Products must meet mandatory cybersecurity requirements (CRA)
Published by:
Netherlands Enterprise Agency, RVO
Effective date of this change in law: 11 December 2027
What changes?
The Cyber Resilience Act (CRA) aims to enhance the security of products with digital elements. The CRA is also known as the Cyber Resilience Regulation (Verordening cyberweerbaarheid). Digital products, such as apps, software, and devices with an internet connection, must meet various requirements. The most important are:
- Safe products: As of 2027, all products with a digital component, such as apps, video cards, or smart devices, must be designed and manufactured securely. This is known as security by design.
- Obligations for entrepreneurs: Do you make, import, or sell digital products? Then you need to provide security updates and report issues promptly.
- CE marking: Your product must bear CE marking to indicate that it complies with the requirements the CRA sets. You may often assess yourself whether your product is safe, but in some cases an external party must do so.
- Reporting obligation in case of problems: Do you discover a security issue? You have to report it to the authorities and inform your customers.
For whom?
- manufacturers of products with a digital component and software
- authorised representatives appointed by the manufacturers to carry out obligations on their behalf
- importers bringing such products to the EU market
- distributors selling products with a digital component
- software developers of, for example, apps, games, or operating systems
- entrepreneurs in the tech sector, such as manufacturers of IoT devices or network equipment
What do you have to do?
To comply with the Cyber Resilience Act you have to:
- draw up a risk analysis to determine your product’s weaknesses
- design and manufacture your product safely so that it does not pose any security risks
- supply security updates for at least 5 years or the product’s lifespan
- set up a process to respond promptly to security issues
- affix CE marking if the product complies with the law
When?
The most important obligations from the Cyber Resilience Act will enter into effect on 11 December 2027.