UPDATE — SEPTEMBER 2025:
Since the EU Cyber Resilience Act (CRA) was published in the Official Journal on November 20, 2024, as Regulation (EU) 2024/2847, the legislation has formally entered into force and is now moving into its phased implementation period. The CRA became legally binding on January 9, 2025. It sets a two-year compliance countdown for manufacturers and operators of digital products across the EU.
Several key milestones have followed. In mid-2025, the European Commission initiated the process of drafting delegated and implementing acts to clarify technical details. These include requirements for Software Bills of Materials (SBOMs), standardized vulnerability reporting templates, and conformity assessment procedures for critical products. Public consultations held during the summer invited feedback from manufacturers, cybersecurity experts, and standards bodies. In parallel, CEN, CENELEC, and ETSI began work on harmonized standards to support CRA compliance, ensuring alignment with existing ISO/IEC security frameworks.
The European Union Agency for Cybersecurity (ENISA) has played an active role, issuing sector-specific implementation notes for industries like IoT, healthcare devices, and smart home technologies. ENISA also circulated draft guidelines on coordinated vulnerability disclosure and reporting obligations, with final versions expected later in 2025.
On the industry side, several member states—including Germany and the Netherlands—have piloted early conformity assessment programs for high-risk products such as firewalls and network equipment. These pilots are testing how third-party evaluations will function in practice once mandatory obligations begin. Meanwhile, the Commission has reassured SMEs and open-source developers by confirming lighter compliance requirements: non-commercial open-source projects remain outside direct scope, while SMEs will receive tailored guidance designed to minimize administrative burdens.
Looking ahead, the CRA’s vulnerability reporting rules will take effect in January 2026, requiring manufacturers to disclose exploited vulnerabilities and severe incidents to authorities, including ENISA.
ORIGINAL NEWS POST:
EU Cyber Resilience Act Published, Launching Countdown for Cybersecurity Regulations
The European Union has officially published the Cyber Resilience Act (CRA), marking a major shift in how cybersecurity will be regulated across the bloc. Released on November 20, 2024, in the Official Journal, the law—Regulation (EU) 2024/2847—creates unified cybersecurity requirements for digital products. Its publication begins a two-year countdown for companies and member states to meet the new obligations.
Why the CRA Matters
As connected devices multiply, cybersecurity threats have grown at an alarming pace. The CRA aims to address this reality by establishing clear, mandatory rules for the security of products that include digital elements. It is designed to reduce widespread vulnerabilities and ensure that products receive consistent security updates throughout their lifecycle. The Act also seeks to give consumers more transparency, especially by requiring manufacturers to disclose how long their products will receive support.
What the CRA Covers
The Act applies to a wide range of digital products. It includes software, smart home devices, connected toys, wearable technologies, and many other tools used in daily life. Instead of a patchwork of national rules, the CRA introduces a single framework. As a result, companies operating across EU borders will face fewer conflicting requirements and more clarity about their responsibilities.
Security Obligations for Manufacturers
Under the CRA, manufacturers must build cybersecurity into the earliest stages of product design. They also must maintain security throughout the product’s lifecycle with regular updates and strong vulnerability management. Because critical products such as firewalls pose greater risks, the Act requires these items to undergo stricter third-party conformity assessments before being placed on the market.
Support for SMEs and Open-Source Developers
To ensure proportionality, the CRA includes accommodations for smaller organizations. SMEs will receive tailored guidance that reduces administrative burdens. Open-source tools intended for non-commercial use remain outside the scope of the Act. However, developers of commercial open-source software must still meet lighter compliance requirements to ensure basic security.
Strengthening Supply Chain Security
The Act also requires companies to assess third-party components included in their products. Manufacturers must track vulnerabilities and apply security updates quickly. These due-diligence requirements aim to reduce risks that often enter products through external libraries or integrated software.
Reporting Requirements and SBOMs
The CRA introduces stronger reporting rules to improve awareness of active cyber threats. Manufacturers must report exploited vulnerabilities and serious security incidents to designated authorities, including ENISA. The Act also requires companies to provide a Software Bill of Materials (SBOM), which will support better supply chain visibility. Although SBOMs will be shared with authorities, they will not be public to avoid exposing sensitive information.
Preparing for a New Cybersecurity Era
With the CRA now in force, manufacturers, regulators, and consumers must prepare for significant changes. The two-year transition period gives companies time to adjust, but the scope of the Act means work must begin quickly. As the EU moves toward a harmonized cybersecurity framework, the CRA represents one of the most far-reaching digital security laws in the world.
Need Help?
If you have questions or concerns about any global guidelines, regulations, and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight and ensure you’re informed and compliant.