The Cyber Resilience Act (CRA) is an EU regulation (2024/2847) that entered into force on 10 December 2024 and becomes fully applicable from 11 December 2027. It sets baseline cybersecurity requirements for hardware and software products with digital elements placed on the EU market – this covers everything from IoT devices and firmware to cloud‑connected software.
Many connected products on the market today ship with weak default configurations and poor update processes, and these weaknesses have led to significant breaches. The CRA addresses this by requiring secure‑by‑design principles and security management across the product's lifecycle. It also lets consumers and businesses choose products with more confidence, since compliant products carry the CE mark.
The CRA applies to manufacturers, importers and distributors of “products with digital elements” (PDEs), including devices with firmware, remote data processing solutions, and connected software. Exclusions include medical devices, motor vehicles, aviation and marine equipment, which already fall under sector‑specific regulations.
Secure by design and default: Products must be placed on the market without known exploitable vulnerabilities, ship with a secure default configuration, and allow the user to reset them to their original secure state.
Vulnerability handling: Manufacturers must identify and document vulnerabilities and components (including a software bill of materials, SBOM, covering at least the top‑level dependencies), address them without delay, and provide security updates free of charge for the product's support period (at least five years unless the product is expected to be in use for less).
Incident reporting: Actively exploited vulnerabilities and severe incidents affecting a product's security must be reported through the single reporting platform (to the designated CSIRT and ENISA): an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report afterwards (within 14 days for an exploited vulnerability, within one month for an incident). Reporting obligations apply from 11 September 2026; the product cybersecurity requirements apply from 11 December 2027.
Conformity assessments: Products in the default category can use manufacturer self‑assessment. “Important” products in Class I may self‑assess only if they fully apply harmonised standards (or common specifications or an EU certification scheme), otherwise they need a third‑party assessment. Class II and critical PDEs require a third‑party assessment (critical products may also be required to obtain an EU cybersecurity certificate) before CE marking.
Failure to comply with the essential requirements can lead to fines of up to €15 million or 2.5 percent of worldwide annual turnover (whichever is higher), withdrawal of non‑compliant products from the market, and reputational damage.
Map your product portfolio now: Identify which hardware and software products (and the components inside them) fall under the regulation, and which risk category each one belongs to.
Review development processes: Incorporate threat modelling, SBOM generation, and automated security testing into your design and build workflows, and keep the evidence these activities produce for the technical documentation.
Set up incident management: Create a team and workflows that can detect, triage, patch, and report actively exploited vulnerabilities and severe incidents within the 24‑hour and 72‑hour deadlines.
Plan for conformity: Determine which products can be self‑assessed and which require third‑party review. Start gathering the technical documentation ahead of time.
Update supply‑chain procedures: Ensure contracts and vendor agreements oblige suppliers to provide component information (SBOM data), vulnerability notifications, and security updates for as long as the product is supported.
Working with an experienced partner can streamline this transformation. If you want to ensure your products meet the Cyber Resilience Act requirements and remain market-ready across Europe, book a call with us: https://stl.com.mt/book-a-call/