Cyber Resilience Act

EU-wide cybersecurity requirements for products with digital elements (Regulation (EU) 2024/2847), fully applicable from 11 December 2027.

Key obligations

CE marking and conformity assessment
The CRA requires CE marking and a conformity assessment as evidence that the product meets the essential requirements; request this at procurement.

Secure-by-default configuration
The CRA requires secure default settings on delivery and products free of known exploitable vulnerabilities (security by design).

Security updates and vulnerability management
The CRA mandates vulnerability management and security updates throughout the lifecycle; set out responsibility for and the period of updates in the contract.

Technical documentation and user information
The CRA requires technical documentation and user information, and where applicable insight into the product's software components.

Reporting duty for vulnerabilities and incidents
From 11 September 2026 there is a duty to report actively exploited vulnerabilities and serious incidents to ENISA and the CSIRT; ensure your suppliers inform you without delay.

Interplay with the AI Act
For high-risk AI, the AI Act (Art. 15) requires an appropriate level of cybersecurity alongside the CRA; combine both in a single risk assessment (incl. data poisoning, adversarial attacks).
