The European Union's Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) reached political agreement in trilogue in late 2023, was formally adopted by the Council on 10 October 2024, was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024. Entry into force does not mean enforcement: none of its obligations applied in January 2025, and they instead phase in over a 36-month transitional period. The regulation establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market and is widely regarded as the most comprehensive product cybersecurity legislation enacted anywhere in the world.


What the CRA Requires


The CRA applies the same essential cybersecurity requirements (Annex I) to every product in scope, but scales the conformity assessment burden with the product's risk. It distinguishes the following categories:


Default category (the large majority of products, including most consumer products): Manufacturers must implement security by design and by default, place products on the market without known exploitable vulnerabilities, handle vulnerabilities throughout a defined support period (at least 5 years, unless the product is expected to be in use for a shorter time; each security update must also remain available for at least 10 years after release or for the rest of the support period, whichever is longer), draw up a Software Bill of Materials (SBOM) in a commonly used machine-readable format covering at least the product's top-level dependencies, and publish a coordinated vulnerability disclosure policy with a contact point for reporting. Conformity is demonstrated through the manufacturer's own internal control procedure.


Important products, Class I (Annex III: for example password managers, products with VPN functionality, operating systems, routers and switches, browsers, identity and privileged access management systems, smart locks and security cameras): All default requirements apply. Self-assessment remains possible only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; otherwise a third-party conformity assessment by a notified body is required before CE marking.


Important products, Class II (Annex III: hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, tamper-resistant microprocessors and microcontrollers): Third-party conformity assessment by a notified body is mandatory. A further category of critical products (Annex IV: hardware devices with security boxes such as HSMs, smart meter gateways, and smart cards and secure elements) follows the Class II procedure and may additionally be required, by delegated act, to obtain a European cybersecurity certificate under the Cybersecurity Act at assurance level 'substantial' or higher.


Enforcement Mechanisms


National market surveillance authorities (MSAs) in each EU member state are responsible for enforcement. Administrative fines, set out in Article 64 of the regulation, are capped as follows:

  • Non-compliance with the essential cybersecurity requirements in Annex I or with the manufacturer's core obligations (Articles 13 and 14): fines up to 15 million euros or 2.5% of worldwide annual turnover for the preceding financial year, whichever is higher
  • Non-compliance with any other obligation under the regulation: up to 10 million euros or 2% of worldwide annual turnover, whichever is higher
  • Supplying incorrect, incomplete or misleading information to notified bodies or MSAs in reply to a request: up to 5 million euros or 1% of worldwide annual turnover, whichever is higher

MSAs can also require corrective action and can restrict, withdraw or recall non-compliant products. Because the CE marking is what grants access to the single market, such measures can in effect remove a product from sale across the entire EU.


Industry Response


Industry groups have welcomed the regulatory clarity while flagging implementation challenges, including the maturity of SBOM tooling and the capacity of notified bodies to assess Class II and critical products in time. The regulation includes a 36-month transitional period: the provisions on notified bodies apply from 11 June 2026, manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the remaining obligations apply from 11 December 2027.


Global Implications


The CRA applies to any product with digital elements placed on the EU market regardless of where its manufacturer is based, so US, Asian and other non-EU manufacturers must comply or exit the EU market. Security experts expect the CRA to function as a 'Brussels Effect', raising cybersecurity standards for connected products globally, since manufacturers rarely maintain separate product lines for a single market.