European Parliament Adopts Cyber Resilience Act — March 12, 2024

High-level summary

On 12 March 2024, the European Parliament voted to adopt the Cyber Resilience Act (CRA), establishing full cybersecurity requirements for products with digital elements sold in the European Union. The regulation mandates secure-by-design development practices, coordinated vulnerability handling, CE marking for connected devices, and security update obligations throughout product lifecycles, with transition periods ranging from 12 to 36 months after entry into force.

Legislative Context

The Parliament's adoption represents a key milestone in the EU's full cybersecurity regulatory framework:

• Commission proposal: The European Commission proposed the CRA in September 2022 to address critical gaps in product cybersecurity requirements.
• Trilogue negotiations: Parliament, Council, and Commission engaged in extended negotiations to finalize the regulation's scope and requirements.
• Final steps: Following Parliament adoption, Council formal adoption completes the legislative process before Official Journal publication.
• Complementary framework: The CRA works alongside NIS2, sector-specific regulations, and the AI Act to create full EU digital security coverage.

Scope and Covered Products

The CRA applies broadly to products with digital elements:

• Hardware products: Connected devices, IoT products, industrial control systems, networking equipment, and embedded systems.
• Software products: Standalone software applications, operating systems, firmware, and software components.
• Product categories: Consumer electronics, smart home devices, wearables, automotive components, medical devices, and industrial equipment.
• Exclusions: Certain products already covered by equivalent sector-specific regulations (for example, medical devices, automotive), open-source software developed non-commercially, and national security applications.

Core Security Requirements

The CRA establishes essential cybersecurity requirements for all covered products:

• Secure development: Products must be designed, developed, and maintained according to state-of-the-art cybersecurity practices, implementing security throughout the development lifecycle.
• Security by design: Default configurations must focus on security, with attack surface minimization and defense-in-depth principles applied.
• Vulnerability minimization: Products must be delivered without known exploitable vulnerabilities, with processes to identify and address security issues.
• Data protection: Products must protect confidentiality, integrity, and availability of data they process or store.
• Access control: Appropriate authentication and authorization mechanisms must protect against unauthorized access.

Vulnerability Handling Obligations

The CRA establishes full vulnerability management requirements:

• Vulnerability identification: Manufacturers must implement processes to identify vulnerabilities in their products throughout the lifecycle.
• Coordinated disclosure: Establish coordinated vulnerability disclosure processes enabling security researchers to report findings.
• Incident reporting: Actively exploited vulnerabilities and significant security incidents must be reported to ENISA within 24 hours.
• Remediation: Vulnerabilities must be addressed without delay through security updates distributed to users.
• Documentation: Maintain documentation of identified vulnerabilities, remediation actions, and security updates.

Security Update Obligations

Manufacturers must ensure products receive ongoing security maintenance:

• Free updates: Security updates must be provided to users free of charge throughout the support period.
• Support period disclosure: Manufacturers must publicly communicate the expected support period at time of sale.
• Minimum support: Support periods must be proportionate to expected product lifetime, with minimums established for different product categories.
• Update distribution: Updates must be made available through accessible mechanisms enabling users to install patches.
• End-of-support notification: Users must be informed when security support ends.

Conformity Assessment

Products must undergo conformity assessment before EU market placement:

• Default category: Most products undergo manufacturer self-assessment with internal documentation and testing.
• Important products (Class I): Products with elevated security implications face improved assessment requirements.
• Critical products (Class II): High-risk products require third-party assessment by notified bodies.
• CE marking: Compliant products needs to bear CE marking indicating conformity with CRA requirements.
• Technical documentation: Manufacturers must maintain documentation demonstrating conformity.

Schedule and deadlines

The CRA establishes staged compliance deadlines:

• Entry into force: The regulation enters into force 20 days after Official Journal publication.
• 12-month obligations: Vulnerability reporting requirements to ENISA take effect 12 months after entry into force.
• 36-month full compliance: All other CRA requirements apply 36 months after entry into force.
• Notified body designation: Member states must designate conformity assessment bodies within the transition period.

Supply Chain Implications

The CRA creates obligations throughout the product supply chain:

• Component suppliers: Suppliers of software and hardware components may need to provide security documentation to product manufacturers.
• Software bill of materials: Manufacturers must document software components to support vulnerability tracking.
• Importers: Must verify products comply with CRA requirements before placing them on the EU market.
• Distributors: Must verify CE marking and cooperate with market surveillance authorities.

Compliance Program Development

If you are affected, begin developing CRA compliance programs:

• Product inventory: Identify all products with digital elements destined for EU markets and assess CRA applicability.
• Gap assessment: Evaluate current security practices against CRA essential requirements.
• Process development: Establish secure development, vulnerability handling, and update distribution processes.
• Documentation: Create technical documentation and conformity assessment procedures.
• Standards alignment: Align with ISO/IEC 27001, ISO/IEC 29147, ISO/IEC 30111, and emerging harmonized standards.

Global Impact

The CRA will influence product security practices worldwide:

• Extraterritorial reach: Any manufacturer selling products in the EU must comply regardless of headquarters location.
• Standard setting: The CRA may influence global product security expectations similar to GDPR's impact on privacy.
• Competitive implications: Compliance investments may favor manufacturers with mature security programs.

Closing analysis

The European Parliament's adoption of the Cyber Resilience Act marks a major moment for product security regulation globally. Organizations selling products with digital elements in EU markets needs to begin compliance preparations immediately, given the complexity of implementing full product security programs. The CRA establishes security-by-design as a market access requirement, fundamentally changing how connected products are developed and maintained.

More on this topic

Further reading from our research library.

Cybersecurity · Credibility 93/100 · May 30, 2024

EU Council Gives Final Approval to Cyber Resilience Act — May 30, 2024

The Council of the European Union adopted the Cyber Resilience Act, completing the legislative process and setting the stage for publication and staged compliance deadlines.

Cybersecurity · Credibility 90/100 · March 7, 2024

Secure by Design

CISA launched its Secure by Design Pledge, asking software manufacturers to commit to MFA defaults, reducing vulnerability classes, and security patch transparency. It is voluntary, but names are published.

Cybersecurity · Credibility 88/100 · March 27, 2024

FCC Updates Telecom Data Breach Reporting Rules — March 27, 2024

The FCC updated data breach rules for telecom carriers in March 2024. Faster notification timelines and better federal coordination. If you are a carrier, review your breach response procedures.

Cybersecurity · Credibility 91/100 · April 17, 2024

Global Partners Issue Secure AI Implementation Guidance — April 17, 2024

UK NCSC, CISA, and 18 allied agencies published setup guidance to operationalize secure-by-design controls for AI systems.

Cybersecurity · Credibility 92/100 · April 30, 2024

CISA Secure by Design pledge launches

On 30 April 2024 CISA launched the Secure by Design pledge, with major software vendors committing to measurable security improvements within one year.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook

  Use our research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.

• Network Security Fundamentals Explained Practically

  A practitioner-focused guide to network security fundamentals covering firewalls, segmentation, IDS/IPS, DNS security, VPNs, wireless security, zero trust architecture, and traffic…

• Small Business Cybersecurity Survival Checklist

  A budget-conscious cybersecurity checklist built specifically for small businesses. This guide covers foundational security policies, network hardening, employee training, phishing…

Coverage intelligence

Published

March 12, 2024

Coverage pillar

Cybersecurity

Source credibility

93/100 — high confidence

Topics

European Union · Product security · Secure by design · Regulation

Sources cited

3 sources (europarl.europa.eu, digital-strategy.ec.europa.eu, iso.org)

Reading time

5 min

Source material

1. European Parliament — Cyber Resilience Act: press release
2. European Commission — Cyber Resilience Act
3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization