Policy Briefing — European Parliament Adopts Cyber Resilience Act Position
The European Parliament approved its negotiating position on the Cyber Resilience Act on 12 September 2023, backing mandatory security requirements and vulnerability handling obligations for connected products.
On 12 September 2023 Parliament voted to enter trilogues on the Cyber Resilience Act (CRA), a regulation that would impose baseline cybersecurity, vulnerability disclosure, and support lifetime requirements on hardware and software products with digital elements. The Parliament text seeks shorter remediation timelines for critical vulnerabilities and clearer obligations for open-source components used in commercial products.
Manufacturers and software publishers targeting the EU market should monitor the negotiations for final conformity assessment, incident reporting, and secure development mandates. Early alignment of SBOM practices, vulnerability intake processes, and support commitments will ease certification once the CRA is finalized.
- European Parliament press release outlines the adopted position and next steps.
- European Commission CRA proposal details the baseline obligations and product classes.
Continue in the Policy pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Semiconductor Industrial Strategy Policy Guide — Zeph Tech
Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.
-
Digital Markets Compliance Guide — Zeph Tech
Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…
-
Export Controls and Sanctions Policy Guide — Zeph Tech
Integrate U.S. Export Control Reform Act, International Emergency Economic Powers Act, and EU Dual-Use Regulation requirements into trade compliance, engineering, and supplier…