principles, vulnerability handling processes, and CE marking requirements. With fines up to €15 million or 2.5% of global turnover, the CRA represents the most significant product cybersecurity regulation globally.

Scope and requirements

The CRA applies to all products with digital elements placed on the EU market, including IoT devices, software applications, and connected hardware. Products are classified into default, "important" (Class I), and "critical" (Class II) categories, with higher categories requiring third-party conformity assessment. Critical products include industrial automation systems, firewalls, and certain network equipment.

Manufacturers must ensure products are designed with security-by-design principles, ship with secure default configurations, and remain patchable throughout their support period. Products must not contain known exploitable vulnerabilities at time of release. Manufacturers must conduct risk assessments, implement vulnerability handling processes, and provide security updates for at least five years or the product's expected lifetime.

Documentation and disclosure

The CRA mandates full documentation including technical specifications, risk assessments, and software bills of materials (SBOMs). Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA within 24 hours of becoming aware, followed by detailed reports within 72 hours. This disclosure requirement exceeds many existing frameworks and will require significant process changes.

Products must display CE marking indicating conformity with CRA requirements. Non-compliant products can be recalled from the market, and market surveillance authorities gain powers to require remediation or prohibit sales.

Timeline and preparation

Following legislative adoption, manufacturers will have a transition period (originally proposed as 24 months, with 12 months for reporting obligations) to achieve compliance. If you are affected, begin gap assessments against CRA requirements, evaluate product classification, and establish or improve vulnerability handling processes.

Key preparation steps include implementing secure development lifecycles, establishing SBOM generation capabilities, developing vulnerability disclosure policies, and building relationships with third-party assessment bodies for Class I and II products. Companies should also evaluate supply chain implications, as component suppliers will need to provide security information to downstream manufacturers.

Policy Development and Analysis

Policy analysis should assess the implications of this development for organizational operations, compliance obligations, and strategic positioning. Impact assessments should consider both direct requirements and indirect effects through industry practices, customer expectations, and competitive dynamics.

Policy development processes should engage relevant teams to ensure full consideration of diverse perspectives and practical setup constraints. Feedback mechanisms should capture lessons learned and drive policy refinements based on operational experience.

Policy Implementation Monitoring

Policy teams should track setup progress and monitor for developments that may affect requirements or interpretation. Stakeholder engagement should ensure relevant parties understand policy implications and their responsibilities for compliance. Documentation should support audit and examination processes by demonstrating timely awareness and appropriate response to policy developments.

Regular reviews should assess ongoing compliance status and identify any gaps requiring additional attention or resource allocation.

Detailed guidance

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Assurance and verification

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Working with vendors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

What planners should consider

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

How to measure progress

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

Final notes

Organizations should prioritize assessment of their current posture against the requirements outlined above and develop actionable plans to address identified gaps. Regular progress reviews and stakeholder communications help maintain momentum and accountability throughout the implementation journey.

Continued engagement with industry peers, professional associations, and regulatory bodies provides valuable opportunities for knowledge sharing and influence on future policy developments. Organizations that address emerging requirements position themselves favorably relative to competitors and build stakeholder confidence.

How governance applies

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Sustaining progress

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

Immediate steps

• Assessment requirement: Evaluate current practices against the updated requirements outlined in this analysis.
• Documentation update: Review and update relevant policies, procedures, and technical documentation.
• Stakeholder communication: Brief affected teams on timeline implications and resource requirements.
• Compliance verification: Schedule internal review to confirm alignment with guidance.

More on this topic

Further reading from our research library.

Policy · Credibility 71/100 · June 27, 2023

EU Council adopts general approach on Cyber Resilience Act

EU Council adopted its Cyber Resilience Act approach in June 2023. Product cybersecurity requirements for the EU market. Hardware and software manufacturers prepare for compliance.

Policy · Credibility 71/100 · September 12, 2023

European Parliament Adopts Cyber Resilience Act Position

The European Parliament approved its negotiating position on the Cyber Resilience Act on 12 September 2023, backing mandatory security requirements and vulnerability handling obligations for connected products.

Policy · Credibility 90/100 · December 16, 2020

EU Cybersecurity Strategy for the Digital Decade

The European Commission’s December 2020 cybersecurity strategy pairs the NIS2 legislative recast, a proposed Joint Cyber Unit, and investment plans for cloud, 5G, and OT security, signaling stricter board accountability…

Policy · Credibility 71/100 · December 15, 2020

European Commission proposes Digital Markets Act

The European Commission unveiled the draft Digital Markets Act on 15 December 2020, introducing ex-ante obligations for large online platforms designated as gatekeepers.

Policy · Credibility 86/100 · August 5, 2025

Supply chain due diligence

EU Battery Regulation due diligence requirements address supply chain risks for battery materials. Companies placing batteries on the EU market need documented policies for cobalt, lithium, and other critical minerals.…

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Policy Implementation Guide

  Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

• Digital Markets Compliance Guide

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Semiconductor Industrial Strategy Policy Guide

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published

September 15, 2022

Coverage pillar

Policy

Source credibility

93/100 — high confidence

Topics

EU regulation · product security · cybersecurity requirements · CE marking

Sources cited

3 sources (digital-strategy.ec.europa.eu, cvedetails.com, iso.org)

Reading time

6 min

Source material

1. Cyber Resilience Act Proposal — European Commission
2. CVE Details - Vulnerability Database — CVE Details
3. ISO 31000:2018 — Risk Management Guidelines — International Organization for Standardization