European Parliament Adopts Cyber Resilience Act — March 12, 2024

Executive briefing: On 12 March 2024 the European Parliament voted to adopt the Cyber Resilience Act (CRA), establishing horizontal cybersecurity requirements for products with digital elements sold in the EU. The regulation introduces baseline security-by-design obligations, coordinated vulnerability disclosure rules, and CE marking for connected devices, with transition periods ranging from 12 to 36 months after entry into force.

Key CRA obligations

• Secure development. Manufacturers must design, develop, and maintain products according to state-of-the-art cybersecurity practices, including vulnerability management processes.
• Incident reporting. Significant vulnerabilities and incidents must be reported to ENISA within 24 hours via the CSIRT network, followed by remediation updates.
• Lifecycle support. Vendors must provide security updates and publicly communicate support periods, ensuring consumers know when protection ends.

Control alignment guidance

• Product security programmes. Align secure development lifecycles and SBOM practices with CRA Annex I essential requirements.
• Coordinated vulnerability disclosure. Formalise intake, triage, and remediation workflows consistent with ISO/IEC 29147 and 30111.
• Supply-chain contracts. Update procurement clauses to ensure suppliers provide CE-marked products and timely security updates.

Operational recommendations

• Inventory in-scope hardware, software, and embedded products destined for the EU market and classify them by criticality level.
• Plan compliance roadmaps for the 12-month reporting obligations and 36-month full compliance deadline expected after the act enters into force.
• Coordinate with distributors and importers to document responsibilities for market surveillance, incident reporting, and patch distribution.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 93/100 · May 30, 2024

EU Council Gives Final Approval to Cyber Resilience Act — May 30, 2024

The Council of the European Union adopted the Cyber Resilience Act, completing the legislative process and setting the stage for publication and staged compliance deadlines.

Cybersecurity · Credibility 90/100 · March 7, 2024

Cybersecurity Briefing — March 7, 2024

CISA’s Secure by Design pledge sets seven concrete outcomes—MFA defaults, secure configurations, unique credentials, memory safety roadmaps, VDP maturity, accessible telemetry, and incident transparency—that vendors must…

Cybersecurity · Credibility 88/100 · March 27, 2024

FCC Updates Telecom Data Breach Reporting Rules — March 27, 2024

The FCC modernized breach notification timelines and federal coordination requirements for carriers handling CPNI and customer data.

Cybersecurity · Credibility 88/100 · April 17, 2024

Global Partners Issue Secure AI Implementation Guidance — April 17, 2024

UK NCSC, CISA, and 18 allied agencies published implementation guidance to operationalize secure-by-design controls for AI systems.

Cybersecurity · Credibility 91/100 · April 30, 2024

CISA Launches Secure by Design Pledge — April 30, 2024

CISA invited major technology manufacturers to commit to seven measurable secure-by-design goals covering memory-safe languages, MFA by default, and vulnerability disclosure performance.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.