Cyber Resilience Act (CRA) officially adopted
Cybersecurity for IoT Devices
The CRA establishes mandatory security requirements for digital products manufactured, imported, or sold in the EU, ensuring consistent safety across the lifecycle of these devices.
Key points:
Security requirements: Manufacturers must ensure that their products meet the cybersecurity criteria and remain secure throughout their entire lifecycle.
CE marking: Connected products must bear the CE marking certifying compliance with the cybersecurity standards.
Reporting requirements: Vulnerabilities and cyber incidents must be reported within 24 hours; detailed reports will follow within 72 hours to ENISA.
Updates and support: Manufacturers are obliged to provide free security updates during the expected lifespan of the products.
Timetable: The CRA will come into full effect from November 2027, while the first reporting requirements will apply from August 2026.
Source and further links:
Cyber Resilience Act: European Union