The European Union's Cyber Resilience Act has been published in the Official Journal of the EU, beginning a 20-day countdown until it officially becomes legally binding on December 20.
Like the GDPR before it, the Cyber Resilience Act is likely to have a global impact. It introduces cybersecurity rules for all hardware and software products connected to the internet, backed by the threat of fines totalling up to €15 million or 2.5% of total worldwide annual turnover.
The European Commission wrote: "The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle."
The Act requires manufacturers to guarantee robust cybersecurity at every stage of a product’s lifecycle, and to obtain a CE mark to show that they comply with EU security standards.
Companies will have to submit an early warning about actively exploited vulnerabilities and cybersecurity incidents within 24 hours, following up with further details, including mitigation measures, within 72 hours.
Vendors will need to comply fully by 2027 and there will be periodic reviews of the Act to ensure its effectiveness.
"This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle," the Act says.
"It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements, for example by improving transparency with regard to the support period for products with digital elements made available on the market."
Announced as part of the 2020 EU Cybersecurity Strategy, the Act complements existing frameworks like NIS2 and excludes certain sectors already governed by specific rules, such as medical devices, aviation, and automotive.
Products will be categorised into different lists based on their importance and the level of cybersecurity risk they pose, with critical products including smartcards, "hardware devices with security boxes", smart meter gateways and "other devices for advanced security purposes, including for secure cryptoprocessing".
The list of high-risk products includes antivirus software, SIEM systems and boot managers. The full rundown can be seen in the screenshot below.
High-risk products will undergo rigorous assessment by a notified body, while lower-risk products may follow a simplified conformity process, typically handled internally by manufacturers.
The Regulation is set to apply from 11 December 2027, although reporting obligations for actively exploited vulnerabilities and severe security incidents will take effect from 11 September 2026 and mandatory notification of conformity assessment bodies will be necessary from 11 June 2026.
Ilkka Turunen, Field CTO at the open-source supply chain security firm Sonatype, said: "It's a GDPR-level change in the way we all will work in the future in software, regardless of geography. The obligations set out will result in standards that will place a lot of requirements ahead."
Matthieu Garin, Partner at the consultancy Wavestone, also wrote: "This marks a groundbreaking step in product security, as the first regulation of its kind worldwide. In simple terms, if you manufacture, import, or resell a product with digital elements, the CRA will impact you - making compliance a must!"