Abstract
The CRA imposes security-by-design obligations on manufacturers of connected devices and software. Products must meet essential cybersecurity requirements, have their vulnerabilities handled throughout their lifecycle, and carry CE marking to signal compliance. Critical products face third-party conformity assessment.
Summary
The Cyber Resilience Act addresses cybersecurity gaps in IoT devices, consumer electronics, and software. Manufacturers must design products with security in mind, document cybersecurity risks, provide security updates for the product lifetime (minimum 5 years), and report actively exploited vulnerabilities to ENISA within 24 hours. Products are categorized by risk, with a conformity-assessment route matching each category: default (self-assessment), Class I (internal control against standards), and Class II critical products (third-party assessment). Open source software has limited exemptions for non-commercial development. Importers and distributors share responsibility for ensuring compliance. The regulation complements NIS2 (organizational security) and DORA (financial sector) by addressing product-level security, creating a comprehensive cybersecurity framework. Non-compliance can result in fines of up to €15 million or 2.5% of global turnover.