**“Cyber Resilience Act: New Frontiers for the Security of Digital Products in the Era of IoT”**

**Impact of the Cyber Resilience Act: Security of Products with Digital Components**

The recent EU Regulation 2024/2847, known as the Cyber Resilience Act (CRA), represents a significant step towards enhancing cybersecurity protection in Europe. This legislation aims to strengthen the security of products that contain digital components, particularly those connected within the IoT (Internet of Things) ecosystem. The goal is to ensure that such products, throughout the entire supply chain and lifecycle, are protected from vulnerabilities and attacks.

### What the Regulation Entails

The CRA will come into effect on December 11, 2027, but the reporting obligations for incidents that exploit vulnerabilities will begin as early as June 11, 2026. This approach distinguishes between various types of products with digital elements, categorizing them as “normal,” “important,” and “critical.”

#### Normal Products
Defined in Article 6, “normal” products must adhere to minimum security measures outlined in Annex 1. A significant aspect is the obligation to manage vulnerabilities through a process specified in the same annex.

#### Important Products
These products, described in Article 7, include cybersecurity systems and products whose compromise could have significant impacts on other computer systems or on individuals. Starting from December 11, 2025, the European Commission will provide more detailed technical guidance for the classification of such products. The verification of their security must be carried out by notified certification bodies if the relevant harmonized standard is not followed. The checks may include type and production assessments depending on the manufacturer’s choices.

#### Critical Products
Described in Article 8, these products are subject to stricter security requirements. They must be certified with a “substantial” level of reliability in accordance with the Cybersecurity Act, and if no certification schemes are available, a certification body must be involved for compliance verification.

### Objectives and General Requirements

The Regulation establishes that manufacturers must conduct cybersecurity risk assessments related to their products. This includes identifying and implementing technical and procedural security controls. A significant new requirement is the obligation to provide support for at least five years, thereby ensuring ongoing assistance in the event of vulnerabilities.

In addition, the CRA outlines requirements for technical documentation, product tracking, user instructions, and CE marking. The establishment of a notification authority that will approve certification bodies is also planned, with a clear intent to monitor and ensure compliance with the regulation.

### Reporting Vulnerabilities

A crucial element of the regulation is the set of articles addressing the obligation to notify security incidents. Manufacturers must report incidents that result from vulnerabilities in their products to the competent Computer Security Incident Response Team (CSIRT). Furthermore, external parties may also report vulnerabilities, which enhances market transparency and responsiveness.

### Implications for Free and Open Source Software

The CRA does not overlook free and open-source software, highlighting the importance of certification in this area as well. This indicates a growing recognition of the fundamental role that open-source software plays in the cybersecurity landscape.

### Conclusion and Call to Action

The Cyber Resilience Act marks a significant change in the regulation of cybersecurity for products equipped with digital components, imposing robust security obligations and reporting requirements. With the CRA’s multi-layered approach, increased protection for end users and greater accountability for manufacturers are expected.

It is important to stay updated on future developments of this regulation and on the technical standards that will be issued subsequently. Therefore, we invite you to follow our social media profiles.
