Partner news
Digital Trust Center
The Cyber Resilience Act (CRA) is a European regulation that focuses on improving the security of digital products and services.
The CRA is aimed at manufacturers, distributors and importers of hardware and software that will be placed on the EU market from 11 December 2027. The CRA requires them to ensure that digital products meet essential security requirements. They must also provide security updates to ensure that products remain secure. This way, consumers and businesses can be confident that products they have purchased in the EU are digitally secure.
All products with digital elements must comply with the CRA from 2027. These are not only physical products such as IoT devices, firewalls or network equipment, but also software such as video games, mobile apps or operating systems such as Windows and components such as video cards and software libraries.
More information on the RDI website.
The most important requirements of the CRA are placed on the products that are placed on the market. But there are also requirements for the processes that manufacturers have set up to develop, design, manufacture and maintain their products.
In order to prevent security issues, the manufacturer of a product must determine the functionality and intended operation of the product. The manufacturer carries out a risk analysis, which must form the basis for the safe design of the product. It is important that all vulnerabilities and real risks are eliminated. In the event of serious incidents or actively exploited vulnerabilities, the manufacturer will be obliged from 11 September 2026 to report to the national CSIRT (in the Netherlands the NCSC) and to inform and advise the affected users. The law also requires the manufacturer to set up a process to respond to vulnerabilities and to be able to address them immediately, for example by providing a security update. These obligations apply for the entire expected useful life of the product, but for a minimum period of five years.
Nederlands