Skip to main content
Cyber Resilience Act

Status: In draft

  • Commission’s proposal published 15 September 2022, Parliament’s position published 26 July 2023, Council’s position published 31 August 2023
  • Final Commission, Council and Parliament reached a political agreement on the final text on 30 November 2023, Technical discussions have concluded with a final compromise text on 20 December 2023
  • Final text adopted by Parliament on 12 March 2024, formal endorsement expected by Council in spring/summer 2024. Entry into force 20 days after publication in the Official Journal of the EU (likely Q2 2024)
  • Application 36 months later after entry into force (likely Q2 2027) resp. 21 months later (likely Q1 2026) for the reporting obligations of manufacturers for incidents and vulnerabilities, resp. 18 months later for the establishment of national conformity assessments bodies


Horizontal regulation that covers all wired and wireless products connected to the internet and software.


  • Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software​ placed on the EU market

Key elements

  • Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
  • Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking​


  • Definition of hardware and software products that fall under the CRA is still being discussed
  • Overlap with other Acts of the EU Digital Strategy