Cyber Resilience Act: security requirements for connected products
The Cyber Resilience Act (Regulation (EU) 2024/2847) sets EU-wide security requirements for products with digital elements — from telematics to IoT sensors. Full application on 11 December 2027, reporting duties already from September 2026. What it means for transport and logistics.
Where NIS2 governs the cybersecurity of your organisation, the Cyber Resilience Act (Regulation (EU) 2024/2847) governs the security of the products themselves. For transport and logistics that is no abstraction: telematics, on-board units, trackers, sensors and connected vehicle components are all "products with digital elements".
What the CRA requires
The regulation imposes horizontal, EU-wide cybersecurity requirements on the design, development and placing on the market of products with digital elements. The duties fall on manufacturers, importers and distributors: secure-by-default settings, vulnerability handling, security updates throughout the lifecycle, technical documentation, conformity assessment and CE marking.
The timeline
The regulation entered into force on 12 November 2024 and applies in phases:
- 11 June 2026 — rules on the notification of conformity assessment bodies.
- 11 September 2026 — reporting duty: manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT.
- 11 December 2027 — full application: all essential requirements, conformity assessment, CE marking and documentation.
Relation to NIS2 and the Data Act
Three regimes touch the same "connected" field from different angles: CRA = the security of the product, NIS2 = the security of the organisation deploying it, Data Act = who gets access to the data the product generates. Anyone buying or reselling connected hardware will face the CRA — if only through vendor assurance.
What it means for you
- Buying connected products? Ask suppliers about CRA conformity (CE, updates, vulnerability handling) — soon a procurement condition.
- Placing connected products on the market yourself (including under your own name)? Then you become a manufacturer under the CRA, with the full set of duties.
Want to know which EU regimes besides the CRA affect your organisation — the Data Act, eFTI, EMSWe, the AI Act, NIS2 — and where your readiness stands? Take the Transport & Logistics scan.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/2847/oj
  Regulation (EU) 2024/2847 (Cyber Resilience Act): security requirements for products with digital elements; full application 11 December 2027.
- https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
  European Commission — Cyber Resilience Act: scope, obligations and phased entry into application.
Read next
Does my telematics hardware fall under the Cyber Resilience Act?
Yes. Telematics, trackers and IoT devices are products with digital elements and fall under the Cyber Resilience Act (Regulation (EU) 2024/2847). The regulation applies in full from 11 December 2027.
Cyber Resilience Act: which deadline applies when?
The CRA (Regulation (EU) 2024/2847) entered into force on 12 November 2024. Key dates: notification of conformity assessment bodies 11 June 2026, reporting obligation 11 September 2026, full application 11 December 2027.
Cyber Resilience Act: what must I require from my suppliers?
Require suppliers of trackers, telematics and IoT to provide proof of CE marking, conformity assessment, secure-by-default configuration and update guarantees. Fix reporting duties and liability in your contracts before full application on 11 December 2027.