
EU Council Gives Final Approval to Cyber Resilience Act — May 30, 2024

The Council of the European Union adopted the Cyber Resilience Act, completing the legislative process and setting the stage for publication and staged compliance deadlines.


At a glance

With this vote, the Council of the European Union formally adopted the Cyber Resilience Act (CRA), completing the legislative process that began with Parliament's March 2024 plenary approval. The regulation establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market, covering both hardware and software, and binds manufacturers, importers, and distributors regardless of where they are based.

Legislative Journey and Context

The CRA represents a major EU cybersecurity initiative addressing product security gaps:

  • Commission proposal: The European Commission proposed the CRA in September 2022 to close the gap left by the absence of horizontal cybersecurity requirements for connected products.
  • Parliament approval: The European Parliament approved the text in March 2024, following the trilogue agreement reached with the Council.
  • Council adoption: Formal adoption by the Council is the final legislative step before signature and publication in the Official Journal of the European Union.
  • Complementary framework: The CRA sits alongside NIS2 (which regulates the security of entities and their networks) and sector-specific rules; together they cover both the organisations operating systems and the products those systems are built from.

Regulatory Scope and Covered Products

The CRA applies broadly to products with digital elements:

  • Hardware products: Connected devices, IoT products, networking equipment, and industrial control components that contain software or firmware and are connected directly or indirectly to a device or network.
  • Software products: Standalone applications, operating systems, and firmware made available to users, including remote data-processing solutions that a product depends on to perform its functions.
  • Product categories: Consumer electronics, smart home devices, wearables, industrial equipment, and general-purpose software sold or otherwise supplied commercially in the EU.
  • Exclusions: Free and open-source software not made available in the course of a commercial activity; products already covered by equivalent EU sectoral rules (medical devices and in vitro diagnostics, type-approved motor vehicles, civil aviation, and marine equipment); and products developed exclusively for national security or defence purposes. A commercial product that embeds open-source components is still in scope, and the manufacturer remains responsible for those components.

Key Compliance Requirements

The CRA establishes multiple obligations for economic operators:

  • Security by design: Products must be designed, developed, and produced to meet the essential cybersecurity requirements in Annex I, including secure-by-default configuration, minimised attack surface, and protection of the confidentiality and integrity of data.
  • Vulnerability handling: Manufacturers must operate a process for identifying, documenting, and remediating vulnerabilities throughout the support period, including a coordinated vulnerability disclosure policy and a contact point for reports.
  • Security updates: Products must receive security updates free of charge for a support period that reflects the product's expected use time, and of at least five years unless a shorter period is justified.
  • Software bill of materials: Manufacturers must identify and document the components in a product, including an SBOM in a commonly used machine-readable format covering at least the top-level dependencies, so that vulnerabilities can be traced to affected products.
  • Incident reporting: Actively exploited vulnerabilities and severe incidents affecting product security must be notified through the single reporting platform to the designated national CSIRT and ENISA, with an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days (exploited vulnerabilities) or one month (severe incidents).
  • CE marking: Compliant products carry the CE marking and are accompanied by an EU declaration of conformity stating conformity with the CRA's essential requirements.

Key dates and milestones

The CRA introduces staged compliance deadlines:

  • Entry into force: The regulation enters into force 20 days after publication in the Official Journal, expected in late 2024.
  • 18-month milestone: The provisions on notified bodies and their notification apply 18 months after entry into force, so that third-party assessment capacity exists before the main obligations bite.
  • 21-month reporting obligations: The reporting obligations for actively exploited vulnerabilities and severe incidents apply 21 months after entry into force.
  • 36-month full compliance: All other CRA requirements apply 36 months after entry into force, giving manufacturers time to adapt products and processes; products placed on the market before that date are covered only if substantially modified afterwards.
  • Transition planning: If you are affected, begin compliance efforts now; standing up a product security programme, a vulnerability handling process, and conformity documentation typically takes longer than the transition periods suggest.

Product Classification and Assessment

The CRA establishes risk-based product categories with corresponding conformity assessment requirements:

  • Default category: Most products undergo self-assessment by the manufacturer (internal control), supported by technical documentation and testing.
  • Important products, Class I (Annex III): Products such as browsers, password managers, VPNs, and routers may use self-assessment only when they fully apply harmonised standards, common specifications, or a European cybersecurity certification scheme; otherwise third-party assessment is required.
  • Important products, Class II (Annex III): Products such as hypervisors, firewalls, and tamper-resistant microcontrollers always require third-party conformity assessment by a notified body, or a European cybersecurity certificate at assurance level 'substantial' or higher.
  • Critical products (Annex IV): Products such as hardware security modules, smart meter gateways, and smart cards may be required by the Commission to obtain a European cybersecurity certificate under a scheme adopted under the Cybersecurity Act.
  • Classification criteria: Categorisation reflects the product's cybersecurity-related functionality, its intended use in sensitive environments, and the potential impact of its compromise on other products or on users.

Manufacturer Obligations

Manufacturers bear primary compliance responsibility:

  • Risk assessment: Conduct and document a cybersecurity risk assessment during planning, design, development, and maintenance, and use it to determine which essential requirements apply and how they are met.
  • Technical documentation: Maintain documentation covering the risk assessment, the security measures implemented, test and verification results, the SBOM, and the vulnerability handling process, and keep it available for ten years after the product is placed on the market or for the support period, whichever is longer.
  • Conformity assessment: Complete the conformity assessment procedure appropriate to the product's classification, then issue the EU declaration of conformity and affix the CE marking.
  • Post-market monitoring: Monitor the product after it is placed on the market, and where non-conformity or a vulnerability is identified, take corrective action, which may include withdrawal or recall, and inform the relevant authorities.
  • Update provision: Provide security updates without delay throughout the support period, separate from functionality updates where technically feasible, and ensure users can obtain and install them.

Importer and Distributor Responsibilities

The CRA extends obligations beyond manufacturers:

  • Importers: Before placing a product on the EU market, must verify that the manufacturer has carried out the conformity assessment, that the product bears the CE marking and is accompanied by the required documentation, and that the manufacturer is identifiable.
  • Distributors: Must verify the CE marking, the EU declaration of conformity, and required labelling; must not make available a product they know or have reason to believe is non-compliant; and must cooperate with market surveillance authorities.
  • Liability chain: An importer or distributor is treated as the manufacturer, with all the manufacturer's obligations, if it places a product on the market under its own name or trademark, or carries out a substantial modification of a product already on the market.

Enforcement and Penalties

The CRA establishes strong enforcement mechanisms:

  • Market surveillance: National authorities gain powers to test products, request documentation, and restrict or recall non-compliant products.
  • Administrative fines: Non-compliance with the essential requirements or the manufacturer's core obligations can result in fines of up to €15 million or 2.5% of total worldwide annual turnover in the preceding financial year, whichever is higher; lower tiers (up to €10 million or 2%, and up to €5 million or 1%) apply to other obligations and to supplying incorrect information.
  • Product restrictions: Authorities can prohibit or restrict non-compliant products from the EU market.
  • Cross-border coordination: Market surveillance authorities coordinate across member states to ensure consistent enforcement.

Global Market Implications

The CRA will affect manufacturers worldwide:

  • Extraterritorial reach: Any manufacturer selling products in the EU market must comply, regardless of headquarters location.
  • Supply chain impact: Component suppliers may need to provide security documentation and vulnerability information to product manufacturers.
  • Standard setting: The CRA may influence global product security expectations, similar to GDPR's influence on privacy standards.
  • Competitive implications: Compliance investments create barriers that may favor larger manufacturers with established security programs.

Compliance Program Development

If you are affected, develop structured CRA compliance programs:

  • Product inventory: Identify all products with digital elements sold in EU markets and assess CRA applicability.
  • Gap assessment: Evaluate current product security practices against CRA requirements to identify needed improvements.
  • Process development: Establish vulnerability handling, incident reporting, and update distribution processes.
  • Documentation: Create technical documentation templates and conformity assessment procedures.
  • Notified body engagement: For Class II products, identify and engage notified bodies for third-party assessment.

Integration with Existing Frameworks

If you are affected, align CRA compliance with existing security programs:

  • ISO 27001: Information security management system controls support CRA security-by-design requirements.
  • ISO 9001: Quality management system processes align with conformity assessment and documentation requirements.
  • NIS2: Organizations subject to both NIS2 and CRA should coordinate incident reporting and security management.
  • Sector regulations: Medical devices, automotive, and other regulated products face additional requirements beyond CRA.

Wrapping up

The Council's adoption of the Cyber Resilience Act marks a major moment for product security regulation. Organisations selling products with digital elements in the EU need to begin compliance preparations immediately, given the effort required to implement product security programmes, vulnerability handling processes, and conformity assessment procedures. The CRA's influence will probably extend beyond EU borders as manufacturers adopt consistent security practices across markets rather than maintain separate product variants.

Further reading

  1. Council of the EU — Cyber Resilience Act: Council gives its final approval
  2. European Commission — Cyber Resilience Act
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization