On 12 March 2024, the European Parliament approved the Cyber Resilience Act (CRA). The approval follows the agreement on the Act with the Council of the European Union on December 1, 2023. The CRA aims to ensure that products with digital features are secure to use and resilient against cyber threats, and that they provide enough information about their security properties.
The Act must also be formally adopted by the Council in order to become law. After publication in the Official Journal of the European Union, obligations will come into effect over a phased transition period:
- vulnerability reporting obligations will go into effect after 21 months (late 2025)
- the remaining obligations will go into effect after 3 years (early 2027).
Lead MEP Nicola Danti (Renew, IT) said: “The Cyber Resilience Act will strengthen the cybersecurity of connected products, tackling vulnerabilities in hardware and software alike, making the EU a safer and more resilient continent. Parliament has protected supply chains ensuring that key products such as routers and antiviruses are a priority for cybersecurity. We have ensured support for micro and small enterprises, better involvement of stakeholders, and addressed the concerns of the open-source community, while staying ambitious. Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”
See the official press release here!