On 30 November 2023, the European Parliament and the Council reached a political agreement on the Cyber Resilience Act (CRA).
However, the co-legislators agreed to propose certain adjustments concerning:
- the scope of the CRA, with a simpler methodology for the classification of digital products to be covered;
- the support period, which was amended to at least five years (except for products that are expected to be in use for a shorter period);
- the reporting of actively exploited vulnerabilities and incidents, which must be made to competent national authorities, while ENISA’s central role in this area was strengthened;
- the conformity assessment, under which products must undergo either self-assessment or third-party assessment to receive a CE marking; and
- the support for SMEs, which receive assistance with awareness-raising and training activities, testing, and conformity assessment procedures.
The work will continue in technical meetings in the coming weeks to finalize the text of the CRA. The finalized text will be adopted by the European Parliament and the Council, presumably by April 2024. It will be published in the Official Journal of the European Union, probably by June 2024, and will enter into force on the 20th day following its publication. After this date, manufacturers, importers, and distributors of hardware and software products will have 36 months to adapt to the new requirements, but manufacturers will only have 21 months to comply with the reporting obligation for incidents and vulnerabilities.
The official press release can be read here.