CRA compliance

The first EU-wide legislation of its kind: the Cyber Resilience Act introduces mandatory cybersecurity requirements for products with digital elements (hardware and software) throughout their whole lifecycle, from design to end of support.

Vulnerability Management

Effective vulnerability management is a systematic process to identify, assess, prioritize, mitigate and monitor vulnerabilities in a product, so that the likelihood and impact of a security breach are minimized. These are the new requirements related to vulnerability management:

  • Identify and document the vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM).
  • Address and remediate vulnerabilities without delay, including by providing security updates.
  • Apply effective and regular tests and reviews of the product's security.
  • Put a coordinated vulnerability disclosure policy in place, and publicly disclose information about fixed vulnerabilities once a security update is available.
  • Report actively exploited vulnerabilities to ENISA within 24 hours of becoming aware of them.
  • Provide security updates promptly and free of charge, for at least five years.

Product Conformity

Product conformity ensures that IT products meet the quality, safety and performance standards required for effective and safe use in business and consumer environments. These are the new requirements that will apply:

  • Design, develop and produce the product with an appropriate level of cybersecurity, and deliver it with a secure-by-default configuration.
  • Assess and document all cybersecurity risks.
  • Include the cybersecurity risk assessment in the technical documentation.
  • Systematically document the relevant cybersecurity aspects of the product.
  • Take into account changes in the development, production and design process that may affect the product's cybersecurity.

Recommended adoption timeline

  • Entry into force expected early 2024.
  • Manufacturers will have to apply the rules 36 months after entry into force.
  • The Commission will periodically review the Cyber Resilience Act and report on its functioning.