What Is the Cyber Resilience Act
- The CRA is an EU regulation (Regulation (EU) 2024/2847) that sets horizontal cybersecurity requirements for products with digital elements—this means hardware & software that is directly or indirectly connected to a network or another device.
- The goal is to ensure products are secure throughout their lifecycle: from design and development, through production, to deployment, maintenance, updates, and end of life.
- It aims to close gaps in current laws, harmonize requirements across EU member states, simplify compliance, and give consumers clearer information and stronger protections.
Key Dates / Status
- Entered into force on 10 December 2024.
- The main obligations apply from 11 December 2027. Digital Strategy+2Cyber Resilience Act+2
- Some reporting / conformity / assessment provisions come into effect earlier (e.g. reporting obligations ~ September 2026).
Scope / What Products Are Covered
- Products with digital elements whose intended & foreseeable use includes network connection (direct or indirect) or connection with other devices.
- Exemptions: Certain products already heavily regulated under existing EU laws (e.g. medical devices, aeronautical, cars) are excluded or treated differently.
Obligations & Requirements
Here are the main requirements that manufacturers, importers, distributors etc. must meet:
- Security by design & default: Products must be developed with cybersecurity in mind from the start. Risk assessment is required. European Parliament+2Cyber Resilience Act+2
- Ongoing security updates / vulnerability management: Products must have mechanisms for security updates, patching vulnerabilities. Support must continue for a reasonable period.
- Incident reporting: When cybersecurity incidents happen, manufacturers must notify relevant authorities in defined timeframes.
- Documentation and technical information: Maintain technical documentation; enable traceability and transparency around product security.
- Conformity assessment & CE marking: Products need to meet minimum cybersecurity requirements, and eligible ones must go through conformity assessment. Compliant products get CE marking to show they satisfy the regulation.
- Risk-based classification: Some products are classed as “critical” or “important” and face stricter obligations (e.g. external auditing) versus more generic ones which may rely on self-assessment.
Penalties / Enforcement
- Non-compliance can lead to significant fines: up to €15 million or 2.5% of global annual turnover, whichever is higher.
- The regulation is binding directly in all EU member states (since it’s a regulation, not a directive).
Impacts & Challenges
- For manufacturers & developers: need to plan product lifecycles with security in mind; invest in tooling, monitoring, update systems.
- For open-source projects: there were concerns about how the CRA might affect open source — but some carve-outs/exceptions and new roles (e.g. “open source steward”) were introduced.
- For businesses importing or selling digital devices/products: must ensure suppliers comply, adapt contracts, maintain documentation, foresee reporting obligations.
Secure Design and Architecture
The Cyber Resilience Act (CRA) emphasizes that digital products should be designed and built with security as a core principle, which is often called secure by design. This approach means that security is not an afterthought but integrated into the product’s architecture from the earliest stages of development. It involves identifying potential threats, defining security requirements, and implementing controls that reduce vulnerabilities throughout the software or hardware lifecycle. Secure design under the CRA encourages practices like minimizing attack surfaces, enforcing strong authentication, and ensuring data privacy by default.
In terms of secure architecture, the CRA highlights the importance of layered defences, also known as defence-in-depth, where multiple security mechanisms are used across different components of a system. This could include secure communication channels, regular software updates, monitoring mechanisms, and fail-safe procedures to maintain functionality during attacks. A robust architecture under the CRA also requires thorough testing for vulnerabilities, including penetration testing and code reviews, to verify that the system can withstand both known and emerging cyber threats.
Overall, the CRA pushes manufacturers and developers to take a proactive approach to security. By embedding secure design principles and architectural best practices, products are more resilient to cyberattacks, helping to protect users, critical infrastructure, and data integrity. Compliance with these requirements also fosters trust in digital products within the European Union and aligns with broader cybersecurity strategies.
Secure Software Development
Secure software development is a methodology that integrates security practices directly into the software development lifecycle (SDLC), ensuring that applications are resilient to cyber threats from the earliest stages of design to deployment and maintenance. Unlike traditional development approaches, which may treat security as an afterthought, secure software development emphasizes proactive risk management. This includes identifying potential vulnerabilities, performing threat modelling, and establishing security requirements before a single line of code is written. By embedding security principles early, developers reduce the likelihood of costly post-release fixes and mitigate risks to users and organizations.
Key practices in secure software development include input validation, authentication and authorization controls, encryption, and secure session management. Input validation prevents malicious data from compromising the system, while proper authentication and authorization ensure that only legitimate users can access sensitive functions and data. Encryption protects information both at rest and in transit, and secure session management safeguards user sessions from hijacking. Developers are also encouraged to follow secure coding standards, such as avoiding common vulnerabilities like buffer overflows, SQL injection, and cross-site scripting (XSS), which remain prevalent attack vectors.
Another critical component is continuous testing and monitoring. This involves automated code scanning, static and dynamic analysis, and penetration testing to uncover vulnerabilities before deployment. Post-deployment, applications should be regularly updated with security patches, and monitoring systems should detect anomalous behaviour that could indicate a breach. Secure software development also emphasizes a culture of security awareness, where developers, testers, and managers are trained to recognize security risks and integrate best practices into everyday workflows. Overall, this approach ensures that software is not only functional but also resilient, protecting both users and organizations against evolving cyber threats.
Dependance on Supply Chain Security
Dependence and supply chain security has become a critical focus in modern cybersecurity because most organizations rely on a network of third-party vendors, software libraries, and cloud services to operate effectively. Every external dependency introduces potential risk, as vulnerabilities in a supplier’s systems can cascade into downstream organizations. High-profile incidents, such as attacks exploiting third-party software, have highlighted how a single compromised vendor can disrupt operations, steal sensitive data, or enable ransomware campaigns. Therefore, organizations must treat supply chain security as an integral part of their overall cybersecurity strategy.
A strong approach to supply chain security involves identifying and mapping all dependencies, both direct and indirect. This includes software components, hardware devices, cloud services, and outsourced services. Organizations should perform risk assessments for each supplier, evaluating their security practices, compliance certifications, and incident response capabilities. Contracts should enforce security requirements, including regular updates, vulnerability disclosure processes, and adherence to standards such as ISO/IEC 27001 or NIST cybersecurity frameworks. Continuous monitoring of suppliers is also essential to detect changes in risk posture, newly disclosed vulnerabilities, or unexpected behavior in supplied software or services.
Another key aspect is secure software supply chain management. This includes practices like verifying the integrity of third-party libraries through checksums or digital signatures, scanning for known vulnerabilities, and restricting use of components from untrusted sources. Organizations can also adopt zero-trust principles in supplier interactions, limiting access to only what is necessary and enforcing strong authentication and authorization. Finally, incident response planning should explicitly include supply chain scenarios, ensuring organizations can quickly isolate affected systems and mitigate impact. By prioritizing supply chain security, organizations not only reduce operational risk but also strengthen resilience against increasingly sophisticated and interconnected cyber threats.
Build and CI/CD Security
Under the Cyber Resilience Act, manufacturers must ensure that secure development practices are embedded throughout the software lifecycle, including within build pipelines and CI/CD environments. Build systems and automated deployment pipelines are high-value targets for attackers, as compromise at this stage can introduce malicious code into otherwise trusted software. Therefore, organizations are expected to implement strong controls that protect the integrity, authenticity, and traceability of software artifacts produced during development.
Secure CI/CD practices include strict access control, separation of duties, hardened build environments, and secure handling of secrets such as API keys and signing certificates. All build steps should be reproducible, auditable, and protected from unauthorized modification. Code signing and artifact verification are essential to ensure that only trusted software components are released. Additionally, dependency management must be tightly controlled, with continuous monitoring for vulnerabilities in third-party components and open-source libraries used within the pipeline.
The CRA also emphasizes traceability and accountability across the build process. This includes maintaining detailed logs, version control records, and Software Bills of Materials (SBOMs) to enable rapid vulnerability identification and response. By securing CI/CD pipelines, organizations can significantly reduce the risk of supply chain attacks, ensure regulatory compliance, and maintain a high standard of cybersecurity resilience throughout the software delivery process.
Testing and Validation
Under the Cyber Resilience Act, manufacturers are required to implement comprehensive testing and validation processes throughout the product lifecycle to ensure that products with digital elements meet essential cybersecurity requirements. Testing activities must systematically identify vulnerabilities, verify security controls, and validate that implemented protections effectively mitigate known and foreseeable threats. This ensures that products are secure by design and resilient against cyber risks before being placed on the market.
Effective testing and validation practices include static and dynamic application security testing (SAST/DAST), penetration testing, fuzz testing, and continuous vulnerability scanning. These methods help detect coding flaws, configuration weaknesses, and runtime vulnerabilities across both software and firmware components. Automated testing should be integrated into CI/CD pipelines to provide continuous assurance, while manual testing and expert-led security assessments are used to validate higher-risk components and complex attack scenarios.
The CRA also emphasizes continuous validation after deployment, requiring manufacturers to monitor emerging threats, test patches, and validate updates before release. Regression testing ensures that security fixes do not introduce new vulnerabilities or degrade existing protections. Together, structured testing, ongoing validation, and documented evidence of results enable organizations to demonstrate compliance, maintain product integrity, and rapidly respond to evolving cybersecurity risks.
Update and Patch Management
The Cyber Resilience Act requires manufacturers to establish robust update and patch management processes to ensure that products with digital elements remain secure throughout their supported lifecycle. As new vulnerabilities and threats continuously emerge, timely updates are essential to maintain product security and protect users from exploitation. Organizations must implement structured procedures for identifying vulnerabilities, developing patches, validating fixes, and securely deploying updates to customers.
Effective patch management includes continuous vulnerability monitoring, coordinated vulnerability disclosure processes, and clearly defined response timelines. Security updates should be prioritized based on risk severity, exploitability, and potential impact. All updates must undergo thorough testing and validation before release to ensure they do not introduce regressions or new vulnerabilities. Secure delivery mechanisms, such as encrypted update channels and cryptographic signing, are critical to guarantee the authenticity and integrity of patches.
The CRA also emphasizes transparency and long-term support obligations. Manufacturers must clearly communicate update policies, including support periods, end-of-life timelines, and instructions for applying patches. Maintaining accurate documentation, update logs, and version histories ensures traceability and compliance. By implementing disciplined update and patch management practices, organizations can reduce exposure to cyber threats, strengthen user trust, and demonstrate adherence to regulatory requirements.
Monitoring and Logging
The Cyber Resilience Act emphasizes the importance of continuous monitoring and detailed logging as critical components of a secure digital product lifecycle. Monitoring allows manufacturers and operators to detect anomalous activities, potential security breaches, and emerging threats in real time. Properly configured monitoring ensures that products remain resilient against attacks, providing visibility into system behavior, user activity, and network traffic, which is essential for early threat detection and rapid response.
Logging plays a complementary role by creating a detailed, tamper-evident record of system events. Logs can include authentication attempts, configuration changes, network communications, and application errors. Under the CRA, logs must be structured, protected, and retained for a sufficient period to support forensic analysis, regulatory compliance, and audit requirements. Ensuring the integrity of log data is essential to maintain trust and to provide actionable intelligence during incident investigations.
Advanced monitoring strategies integrate automation, anomaly detection, and correlation of events across multiple systems. Alerts should be prioritized based on risk, and procedures must be in place to investigate and remediate incidents efficiently. By combining comprehensive logging with active monitoring, organizations can not only detect and mitigate security issues but also demonstrate regulatory compliance, improve incident response, and strengthen overall cyber resilience.
Vulnerability Handling
The Cyber Resilience Act places strong emphasis on systematic vulnerability handling to reduce the risk of cyber threats and maintain the security of digital products throughout their lifecycle. Organizations are required to implement processes for the identification, assessment, and mitigation of security vulnerabilities. This includes monitoring both internal systems and third-party components for potential weaknesses that could be exploited by attackers, ensuring that products remain resilient and secure.
Effective vulnerability handling involves the establishment of a coordinated vulnerability disclosure (CVD) program, allowing security researchers, users, and other stakeholders to report potential vulnerabilities safely. Each reported vulnerability should be triaged based on its severity, exploitability, and potential impact on users, enabling organizations to prioritize resources and address the most critical risks first. Clear timelines for assessment, remediation, and communication are essential to maintain trust and regulatory compliance.
Once vulnerabilities are identified, organizations must implement mitigation strategies such as patches, configuration changes, or compensating controls. All mitigation measures should be thoroughly tested to ensure they do not introduce new issues or degrade existing security features. Detailed documentation of identified vulnerabilities, their remediation, and the decision-making process is crucial for traceability, audits, and demonstrating compliance with the CRA. By adopting a structured and proactive approach to vulnerability handling, manufacturers can significantly reduce the likelihood of security incidents and reinforce overall cyber resilience.
