European Commission - Cyber Resilience Act
Pagina oficial de la Comision Europea sobre CRA.
- Regulación: CRA
- Emisor: European Commission
- Fuente oficial: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
An official website of the European UnionAn official EU website
How do you know?
All official European Union website addresses are in the europa.eu domain.
See all EU institutions and bodies
Cyber Resilience Act
Introducing the Cyber Resilience Act: the EU's new plan to make sure all digital products are safe from cyber threats. This important rulebook requires that devices and software are designed, updated, and maintained to protect users in our increasingly digital world. Experience a safer, more connected future where your security comes first.
From baby-monitors to smart watches, from apps to computer programs, connectable hardware and software are omnipresent in our daily lives. Less apparent to many users is the security risk such products may present.
The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying software or hardware products with digital elements. The CRA addresses the inadequate level of cybersecurity in many products, and the lack of timely security updates. It also tackles the challenges consumers and businesses currently face when trying to determining which products are cybersecure and in setting them up securely, making it easier to identify hardware and software with the proper cybersecurity features.
The CRA introduces mandatory cybersecurity requirements for manufacturers, covering the planning, design, development and maintenance of such products. These obligations must be met at every stage of the value chain. The CRA also requires manufacturers to handle vulnerabilities during the lifecycle of their products. Some products of particular relevance for cybersecurity may need to undergo a third-party assessment by a notified body before they are sold on the EU market.
Products will bear the CE marking to indicate that they comply with the CRA requirements and national market surveillance authorities will ensure enforcement of the rules.
The CRA entered into force on 10 December 2024. The main obligations introduced by the Act will apply from 11 December 2027, with reporting obligations to apply as of 11 September 2026.
The Cyber Resilience Act builds on the 2020 EU Cybersecurity Strategy and EU Security Union Strategy. It complements other legislation in this area, specifically the NIS2 Directive.
Find out more about the implementation of the Cyber Resilience Act.
Related Content
Big Picture
The European Union works on various fronts to promote cyber resilience, safeguarding our communication and data and keeping online society and economy secure.
Cyber Resilience Act - Manufacturers
The CRA acknowledges that manufacturers along the entire supply chain are responsible for security...
Cyber Resilience Act - Member States
Member States play an essential role in the implementation of the CRA. In particular, they are...
The Cyber Resilience Act - Summary of the legislative text
The text below summarises the main provisions of Regulation (EU) 2024/2847, in order to support the...
Cyber Resilience Act - Conformity assessment
Most products, such as household appliances, computer games or mobile applications, will be subject...
Cyber Resilience Act - Microenterprises and Small and Medium-sized enterprises (MSMEs)
It is important to provide support to microenterprises and small and medium-sized enterprises (MSMEs...
Cyber Resilience Act - Open source
The Cyber Resilience Act has a special approach to free and open-source software, given its central...
Cyber Resilience Act - Standardisation
Technical standards play an important role in facilitating the CRA implementation.
Cyber Resilience Act - Reporting obligations
As of 11 September 2026, manufacturers are required to report actively exploited vulnerabilities and...
PreviousNext
Last update
3 December 2025