Skip to main content
Cyber Resilience Act

Status: In draft

  • Commission’s proposal published 15 September 2022
  • Currently undergoing the legislative process with reviews by Council and Parliament both proposing various and differing amendments
  • Adoption expected for Q1 2024
  • Application expected for Q1 2026


Horizontal regulation that covers all wired and wireless products connected to the internet and software.


  • Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software​ placed on the EU market

Key elements

  • Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
  • Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking​


  • Definition of hardware and software products that fall under the CRA is still being discussed
  • Overlap with other Acts of the EU Digital Strategy