The Cyber Resilience Act (CRA) is official. All key deadlines, requirements and action areas for companies at a glance.
What does the CRA mean for companies?
The requirements of the CRA affect manufacturers, importers and distributors of products with digital elements. The term covers a wide range of devices and applications such as IoT devices, automation components, machinery and software. Products placed on the market before 11 December 2027 can also be affected if substantial changes are made afterwards.
Overview of requirements
Manufacturers must ensure that their products assess and control cyber risks, implement effective vulnerability management and actively report vulnerabilities. Supply chain security also plays a central role. Importers and distributors face tiered obligations to ensure the security standard along the entire value chain.
Further information and details can be found in our article: Cyber Resilience Act
Key deadlines
-
- November 2024: Publication of the CRA in the Official Journal of the EU
-
- Dezember 2024: Entry into force of the CRA
-
- Juni 2026: Requirements for conformity assessment bodies
-
- September 2026: Reporting obligations for manufacturers
-
- Dezember 2027: Full applicability
Actions required for companies
Companies should prepare early for the new requirements to minimize risks and ensure compliance. The CRA is not only a regulatory challenge but also an opportunity to strengthen their cyber security sustainably.
The Cyber Resilience Act sets clear deadlines but deliberately leaves room for implementation. If you want to understand how the dates concretely affect your products, processes and priorities, this can be clarified in a non-binding conversation.