The Cyber Resilience Act (CRA) establishes a comprehensive, cross-sectoral framework that introduces mandatory cybersecurity requirements for all “products with digital elements” (hardware and software) marketed in the EU. It was adopted to address systemic vulnerabilities arising from insecure connected devices and fragmented national standards. The Regulation enshrines security-by-design and security-by-default principles, mandates continuous vulnerability management, and requires prompt incident reporting to competent authorities. For AI-related technologies, this framework is particularly relevant because the CRA explicitly covers “software” and “remote data processing solutions” that include AI-based or algorithmic components when these are integrated into products or systems. Its lifecycle approach, requiring manufacturers to manage vulnerabilities, provide security updates, and ensure conformity through CE marking, applies equally to AI-enabled products, complementing the AI Act’s focus on trustworthy model governance. Having entered into force in 2024 (with staged application from 2026–2027), the CRA, together with NIS 2 and the forthcoming AI Act, forms a triangular foundation for EU digital safety and AI governance, marking the first globally coordinated regulatory model for product-level cybersecurity with potential extraterritorial impact.
Citation: OJ L 2024/2847, PE/100/2023/REV/1