

EU Council Gives Final Approval to Cyber Resilience Act — May 30, 2024

The Council of the European Union adopted the Cyber Resilience Act, completing the legislative process and setting the stage for publication and staged compliance deadlines.

Executive briefing: The Council of the European Union formally adopted the Cyber Resilience Act (CRA), following Parliament’s March vote. The regulation will be published in the Official Journal after linguistic checks, enter into force 20 days later, and apply after a 36-month transition period, with certain vulnerability reporting obligations taking effect after 12 months.

Implications for manufacturers

  • Compliance timeline. Organisations now have clarity on the 12-month reporting and 36-month full compliance deadlines once the CRA enters into force.
  • Market surveillance. National authorities will gain powers to restrict or recall non-compliant products, requiring robust conformity assessment documentation.
  • Coordination duties. Manufacturers, importers, and distributors must cooperate with authorities and ensure security updates reach end users promptly.

Control alignment guidance

  • Product compliance programmes. Finalise CRA implementation roadmaps, including CE marking, vulnerability handling, and software bill of materials documentation.
  • Incident reporting processes. Integrate CRA 24-hour ENISA notifications with existing NIS2 and sectoral reporting workflows.
  • Quality management systems. Align ISO 9001 and ISO/IEC 27001 controls with CRA conformity assessment requirements.

Operational recommendations

  • Monitor the Official Journal for publication to lock in exact compliance dates and update programme milestones accordingly.
  • Coordinate cross-functional teams—product security, legal, supply chain, and customer support—to validate responsibilities across the value chain.
  • Engage with EU notified bodies early if conformity assessments or third-party evaluations will be required for high-risk product classes.