Published on 11/25/2025

The Cyber Resilience Act, in plain English
THE FACTS

The Cyber Resilience Act (CRA), adopted in 2024, is a European regulation that imposes cybersecurity requirements on hardware and software products with digital elements placed on the European market, throughout their lifecycle. It also introduces an obligation for manufacturers to report actively exploited vulnerabilities and severe incidents, and increases transparency for users.

It applies to manufacturers, importers and distributors of products with digital elements placed on the European market.

The CRA will come into full effect in December 2027, at the end of a 36-month transition period that started when it entered into force in December 2024; the reporting obligations apply earlier, from September 2026.

THE CONTEXT

The CRA builds on the EU's 2020 cybersecurity strategy and the Security Union strategy. It complements other key legislative instruments, in particular the NIS2 directive, which targets the security of essential and important entities rather than that of products.

The aim of the CRA is twofold: to strengthen the protection of consumers and businesses in the face of increasing cybersecurity incidents, while harmonising requirements across Member States to create a more secure and competitive internal market.


KEY POINTS AND CLARIFICATION

"Security by design" and "security by default": digital products must be designed with cybersecurity measures built in from the outset (security by design) and shipped with secure settings activated by default (security by default).

Vulnerability management: manufacturers must put in place a process for detecting, correcting and monitoring vulnerabilities, and publish security updates throughout the product's support period.

Transparency and information: users must be informed of the cybersecurity risks, the recommended best practices and the duration for which security updates will be provided.

Compliance and monitoring: the product must undergo a conformity assessment (self-assessment, or third-party assessment for the more critical product categories), be accompanied by technical documentation, and comply with the notification obligations in the event of an actively exploited vulnerability or a severe incident.
ANALYSIS
Giuliano Ippoliti, Director of Cybersecurity at Cloud Temple

The Cyber Resilience Act marks a major breakthrough: cybersecurity is no longer an option, but an essential property expected at the design stage. By requiring control of each integrated component, the Act goes to the heart of the cloud model, which is based on interconnected software chains where trust is built on transparency. Europe is sending out a strong signal: cybersecurity is becoming a lever for competitiveness and technological sovereignty.

Open Source and Cyber Resilience

Although the CRA provides exemptions for non-profit, non-commercial open source projects, its obligations become binding when open source software is integrated into products or services offered in a commercial context.

These obligations include full technical documentation, proactive vulnerability management, a declaration of conformity, CE marking and the provision of a software bill of materials (SBOM).

This implies a profound transformation of the development, monitoring and maintenance processes, with a significant operational and financial impact.

