
The Cyber Resilience Act (CRA)

All about the new legislation making connected products more secure

The Cyber Resilience Act (CRA) is an upcoming EU Regulation that will make all connected products more cyber-secure. Once it is formally adopted in the autumn of 2024, it is expected to have a long-lasting impact on the cybersecurity landscape in Europe, with tangible positive effects on our society and economy. As the national authority for cybersecurity, the CCB has already initiated national preparations to support economic operators in complying with the new rules.

But what exactly is the CRA? Which products will fall under the new rules? What should manufacturers do exactly? How will the CRA impact consumers? And, most importantly, when will it take effect?

This page provides preliminary answers to these questions and will be updated in the coming months with more detailed guidance.

1. Scope of products covered

The CRA is the first European regulation imposing minimum cybersecurity requirements on all connected products placed on the EU market. Its objective is to make the so-called “internet of things” (IoT) more secure.

Products to be covered by the CRA range from low-cost consumer products to B2B software and high-end complex industrial systems. More specifically, “products with digital elements” are defined as products that can be connected to a device or network of some sort and include:

  • hardware products with connected features, such as smartphones, laptops, home cameras, smartwatches and connected toys, but also modems, firewalls and smart meters,
  • software not embedded in a hardware product and sold on a standalone basis, for example accounting software, online games and mobile apps.

Products NOT subject to the CRA requirements include non-commercial open source software, cloud services and software as a service (SaaS), the latter two already being regulated under the NIS2 Directive.

2. Main obligations for manufacturers

All manufacturers placing products on the EU market will have to comply with the CRA even if they are based outside the EU. The new requirements include three main types of provisions:

  • minimum requirements, in line with the principles of “cybersecurity by design” and “cybersecurity by default”, which apply to products before they are placed on the market (e.g. ensuring that sensitive data stored in the product is encrypted, that the attack surface is as limited as possible, ...),
  • obligations throughout the whole lifecycle of the connected product, especially as regards vulnerability management (e.g. automatic installation of security updates by default, ...),
  • rules on market surveillance and enforcement, with different levels of conformity assessment depending on the importance and criticality of the product, ranging from self-assessment by the manufacturer to compulsory third-party audits or certification.

3. Impact for users

Today, consumers often find it difficult to know whether a connected product is sufficiently secure, or whether it can easily be hacked by third parties. Thanks to the CRA, consumers will have the guarantee that the products they buy in the EU comply with minimum standards and are not delivered with, for example, a known exploitable vulnerability or weak default settings.

The CRA also empowers consumers to make more informed choices by requiring transparency from manufacturers on the date until which security updates will be provided for the product. In other words, users will be able to compare products not only based on their price and features, but also on the length of the support period – an important indicator to ensure that products can be used in a secure way during their expected lifetime.

4. Find out more

The implementation of the CRA will occur in different phases from the end of 2024 to 2027. To find out more, read our CRA Questions and answers.