
Product-Security

CRA

The Cyber Resilience Act (CRA) addresses cybersecurity gaps in products with digital elements: IoT devices, consumer electronics, and software. Manufacturers must design products securely, document cybersecurity risks, and provide security updates for the expected product lifetime (at least five years, unless the product is expected to be in use for a shorter period). Actively exploited vulnerabilities must be reported via the single reporting platform to the designated national CSIRT and ENISA: an early warning within 24 hours, a vulnerability notification within 72 hours, and a final report within 14 days of a fix being available. Products are categorized by risk: default products (self-assessment), important products in Class I (self-assessment when harmonised standards are applied, otherwise third-party assessment), important products in Class II (third-party assessment), and critical products (which may be required to obtain a European cybersecurity certificate). Free and open source software developed outside a commercial activity is exempt, with a lighter regime for open source software stewards. Importers and distributors share responsibility for ensuring compliance. The regulation complements NIS2 (organizational security) and DORA (financial sector) by addressing product-level security, creating a comprehensive cybersecurity framework. Non-compliance with the essential requirements can result in fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. The CRA entered into force on 10 December 2024; the reporting obligations apply from 11 September 2026 and the remaining obligations from 11 December 2027.