EU Cyber Resilience Act Mandates New Cybersecurity Standards for Digital Products

Severity: Low (Score: 24.9)

Sources: eur-lex.europa.eu, digital-strategy.ec.europa.eu, Honeywell

Summary

The European Union has enacted the Cyber Resilience Act (CRA), which introduces mandatory cybersecurity requirements for all digital products sold in the EU market. The regulation, effective from December 11, 2027, requires manufacturers to ensure that products are designed, developed, and maintained with cybersecurity in mind. This includes conducting risk assessments, maintaining software bills of materials (SBOMs), and providing free patches for vulnerabilities during a defined support period. The CRA applies globally to any manufacturer wishing to sell products in the EU, regardless of their location. Compliance obligations will be phased in, with full requirements affecting products modified after the enforcement date. The European Commission is collaborating with industry stakeholders and ENISA to facilitate the CRA's implementation. Reporting obligations and conformity assessments are also part of the new regulatory framework.

Key Points:

• The Cyber Resilience Act mandates cybersecurity requirements for all digital products in the EU.
• Manufacturers must conduct risk assessments and maintain SBOMs for compliance.
• Full enforcement of the CRA begins on December 11, 2027, affecting global manufacturers.
