
INFORMATION TECHNOLOGY

The Cyber Resilience Act (CRA) of the European Union is in force.


On December 10, 2024, the Cyber Resilience Act (Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements) entered into force. It introduces mandatory cybersecurity requirements for hardware and software products with digital elements, i.e. products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network.

The Regulation will apply from December 11, 2027, with two exceptions: the manufacturers' reporting obligations (Article 14) apply from September 11, 2026, and the provisions on the notification of conformity assessment bodies (Chapter IV) apply from June 11, 2026.

The Regulation stipulates that products with digital elements may be placed on the market only if they meet the essential requirements set out in Annex I, which fall into two groups:

- security requirements relating to the properties of the products themselves, including that the product be designed, developed and produced so as to ensure an appropriate level of cybersecurity based on the risks, and be delivered with a secure-by-default configuration and without known exploitable vulnerabilities; and
- vulnerability handling requirements, such as identifying and documenting vulnerabilities and components contained in the product (including a software bill of materials), applying effective and regular security testing, delivering security updates promptly and free of charge, and adopting policies and measures that facilitate the sharing of information about vulnerabilities.

In addition, the CRA identifies, in Article 7 (important products with digital elements) and Article 8 (critical products with digital elements), the categories of products that are subject to stricter conformity assessment procedures, which for important products generally means involving a third-party conformity assessment body rather than relying on the manufacturer's self-assessment alone. The Regulation also contains specific coordination and harmonization provisions with Regulation (EU) 2024/1689 on artificial intelligence (the AI Act): under Article 12, products with digital elements that are also high-risk AI systems and that comply with the CRA's essential requirements are deemed to comply with the cybersecurity requirements of the AI Act.

The Regulation sets out the obligations of manufacturers (Article 13), which include:

- ensuring that their products comply with the essential requirements when placed on the market, in particular by carrying out the applicable conformity assessment procedure and drawing up the EU declaration of conformity;
- conducting a cybersecurity risk assessment for the product and including it in the technical documentation, and keeping it updated during the support period;
- exercising due diligence when integrating components sourced from third parties, including free and open-source components, so that those components do not compromise the cybersecurity of the product;
- putting in place appropriate policies and procedures, including a coordinated vulnerability disclosure policy, to handle and remediate vulnerabilities reported by internal or external sources;
- ensuring that products remain in conformity throughout the support period, which must be at least five years unless the product is expected to be in use for a shorter time, and taking corrective measures, up to withdrawal or recall, where a product is found not to be in conformity; and
- providing users with the information and instructions set out in Annex II, including the end date of the support period and where to report vulnerabilities.

Under Article 14, a manufacturer that becomes aware of an actively exploited vulnerability in its product must submit an early warning notification to the CSIRT designated as coordinator and to the European Union Agency for Cybersecurity (ENISA) without undue delay and in any event within 24 hours, followed by a vulnerability notification within 72 hours (containing general information about the product, the nature of the exploitation and any corrective or mitigating measures taken or available to users) and a final report within 14 days of a corrective or mitigating measure becoming available. The same scheme applies to severe incidents having an impact on the security of the product: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of the incident notification. The CRA also allows manufacturers to notify, on a voluntary basis, other vulnerabilities, cyber threats and near misses that could affect the risk profile of a product. ENISA is mandated to establish and maintain a single reporting platform through which these notifications are submitted.

With regard to users, after becoming aware of an actively exploited vulnerability or a severe incident the manufacturer must, without undue delay, inform the impacted users (and, where appropriate, all users) about that vulnerability or incident and, where necessary, about any risk mitigation and corrective measures that users can deploy to mitigate its impact.

Non-compliance with the essential requirements of Annex I or with the manufacturer obligations of Articles 13 and 14 is subject to administrative fines of up to 15 million euros or, in the case of an undertaking, up to 2.5 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher; lower maximum fines apply to other breaches of the Regulation.
