European Parliament Adopts Cyber Resilience Act — March 12, 2024
MEPs approved the Cyber Resilience Act to mandate secure-by-design development, coordinated vulnerability handling, and CE marking for connected products across the EU.
Executive briefing: On March 12, 2024, the European Parliament voted to adopt the Cyber Resilience Act (CRA), establishing horizontal cybersecurity requirements for products with digital elements sold in the EU. The regulation introduces baseline security-by-design obligations, coordinated vulnerability disclosure rules, and CE marking for connected devices, with transition periods ranging from 12 to 36 months after entry into force.
Key CRA obligations
- Secure development. Manufacturers must design, develop, and maintain products according to state-of-the-art cybersecurity practices, including vulnerability management processes.
- Incident reporting. Significant vulnerabilities and incidents must be reported to ENISA within 24 hours via the CSIRT network, followed by remediation updates.
- Lifecycle support. Vendors must provide security updates and publicly communicate support periods, ensuring consumers know when protection ends.
Control alignment guidance
- Product security programmes. Align secure development lifecycles and SBOM practices with CRA Annex I essential requirements.
- Coordinated vulnerability disclosure. Formalise intake, triage, and remediation workflows consistent with ISO/IEC 29147 and 30111.
- Supply-chain contracts. Update procurement clauses to ensure suppliers provide CE-marked products and timely security updates.
Operational recommendations
- Inventory in-scope hardware, software, and embedded products destined for the EU market and classify them by criticality level.
- Plan compliance roadmaps for the 12-month reporting obligations and 36-month full compliance deadline expected after the act enters into force.
- Coordinate with distributors and importers to document responsibilities for market surveillance, incident reporting, and patch distribution.