Cyber Resilience Act: everything you need to understand to comply in 2027
Adopted by the European Parliament on 12 March 2024 and published as Regulation (EU) 2024/2847, the Cyber Resilience Act (CRA) is one of the pillars of the European Union's strategy for combating cyber threats. It redefines the legal framework for the security of digital products in Europe, in order to protect markets, individuals and businesses.
The regulation entered into force on 10 December 2024 and its obligations apply in full from 11 December 2027. However, some provisions apply earlier, from June and September 2026. To comply on time, it is essential to start a compliance process based on a thorough understanding of this new regulation.
Definition, key provisions, actors and products concerned, timetable, sanctions: follow our comprehensive guide to fine-tune your action plan.
What is the Cyber Resilience Act?
Definition and objectives
The Cyber Resilience Act is a European regulation whose objective is to establish a harmonised cybersecurity framework for products with digital elements (PDE): computer hardware, software and IoT (Internet of Things) connected devices placed on the European Union (EU) market, together with the remote data processing solutions they depend on.
Its objective is twofold: on the one hand, to improve the security of products by design in order to reduce exploitable flaws; on the other hand, to give businesses and individuals reliable and transparent information so that they can choose more secure products.
This legislation responds to the cross-border nature of cybersecurity risks highlighted in the impact assessment carried out by the European Commission. By laying down rules common to all Member States, it secures the PDE supply chain across Europe and strengthens the EU's cyber resilience without each country having to legislate separately.
Last but not least, this text responds to the major economic cost of cyberattacks in Europe.
Innovative legislation
To improve the cybersecurity of PDE placed on the market, the Cyber Resilience Act introduces a list of essential requirements that products with digital elements made available in the EU must meet, wherever they were manufactured. To do this, the regulation adopts a global approach aimed at all market players: manufacturers, importers and distributors.
It also complements the NIS 2 directive (Network and Information Security), which Member States had to transpose into national law by 17 October 2024. The two texts are designed to work together to secure the entire supply chain: NIS 2 regulates the security posture of essential and important entities, while the CRA regulates the products they buy and deploy.
The Cyber Resilience Act also pushes user protection further than the NIS 2 directive. Rather than stopping at the secure design of the products sold, it involves the user by giving them access to detailed information, allowing them to make an informed choice.
The framework for implementing the Cyber Resilience Act
The actors concerned
The CRA is mainly aimed at manufacturers of PDE, whether hardware, embedded software or standalone programs, made available on the EU market. But it doesn't stop there: importers and distributors of these products are also subject to obligations, covering verification of compliance, user information and monitoring of products in circulation.
So any company that manufactures, imports or distributes products with digital elements in the EU must comply with this regulation, regardless of its size.
Regulated products and services
The scope of the CRA is broad: a PDE is any software or hardware product, including components placed on the market separately, whose intended use involves a direct or indirect logical or physical data connection to a device or to a network.
These include connected objects intended for the general public, embedded components, microcontrollers, routers, computer programs, mobile applications and the remote data processing solutions that such products depend on.
Some products are explicitly excluded from the scope because they are already covered by sector-specific EU legislation with its own cybersecurity requirements: medical devices and in vitro diagnostic devices (Regulations (EU) 2017/745 and 2017/746), motor vehicles (Regulation (EU) 2019/2144), civil aviation products (Regulation (EU) 2018/1139, under which rules such as Part-IS apply) and marine equipment. Industry schemes such as TISAX®, the information security assessment label used by the automotive sector, are not the legal basis for these exclusions and do not replace the CRA where it applies.
The categories of PDE
The CRA does not treat all PDE in the same way. Some products, because they are widely deployed or perform security-sensitive functions, present a higher risk if a vulnerability is exploited. Their manufacturers are therefore subject to stricter requirements.
The regulation thus distinguishes several categories:
- Standard (default) PDE, including simple connected devices intended for the general public; the manufacturer may self-assess conformity.
- Important PDE (Annex III, split into class I and class II), whose core functionality means that the exploitation of a vulnerability could have serious repercussions on many other devices or harm the health or safety of users; examples include password managers and routers (class I) and firewalls and hypervisors (class II).
- Critical PDE (Annex IV), which have a function that, if compromised, could cause significant risk to a large number of other products or systems, such as hardware security modules and smart meter gateways.
- Free and open-source software, which is subject to specific treatment taking into account its role and distribution: non-commercial supply is outside the scope, and "open-source software stewards" have a reduced set of obligations.
The more critical the PDE, the stricter the requirements and the conformity assessment route: from manufacturer self-assessment for standard products, to third-party assessment for class II important products, and potentially certification under a European cybersecurity certification scheme for critical products. This graduated approach adapts the law to the technical and economic realities of the market while guaranteeing the EU's cyber resilience.
Key requirements of the Cyber Resilience Act
Product security
The CRA requires that PDE be designed, developed and produced in such a way as to ensure a level of cybersecurity appropriate to the risks. Manufacturers must ensure that no known exploitable vulnerabilities are present when the product is placed on the market.
PDE must also:
- Be secure by default, shipping with a secure factory configuration rather than relying on the user to harden it.
- Support security updates, including automatic updates where appropriate, for the whole support period.
- Have a reduced attack surface, exposing only the interfaces and services needed.
- Implement protection mechanisms such as authentication and access control against unauthorised access, encryption to protect the confidentiality and integrity of data, and measures limiting the impact of denial-of-service attacks.
Manufacturers placing products on the EU market, European or not, must therefore revisit their software and hardware development processes to meet these criteria.
The documentation
The regulation requires the manufacturer to draw up and maintain appropriate technical documentation: product description, architecture, hardware and software components, dependencies, cybersecurity risk assessment, vulnerability history, the requirements tested and the test reports, and so on.
The Software Bill of Materials (SBOM) is added as a requirement for the traceability of components. It is a structured, machine-readable inventory of the software components, libraries, dependencies and frameworks that make up a digital product; the CRA requires it in a commonly used, machine-readable format covering at least the product's top-level dependencies. It forms part of the technical documentation and must be provided by the manufacturer at the request of a market surveillance authority.
These documents should enable authorities and users, whether individuals or businesses, to verify compliance with the legislation, to quickly identify the products affected by a vulnerability and to ensure post-market follow-up.
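As an added illustration, not part of the original article and not Egerie product code: the following Python script builds a minimal SBOM in the CycloneDX JSON format for a hypothetical firmware product with constructed dependency data, then checks the document against the minimum a manufacturer would want before handing it to a market surveillance authority: a machine-readable format, a root component for the product itself, every component named and versioned with a purl or hash so it can be matched to advisories, and a dependency graph in which the root declares its top-level dependencies and every reference resolves. The product name, supplier and dependencies are invented for the example.

```python
"""Build a minimal CycloneDX 1.5 SBOM and check it against the CRA minimum
(machine-readable, at least the top-level dependencies, each identifiable)."""
import json
from datetime import datetime, timezone

# Constructed sample input: a hypothetical product and its direct dependencies.
PRODUCT = {"name": "smartplug-firmware", "version": "2.4.1", "supplier": "Example Devices Ltd"}
DIRECT_DEPENDENCIES = [
    {"name": "mbedtls", "version": "3.6.0", "purl": "pkg:generic/mbedtls@3.6.0"},
    {"name": "lwip", "version": "2.2.0", "purl": "pkg:generic/lwip@2.2.0"},
    {"name": "cjson", "version": "1.7.18", "purl": "pkg:github/DaveGamble/cJSON@v1.7.18"},
]


def bom_ref(component):
    """Stable identifier that links the components list to the dependency graph."""
    return f"{component['name']}@{component['version']}"


def build_sbom(product, direct_dependencies, generated_at=None):
    """Return a CycloneDX 1.5 document (as a dict) with the product as the root
    component, its top-level dependencies as components, and the dependency
    graph tying them to the root."""
    generated_at = generated_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    root = {
        "type": "firmware",
        "bom-ref": bom_ref(product),
        "name": product["name"],
        "version": product["version"],
        "supplier": {"name": product["supplier"]},
    }
    components = [{"type": "library", "bom-ref": bom_ref(d), **d} for d in direct_dependencies]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"timestamp": generated_at, "component": root},
        "components": components,
        "dependencies": [
            {"ref": root["bom-ref"], "dependsOn": [c["bom-ref"] for c in components]},
            *({"ref": c["bom-ref"], "dependsOn": []} for c in components),
        ],
    }


def check_sbom(sbom):
    """Return a list of findings; an empty list means the document passes the
    minimum checks described in the lead-in (format, root component, identifiable
    components, resolvable dependency graph with top-level dependencies)."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        findings.append("not a CycloneDX document")
    root = sbom.get("metadata", {}).get("component")
    if not root:
        findings.append("missing metadata.component (the product itself)")
    components = sbom.get("components", [])
    refs = {c.get("bom-ref") for c in components}
    if root:
        refs.add(root.get("bom-ref"))
    for c in components:
        label = c.get("bom-ref") or c.get("name") or "<unnamed>"
        for field in ("bom-ref", "name", "version"):
            if not c.get(field):
                findings.append(f"component {label}: missing {field}")
        # Without a purl or a hash the entry cannot be matched to vulnerability data.
        if not (c.get("purl") or c.get("hashes")):
            findings.append(f"component {label}: no purl or hash, cannot be matched to advisories")
    graph = {d.get("ref"): d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    if root and not graph.get(root.get("bom-ref")):
        findings.append("root component declares no top-level dependencies")
    for ref, children in graph.items():
        if ref not in refs:
            findings.append(f"dependency entry {ref} refers to an unknown component")
        for child in children:
            if child not in refs:
                findings.append(f"{ref} depends on unknown component {child}")
    return findings


def sbom_json(sbom):
    """Serialise for the file that would accompany the technical documentation."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    doc = build_sbom(PRODUCT, DIRECT_DEPENDENCIES)
    print(sbom_json(doc))
    print("findings:", check_sbom(doc))
```

In practice the component list would come from the build system or a scanner rather than a hand-written list, and the checks above would run in CI so that a release cannot ship with an SBOM that a market surveillance authority could not use to trace an affected component.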
Vulnerability Management
The CRA also requires the implementation of a vulnerability handling process covering the identification, documentation and remediation of vulnerabilities, the notification of users and the publication of information on the fixed flaws.
The manufacturer must provide security updates free of charge for a support period that reflects the expected lifetime of the product (at least five years unless the product is expected to be in use for less), adopt a coordinated vulnerability disclosure policy with a contact point for reporting, and inform users of existing threats and of the corrective actions taken.
This aspect of the regulation is crucial: it marks the transition from ad hoc security fixes to continuous risk supervision throughout the life of the product.
Post-market surveillance
Once the product is on the market, the manufacturer must monitor vulnerabilities, incidents and real-world usage in order to identify new threats. The regulation imposes notification obligations to ENISA and the competent national CSIRT, via a single reporting platform, for any actively exploited vulnerability in the product and for any severe incident affecting its security: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report (within 14 days for a vulnerability once a fix is available, within one month for an incident). For PDE, the CE marking (European Conformity) therefore commits the manufacturer to this long-term monitoring, not just to the state of the product at launch.
These new rules require mechanisms for collecting feedback from the field and for managing the supply chain, in order to ensure that products remain in compliance with the Cyber Resilience Act throughout their support period.
The Cyber Resilience Act implementation schedule
The chronology of entry into force of the CRA is as follows:
- The regulation entered into force on 10 December 2024.
- The provisions on conformity assessment bodies (their notification and the rules applying to them) apply from 11 June 2026.
- The manufacturers' reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026.
- The core obligations, including the ban on placing non-compliant products on the market and the CE marking related to cybersecurity, apply from 11 December 2027.
After the framework is in place, the Commission will evaluate the regulation and report to Parliament and the Council on its implementation.
These provisions can weigh heavily on small businesses. Support measures are planned to raise awareness and train staff in the new requirements, and to support small companies in the testing and conformity assessment procedures.
It is therefore essential for organisations to anticipate the application of the regulation now: map the PDE in the portfolio, run a compliance gap audit and define a CRA strategy.
The Egerie GRC platform helps your business manage its compliance by centralising your process in a single, data-driven repository, updated in real time.
Penalties in case of non-compliance
The CRA provides for strong consequences in the event of non-compliance. First, the companies concerned risk market bans: a non-compliant PDE cannot bear the CE marking, which will prohibit its sale in the EU from the date of application of the regulation, and market surveillance authorities can order the withdrawal or recall of products already in circulation.
Significant administrative fines are also planned, reaching up to EUR 15 million or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the essential requirements; lower tiers apply to other obligations and to supplying incorrect information to authorities.
Beyond the legal aspect, there is a reputational risk, as well as potential loss of market share or disputes following security incidents. For the various actors, compliance with the CRA will therefore become a condition of access to the European market from 2027.
Cyber Resilience Act FAQ
What is the application date of the CRA?
From 11 December 2027, products with digital elements will have to comply with the CRA to be marketed in the EU. Before that, some obligations apply earlier: the provisions on conformity assessment bodies from 11 June 2026, and the manufacturers' obligation to report actively exploited vulnerabilities and severe incidents from 11 September 2026.
This transition period of almost three years allows the various digital players to prepare, adjust their security management processes, build the required documentation and choose the appropriate conformity assessment route.
What products are covered by the CRA?
The regulation concerns all products with digital elements, i.e. hardware or software with a direct or indirect data connection to a device or network, placed on the EU market. This includes connected objects, embedded components, applications, operating systems and the associated remote data processing solutions.
Some products are excluded, such as medical, aeronautical, automotive and marine equipment already covered by sector-specific EU rules, and products developed exclusively for national security or defence purposes.
Who is responsible for compliance?
Central responsibility lies with the manufacturer of the digital product, which must ensure that the PDE is designed, developed, produced and marketed in a compliant manner. Importers have the obligation to verify that the manufacturer has met these requirements before placing the product on the market. Distributors must ensure that the products they offer bear the CE marking, are accompanied by the required documentation, and that the manufacturer and importer have fulfilled their obligations.
How can Egerie support you in your compliance process?
The Egerie platform is designed to help businesses structure regulatory compliance, automate the monitoring of requirements, document evidence, manage risks and generate cyber governance dashboards.
- It centralises your data to provide a single source of truth.
- After estimating your risk level, it makes it easy to create automated assessment and reporting workflows.
- By tracking the remediation actions to be applied, it gives you an overview of the progress of your approach.
- It quantifies cyber risk in financial terms, to support informed decisions on priorities.
In short, it provides centralised operational management support for steering your cyber strategy with data. Request a demo to discover our all-in-one platform!