EU Cyber Resilience Act Published, Launching Countdown for Cybersecurity Regulations

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 11/21/2024
In News

UPDATE — SEPTEMBER 2025: Since the EU Cyber Resilience Act (CRA) was published in the Official Journal on November 20, 2024, as Regulation (EU) 2024/2847, the legislation has formally entered into force and is now moving into its phased implementation period. The CRA became legally binding on January 9, 2025, setting a two-year compliance countdown for manufacturers and operators of digital products across the EU.

Several key milestones have followed. In mid-2025, the European Commission initiated the process of drafting delegated and implementing acts to clarify technical details, such as requirements for Software Bills of Materials (SBOMs), standardized vulnerability reporting templates, and conformity assessment procedures for critical products. Public consultations held during the summer invited feedback from manufacturers, cybersecurity experts, and standards bodies. Parallel to this, CEN, CENELEC, and ETSI began work on harmonized standards to support CRA compliance, ensuring alignment with existing ISO/IEC security frameworks.

The European Union Agency for Cybersecurity (ENISA) has played an active role, issuing sector-specific implementation notes for industries like IoT, healthcare devices, and smart home technologies. ENISA also circulated draft guidelines on coordinated vulnerability disclosure and reporting obligations, with final versions expected later in 2025. These documents aim to help companies adapt their lifecycle security practices, integrate patch management, and establish secure vulnerability reporting channels well before the CRA deadlines.

On the industry side, several member states—including Germany and the Netherlands—have piloted early conformity assessment programs for high-risk products such as firewalls and network equipment. These pilots are testing how third-party evaluations will function in practice once mandatory obligations begin. Meanwhile, the Commission has reassured SMEs and open-source developers by confirming lighter compliance requirements: non-commercial open-source projects remain outside direct scope, while SMEs will receive tailored guidance designed to minimize administrative burdens.

Looking ahead, the CRA’s vulnerability reporting rules will take effect in January 2026, requiring manufacturers to disclose exploited vulnerabilities and severe incidents to authorities, including ENISA. The broader obligations on secure-by-design product development, patching, and conformity assessments will apply from January 2027. With less than 16 months until the first compliance deadline, companies across the EU are now under pressure to establish reporting systems, strengthen their supply chain due diligence, and prepare for the shift to a harmonized cybersecurity framework.

ORIGINAL NEWS POST:

The EU Cyber Resilience Act (CRA), officially published on November 20, 2024, in the Official Journal of the European Union, sets the stage for a harmonized cybersecurity framework across the EU. The legislation, designated as Regulation (EU) 2024/2847, outlines comprehensive cybersecurity requirements for digital products and initiates a two-year countdown for member states and businesses to comply.

With the exponential growth of connected devices, cybersecurity threats have become a pressing concern for individuals, businesses, and governments. The CRA aims to address these challenges by introducing mandatory cybersecurity standards for products with digital elements, ensuring their security throughout their lifecycle. The Act targets two primary issues: widespread vulnerabilities in digital products and the lack of consistent security updates.

The CRA also seeks to empower consumers and organizations by improving transparency. Manufacturers will now be required to disclose product support periods, enabling better-informed purchasing decisions.

The Act establishes horizontal requirements for a wide array of digital products, covering everything from software to smart home devices, wearable health technology, and connected toys. It provides a unified framework to replace the fragmented regulatory landscape currently in place, reducing legal uncertainty and compliance burdens for businesses operating across borders.

The CRA mandates that manufacturers integrate cybersecurity into the design and development phases of their products. Additionally, manufacturers must ensure products remain secure through regular updates and robust vulnerability management practices.

Critical and important products, such as firewalls and intrusion prevention systems, are subject to stricter conformity assessment procedures due to their potential impact on security. These assessments will involve third-party evaluations to ensure compliance with the CRA’s stringent standards.

To ensure proportionality, the Act considers the unique challenges faced by small and medium-sized enterprises (SMEs) and developers of open-source software. SMEs will benefit from tailored guidance to navigate compliance, while open-source projects intended for commercial use are provided with a light-touch regulatory framework.

The CRA emphasizes the importance of due diligence, requiring manufacturers to verify the cybersecurity of third-party components integrated into their products. This includes tracking vulnerabilities and ensuring that security updates are promptly implemented.

To enhance threat response capabilities, the CRA introduces requirements for coordinated vulnerability disclosure. Manufacturers must report exploited vulnerabilities and severe incidents to designated authorities, including the European Union Agency for Cybersecurity (ENISA). These measures aim to strengthen cybersecurity situational awareness across the EU.

In a move to improve transparency, manufacturers will be required to provide Software Bills of Materials (SBOMs), enabling better supply chain security. However, SBOMs will not be made publicly available, to protect sensitive information.

As the clock starts ticking on the implementation period, stakeholders across the EU—including manufacturers, regulators, and consumers—must prepare for a new era of digital security.

Need Help?

If you have questions or concerns about any global guidelines, regulations, and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.
