The EU Cyber Resilience Act (CRA) is now a reality.
Published in the Official Journal of the European Union on 20 November 2024, the CRA notably establishes mandatory cybersecurity requirements for products with digital elements (PDEs) within the EU market.
The CRA pursues four key objectives:
- Ensuring cybersecurity standards for the design, development and production of PDEs and throughout their life cycle;
- Ensuring a coherent cybersecurity framework for PDEs across the EU;
- Enhancing transparency including as regards the security properties of PDEs; and
- Enabling businesses and consumers to use PDEs securely, including through requirements for vulnerability and incident handling.
The CRA enters into force on 10 December 2024, with a phased application of its requirements thereafter. Whilst the majority of obligations under the CRA become applicable from 11 December 2027, others kick in sooner.
We have developed this briefing to provide key takeaways on the CRA, including as regards scope, key requirements, enforcement, timing and business readiness.