UPDATE — SEPTEMBER 2025: The Cyber Resilience Act (CRA) was formally adopted in 2024 and entered into force in January 2025. Lawmakers also extended the transition period to 36 months, so most product obligations begin in 2027, while vulnerability-disclosure and incident-reporting requirements start in 2026. The final text clarified the law’s scope: non-commercial open-source software remains exempt, while commercial OSS, along with all consumer and business IoT and software products, must comply. The CRA introduces risk classes for “critical” products that face tighter controls, and it directs vulnerability and incident reports through national CSIRTs to ENISA.
Member states are now preparing market-surveillance systems to enforce CRA conformity. European standards bodies are developing harmonized technical standards to support CE-style certification. Manufacturers, importers, and distributors selling in the EU should already be implementing secure-by-design practices, update and patch policies, software bills of materials (SBOMs), and third-party risk controls to ensure readiness for 2026–2027 enforcement.
ORIGINAL NEWS POST:
EU Approves Cyber Resilience Act, Setting New Cybersecurity Standards for Digital Products
The Council of the European Union recently approved the Cyber Resilience Act (CRA), a landmark regulation that establishes binding cybersecurity standards for digital products across the EU. Covering hardware, software, and Internet of Things (IoT) devices, the CRA requires companies to ensure product security from the design phase through the entire lifecycle.
Raising the Bar for Digital Security
Under the CRA, all digital products—ranging from smart devices and software applications to connected consumer electronics—must meet strict cybersecurity standards before entering the EU market. Manufacturers are responsible for keeping products secure through regular security updates and timely vulnerability reporting. The Act’s intent is clear: cybersecurity must be integrated into every stage of product development. Rather than treating security as a patchwork fix, the CRA pushes companies to make protection a core design principle.
Balancing Innovation and Accountability
To help industry adjust, lawmakers included a transition period to allow businesses time to update systems and documentation. The Act also exempts non-commercial open-source software, recognizing its community-driven nature, while commercial open-source projects remain covered by the law’s obligations. This balance ensures innovation continues without compromising user protection. Companies that fail to comply face penalties of up to 2.5% of global annual turnover, a move meant to ensure cybersecurity becomes a non-negotiable business priority.
Strengthening Europe’s Digital Defenses
The CRA complements existing EU laws like the General Data Protection Regulation (GDPR), expanding the focus from personal data protection to the security of all digital products. As connected devices multiply across Europe, the CRA helps safeguard consumers, businesses, and critical infrastructure from cyberattacks. The Netherlands played a key role in advancing the Act, emphasizing that strong cybersecurity standards can go hand in hand with innovation. As Europe faces an increasingly complex threat landscape, the CRA ensures that every product sold in the EU meets the same high standard of digital trust.
Need Help?
If you have questions about any global guidelines, regulations, or laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.