The Cyber Resilience Act (CRA) is official. This article summarizes the key deadlines, requirements and action areas companies need to know.
What the CRA means for companies
The CRA's requirements affect manufacturers, importers and distributors of products with digital elements. The term covers a wide range of devices and applications such as IoT devices, automation components, machinery and software. Products placed on the market before 11 December 2027 may also be affected if substantial changes are made to them afterwards.
Requirements at a glance
Manufacturers must ensure that their products assess and control cyber risks, implement effective vulnerability management and actively report vulnerabilities. Supply chain security also plays a central role. Importers and distributors have tiered obligations to ensure the security standard across the entire value chain.
For further information and details, see our article: Cyber Resilience Act
Key deadlines
- 20 November 2024: Publication of the CRA in the Official Journal of the EU
- 10 December 2024: Entry into force of the CRA
- 11 June 2026: Requirements for conformity assessment bodies
- 11 September 2026: Reporting obligations for manufacturers
- 11 December 2027: Full applicability
Action required for companies
Companies should prepare early for the new requirements to minimize risks and ensure compliance. The CRA is not only a regulatory challenge but also an opportunity to sustainably strengthen their cybersecurity.
Support for implementation
The requirements of the Cyber Resilience Act present a challenge for many companies. We assist you with analyzing your products and processes, integrating security measures and meeting technical requirements such as secure update processes and vulnerability management. We also support you with technical tests, certifications and the preparation of necessary documentation.
Contact us for a non-binding initial consultation where we will discuss how we can support you in the efficient and effective implementation of the Cyber Resilience Act.