Cyber resilience act
Navigating The Cyber Resilience Act Compliance
Act now to meet EU CRA requirements and make your organization more secure and resilient with simple steps.

highlights
What you can find inside the document

What is the CRA?
The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to establish common cybersecurity standards for products with digital elements, including software and hardware connected to the internet. Its purpose is to ensure that every digital product sold in the EU maintains a consistent and reliable level of cybersecurity throughout its lifecycle. The CRA aims to strengthen the EU’s digital ecosystem by increasing the resilience of each connected device, ultimately protecting the consumers who interact with these devices.
Who needs to comply with the CRA?
The Cyber Resilience Act applies to three main economic operators: manufacturers, importers, and distributors of products with digital elements sold in the EU, regardless of where the company is based.
CRA Product Categories
The CRA identifies products with digital elements as hardware, software, and remote data processing solutions.
- Hardware refers to physical devices connected to the internet or other networks, such as smart home appliances, wearable technology, and industrial IoT devices.
- Software includes standalone applications that can be installed on hardware or operate independently, such as productivity tools or messaging apps.
- Remote data processing solutions cover digital services essential to a product’s operation but performed remotely, including cloud-based services.
Some of these products are classified based on risk evaluation criteria:
What are the requirements of the CRA?
The CRA defines a clear set of cybersecurity requirements that manufacturers and developers must meet before placing a product on the EU market. They fall into three main categories:
- Essential security: Products must be secure by design and allow vulnerabilities to be addressed through updates and patches.
- Vulnerability handling: Manufacturers must respond to discovered vulnerabilities proactively, using a structured and transparent approach.
- Reporting: Manufacturers must report exploited vulnerabilities and cybersecurity incidents to national authorities via ENISA within 24 hours for early warnings and within 72 hours for complete notifications.
What happens if you don’t comply with the CRA?
The penalties are intended to be effective, proportionate, and dissuasive. Violations of essential cybersecurity requirements may result in fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
Other breaches, such as those related to documentation, CE marking, or reporting, can incur fines of up to €10 million or 2% of global turnover.
Member States retain flexibility in how penalties apply, particularly for public bodies or microenterprises. Corrective or restrictive actions, such as product recalls, may also be enforced.
From the blog

Exein raises €100m in new funding to accelerate its global expansion
We’re glad to announce that Exein has raised €100 million in new funding in 2025. This new investment follows July’s Series C funding, and brings our total collection of the year up to €170 million. This new investment is led by Blue Cloud Ventures, with participation from HV Capital, Intrepid Growth Partners, Geodesic, and J.P. Morgan, and will help accelerate our global expansion and answer the increasing demand for protection against cyber attacks.

Exein and Kontron Announce Strategic Partnership to Protect Millions of Devices Worldwide
Exein, the world’s largest embedded runtime security provider, and Kontron, a leading global provider of IoT/Embedded Computing Technology (ECT), today announced a strategic partnership to integrate Exein’s AI-powered cybersecurity technology into Kontron’s advanced solutions. Through this collaboration, Exein’s runtime security technology becomes a standard feature of KontronOS and KontronAIShield, enhancing Kontron’s portfolio with real-time, AI-driven protection against evolving cyber threats.