Business.gov.nl uses cookies to improve the website. These functional and analytical cookies do not contain your personal data. Do you want to watch video content? Third parties may place tracking cookies to track your online behaviour. You can refuse these tracking cookies. How cookies are used on Business.gov.nl.

Logo Business.gov.nl, government information for entrepreneurs.
Home
Amendments

Products must meet mandatory cybersecurity requirements (CRA)

Published by:
Netherlands Enterprise Agency, RVO
1 min read
Nederlandse versie
Effective date of this change in law: 11 December 2027

What changes?

The Cyber Resilience Act (CRA) aims to enhance the security of products with digital elements. The CRA is also known the Cyber Resilience Regulation (Verordening cyberweerbaarheid). Digital products, such as apps, software, and devices with an internet connection must meet various requirements. The most important are:

  • Safe products: As of 2027 all products with a digital component such as apps, video cards, or smart devices must be designed and manufactured securely. This is known as security by design.
  • Obligations for entrepreneurs: Do you make, import, or sell digital products? Then you need to provide security updates and report issues promptly.
  • CE marking: Your product must bear CE marking to indicate that they comply with the requirements the CRA sets. You may often assess yourself whether your product is safe, but in some cases an external party must do so.
  • Reporting obligation in case of problems: Do you discover a security issue? You have to report it to the authorities and inform your customers.

For whom?

  • manufacturers of products with a digital component and software
  • authorised representatives appointed by the manufacturers to carry out obligations on their behalf
  • importers bringing such products to the EU market
  • distributors selling products with a digital component
  • software developers of, for example, apps, games, or operating systems
  • entrepreneurs in the tech sector, such as manufacturers of IoT devices or network equipment

What do you have to do?

To comply with the Cyber Resilience Act you have to:

  • draw up a risk analysis to determine your product’s weaknesses
  • design and manufacture your product safely so that it does not pose any security risks
  • supply security updates for at least 5 years or the product’s lifespan
  • set up a process to respond promptly to security issues
  • affix CE marking if the product complies with the law

When?

The most important obligations from the Cyber Resilience Act will enter into effect on 11 December 2027.

Amendments

This article is related to:

Products, services, and innovations
How would you rate this page?(question 1 of max 3)
We are sorry to hear that. How can we improve?(question 2 of 3)

Related articles

External links

Questions relating to this article?

Please contact the Netherlands Enterprise Agency, RVO

+31 (0)88 042 44 00Contact formAsk other entrepreneurs for advice on Higherlevel.nl
To top