Cyber Resilience Act (CRA): new rules will make connected products more secure

On 20 November 2024, the Cyber Resilience Act (CRA) was published.

This new EU regulation on “horizontal cybersecurity requirements for products with digital elements” aims at addressing a major source of vulnerability: the low level of cybersecurity of many connected products sold on the European market, from connected toys to smart TVs and from B2B software to complex industrial systems including connectivity features. For the first time, the CRA imposes minimum cybersecurity requirements on these products, both before they are put on the market and afterwards, ensuring that cybersecurity vulnerabilities are addressed throughout the lifecycle of a product.

The initial proposal of Regulation had been tabled by the European Commission on 15 September 2022. As part of the EU legislative process, it was subsequently examined by the Council of the EU and the European Parliament. Both institutions reached an agreement on a revised text about a year later, on 30 November 2023. Following some procedural delays linked to the organisation of the European elections of 9 June 2024, the CRA was only signed into law and published in the Official Journal of the EU on 20 November 2024. The text officially enters into force 20 days after its publication, i.e. on 10 December 2024.

Throughout the whole adoption process, Belgium has played an active role in promoting a proportionate approach for CRA requirements. In line with the CCB’s recommendations, we advocated for simple measures that will have a real impact in reducing vulnerabilities, such as the introduction of a default setting ensuring that security updates are installed automatically, or the obligation for manufacturers to inform users about the length of the support period for their connected products (i.e. the date until which they commit to provide security updates).

In practice, a transition period is foreseen to ensure that economic operators have sufficient time to adapt to the new requirements:

  • In the first phase, starting 21 months from today, manufacturers of connected products will have to notify public authorities about incidents and vulnerabilities impacting the security of their products. This will create more transparency and ensure the speedy development and deployment of security updates so that vulnerabilities are patched.
  • In a second phase, starting 3 years from today, all CRA requirements will apply, including provisions on security by default, user transparency and market surveillance. By that time, connected products will have to undergo a conformity assessment prior to being sold in Europe, no matter where the manufacturer is located. A simplified compliance process based on self-declaration is foreseen for low-risk products whereas the most important and critical products will have to be subject to a detailed assessment by third party auditors (so-called “conformity assessment bodies”).

For more detailed information on the new rules, see our CRA page and the answers to the most frequently asked questions (FAQs) or consult the full text of the Regulation.