The Cyber Resilience Act 🇪🇺

What is the Cyber Resilience Act (EU)? When will it come into effect ? and What do you need to do to comply with the Act ?

These are some of the questions that IoT devices manufacturers, software developers, importers and distributors operating on the European Union market need answers to.

This website aims at answering stakeholders’ concerns and provide them with a clear path towards compliance.

Latest site update: 2024/03/26 (following the release of TA/2024/0130)

The CRA, in a few words

European flag

The Cyber Resilience Act 🇪🇺 is a disruptive legislation which establishes a set of  cybersecurity requirements applicable to manufacturers of products, both hardware and software, with digital components.

Why was the CRA introduced?
As the number of IoT devices continues to soar, it has become crucial to address the issue of low-level cybersecurity and device vulnerability by offering regular updates and continuous support.

European organizations are the most targeted in the world by cyber attacks.

Attacks will cost US$ 10.5 trillion by 2025, a 15% increase in cost every year.

There will be 30.2 billion IoT devices by 2030: +108% from today's 14.5 billion devices.

What are the CRA’s goals?
Firstly, the legislation aims to guarantee higher levels of security for all wired and wireless items that are connected to the internet, as well as software that is available on the European single market, while mandating that manufacturers bear the responsibility for cybersecurity throughout a product’s lifespan.

Additonally, it will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products.

Therefore, by harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply with the regulation.

Find out how much budget to allocate to compliance.

ACHIEVING COMPLIANCE

I am an IoT device manufacturer

IoT device manufacturers are first in line when it comes to compliance. 

The CRA will change the way manufacturers operate.

Our guide covers what you have to do, how much time you have to comply and what the legal ramifications of non-compliance are.

I am a software developer

While free and open-source software, providing that their makers do not derive any profit from their distribution, does not fall under the purview of the Cyber Resilience Act, non-embedded software and software that remote process data from IoT devices need to comply with the Act.

I import / distribute/ resell

IoT device importers, distributors and resellers have many requirements under the CRA and in some circumstances can even be considered as manufacturers themselves.

Our guides detail these stakeholders’ responsibilities and liabilities.

Cyber Security News and Events

Check out the latest events on cyber security and the Cyber Resilience Act.