EU's Cyber Resilience Act Enforces Strict Cybersecurity Standards for Digital Products
December 10, 2024
The CRA shifts the responsibility of cybersecurity onto manufacturers, requiring them to ensure compliance to access the EU market.
The European Union's Cyber Resilience Act (CRA), which sets minimum cybersecurity standards for products with digital elements, officially came into effect on December 10, 2024.
This legislation aims to enhance the security of connected devices, including smartwatches, internet-connected toys, and app-controlled home appliances, in response to growing concerns about cybersecurity.
Entities affected by the CRA include manufacturers, importers, and distributors of products with digital elements, each with specific roles and responsibilities.
Manufacturers are required to adopt a 'Security by Design' approach, ensuring the cybersecurity of their products throughout their lifecycle.
The CRA imposes mandatory cybersecurity requirements that cover the entire lifecycle of products, from design and development to operation.
Under the CRA, product makers must provide ongoing security support, including software updates to address vulnerabilities.
Manufacturers have until December 11, 2027, to comply with the new requirements, which include providing security updates for at least five years.
Penalties for non-compliance can be severe, reaching up to EUR 15 million or 2.5% of global turnover for essential breaches.
The enforcement of the CRA will be overseen by the European Union Agency for Cybersecurity (ENISA), with each Member State designating a market surveillance authority.
Concerns over security vulnerabilities in connected devices have been heightened by incidents involving hacked baby monitors and toys, emphasizing the need for improved consumer safety.
The CRA is part of a broader EU legislative framework addressing various aspects of cybersecurity and data protection, including the NIS2 directive and the AI Act.
Summary based on 4 sources
Sources

TechCrunch • Dec 10, 2024
EU cybersecurity rules for smart devices enter into force | TechCrunch
NewsBytes • Dec 10, 2024
EU's cybersecurity rules for smart devices now in effect