EU Cyber Resilience Act Enforcement Begins
The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) has entered its enforcement phase, marking a significant shift in how software and digital products are regulated for cybersecurity across the European Union. The regulation entered into force on 10 December 2024 and its obligations apply in stages: the vulnerability and incident reporting duties apply first, from 11 September 2026, and the remaining requirements apply from 11 December 2027.
What Is the Cyber Resilience Act?
The CRA establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market, whether hardware or software, and whether sold on their own or as part of another product. This includes:
- IoT devices and smart home products
- Desktop and mobile software
- Operating systems and firmware
- Network equipment and routers
Products already covered by sector-specific cybersecurity rules (for example medical devices, motor vehicles and civil aviation equipment) are excluded, as is free and open-source software that is not supplied in the course of a commercial activity.
Key Requirements
For Manufacturers
- Conduct a cybersecurity risk assessment during design and development, keep it in the technical documentation, and update it throughout the support period
- Ship products with a secure-by-default configuration and without known exploitable vulnerabilities at release
- Provide free security updates for the support period, which must reflect the time the product is expected to be in use and may not be shorter than 5 years unless the product is expected to be used for less than that
- Maintain a vulnerability handling process, including a coordinated vulnerability disclosure policy, and report actively exploited vulnerabilities and severe incidents on a fixed timeline: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report afterwards
For Software Publishers
The CRA does not treat software vendors as a separate category: anyone who places software with digital elements on the EU market under their own name is a manufacturer and carries the obligations above. In practice, the items that bite hardest for software teams are:
- Generate and maintain an SBOM (Software Bill of Materials) in a commonly used, machine-readable format that covers at least the product's top-level dependencies
- Implement secure development lifecycle practices and apply security testing throughout the product's support period
- Report actively exploited vulnerabilities through the single reporting platform operated by ENISA, which routes the notification to the CSIRT designated as coordinator and to ENISA, with the early warning due within 24 hours of becoming aware
Penalties
Non-compliance can result in:
- Fines of up to €15 million or 2.5% of global annual turnover, whichever is higher, for breaches of the essential cybersecurity requirements or the reporting obligations; lower tiers (up to €10 million or 2%, and up to €5 million or 1% for supplying incorrect information) apply to other breaches
- Orders from market surveillance authorities to restrict, withdraw or recall a non-compliant product from the EU market
- Public naming of non-compliant organizations
What Companies Should Do Now
- Audit your product portfolio — Identify all products that fall under CRA scope
- Establish SBOM processes — Automate SBOM generation in your CI/CD pipeline
- Set up vulnerability disclosure — Create a coordinated vulnerability disclosure program
- Document compliance — Prepare the technical documentation, EU declaration of conformity and CE marking for each digital product, and determine whether a self-assessment is enough or whether the product falls into a category that requires third-party conformity assessment
- Train your teams — Ensure developers understand secure development requirements
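The SBOM item above is the one step in this list that is mostly a tooling problem. As an added example (not code from the original article or from any CRA guidance), the script below shows the shape of a CI job that turns a pinned dependency file into a CycloneDX 1.5 JSON SBOM and then fails the build if the document does not cover every top-level dependency with a name and a pinned version. The input lock file is constructed for the example, the product name and version are assumptions, and the gate's exact checks are this example's own policy rather than text from the regulation; a real pipeline would normally produce the SBOM with a dedicated tool and run the same kind of gate over its output.

```python
"""Minimal SBOM generation and gating step for a CI pipeline.

Added example, not from the original article. It parses a constructed
pinned-requirements file, emits a CycloneDX 1.5 JSON SBOM listing the
product and its top-level dependencies, and runs a completeness gate that
fails the job when a component lacks a name or a pinned version. The gate
rules are this example's own policy, not wording from the CRA.
"""
import json
import re

# Constructed sample input, as a CI job would find it in the checkout.
# The last entry is deliberately unpinned so the gate has something to catch.
SAMPLE_LOCKFILE = """\
requests==2.31.0
cryptography==42.0.5
# comment lines and blank lines are ignored

pyyaml
"""

# name==version, optionally followed by whitespace or an environment marker.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)")


def parse_lockfile(text):
    """Return a list of (name, version) pairs; version is None when unpinned."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
        else:
            deps.append((line.split()[0].lower(), None))
    return deps


def build_cyclonedx(product_name, product_version, deps):
    """Build a CycloneDX 1.5 JSON-compatible dict for the product."""
    components = []
    for name, version in deps:
        comp = {"type": "library", "name": name}
        if version is not None:
            comp["version"] = version
            # Package URL (purl) gives downstream scanners a stable identifier.
            comp["purl"] = f"pkg:pypi/{name}@{version}"
        components.append(comp)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {
                "type": "application",
                "name": product_name,
                "version": product_version,
            }
        },
        "components": components,
    }


def sbom_gate(sbom):
    """Return a list of findings; an empty list means the gate passes."""
    findings = []
    meta = sbom.get("metadata", {}).get("component", {})
    if not meta.get("name") or not meta.get("version"):
        findings.append("product component is missing name or version")
    for comp in sbom.get("components", []):
        if not comp.get("name"):
            findings.append("component without a name")
        elif not comp.get("version"):
            findings.append(f"{comp['name']}: no pinned version")
    return findings


def run_pipeline_step(lockfile_text, product_name, product_version):
    """Emulate the CI step: parse, build, gate. Returns (sbom_json, findings)."""
    deps = parse_lockfile(lockfile_text)
    sbom = build_cyclonedx(product_name, product_version, deps)
    findings = sbom_gate(sbom)
    return json.dumps(sbom, indent=2, sort_keys=True), findings


if __name__ == "__main__":
    # "example-app" / "1.4.2" are assumed identifiers for the illustration.
    sbom_json, findings = run_pipeline_step(SAMPLE_LOCKFILE, "example-app", "1.4.2")
    print(sbom_json)
    for finding in findings:
        print("SBOM gate:", finding)
    raise SystemExit(1 if findings else 0)
```

Run as the last step of the build job and archive the emitted JSON with the release artifact, so the SBOM that ships is the one that was actually gated. The gate is deliberately strict about pinned versions: an unpinned entry means the SBOM cannot say which code was shipped, which defeats its purpose when a vulnerability later has to be matched against it.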
The CRA is one of the most comprehensive cybersecurity regulations for digital products adopted anywhere, and because it applies to any product placed on the EU market regardless of where it is made, it will likely shape both vendors' global engineering practices and similar legislation in other jurisdictions.