• In force since 10 December 2024.
• Application: 11 December 2027 of generally all rules of the CRA, with certain exceptions where obligations are applicable earlier: (1) 11 September 2026 for the reporting obligations of manufacturers for incidents and vulnerabilities, (2) 11 June 2026 for the establishment of national conformity assessment bodies

Summary

Horizontal regulation that covers all wired and wireless products connected to the internet and software.

Scope

• Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software​ placed on the EU market

Key elements

• Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
• Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking​

Challenges

• Definition of hardware and software products that fall under the CRA is still being discussed
• Overlap with other Acts of the EU Digital Strategy