Products must meet mandatory cybersecurity requirements (CRA)
The Cyber Resilience Act (CRA) is an EU Act that aims to enhance the security of products with digital elements. The CRA is also known as the Cyber Resilience Regulation (Verordening cyberweerbaarheid).
The Act applies to software and hardware with digital functions. Components thereof are also covered by the Act. Remote data processing solutions are only covered by the CRA if they are necessary for the functioning of the digital product. Services are not covered by the CRA.
What changes?
Digital products, such as apps, software, and devices with an internet connection must meet various requirements. The most important are:
- Safer products: As of 11 December 2027 all products with a digital component such as apps, video cards, or smart devices must be designed and manufactured securely. This is known as security by design.
- Obligations for entrepreneurs: Do you make, import, or sell digital products? Then you need to provide security updates and report issues promptly.
- CE marking: Your product must bear the CE marking to indicate that it complies with the requirements the CRA sets. You may often assess yourself whether your product is safe, but in some cases an external party must do so.
- Reporting obligation in case of problems: From 11 September 2026 manufacturers must report serious issues with their digital products. Reporting must be done via the digital reporting desk of the National Cyber Security Centre (NCSC).
For whom?
- manufacturers of products with a digital component and software
- authorised representatives appointed by the manufacturers to carry out obligations on their behalf
- importers bringing such products to the EU market
- distributors selling products with a digital component
What do you have to do?
The Cyber Resilience Act sets rules for manufacturers. Importers and distributors must also keep to these rules. They must make sure that products with digital components meet specific requirements, and ensure this remains the case. They must also be able to demonstrate the products meet these requirements. They do so with documentation and reports.
You can find the most important information on the new rules in the Dutch-language Cyber Resilience Act Guide (pdf).
When?
From 11 September 2026 companies must report serious security issues and actively exploited vulnerabilities. The other obligations from the Cyber Resilience Act will enter into effect on 11 December 2027.
Amendments
- European Accessibility Act for products and services. Effective date: 28 June 2025
- Security of smart devices must be improved. Effective date: 1 August 2025
- Right to repair makes product repair more appealing to consumers. Effective date: 31 July 2026