The Cyber Resilience Act (CRA) is now official. All key deadlines, requirements and action areas for companies at a glance.
What does the CRA mean for companies?
The CRA’s requirements affect manufacturers, importers and distributors of products with digital elements. The term covers a wide range of devices and applications such as IoT devices, automation components, machinery and software. Products placed on the market before 11 December 2027 may also be affected if significant changes are made later.
Requirements at a glance
Manufacturers must ensure that their products assess and control cyber risks, implement effective vulnerability management and actively report vulnerabilities. Supply chain security also plays a central role. Importers and distributors are subject to tiered obligations to ensure the security standard across the entire value chain.
Further information and details can be found in our article: Cyber Resilience Act
Key deadlines
- 20 November 2024: Publication of the CRA in the Official Journal of the EU
- 10 December 2024: Entry into force of the CRA
- 11 June 2026: Requirements for conformity assessment bodies
- 11 September 2026: Reporting obligations for manufacturers
- 11 December 2027: Full applicability
Action required for companies
Companies should prepare early for the new requirements to minimise risks and ensure compliance. The CRA presents not only a regulatory challenge but also an opportunity to sustainably strengthen their own cybersecurity.
