Summary
The European Union has released a draft implementing regulation focused on the Cyber Resilience Act (CRA), aimed at enhancing the cybersecurity of products with digital elements. This regulation classifies certain digital products as “important” or “critical,” implying stricter conformity assessment procedures and potential certification requirements for manufacturers.
The consultation ran from 13th March to 18th April 2025 and highlighted categories of products that fall under these classifications, such as operating systems, VPNs, and smart home devices. The CRA, which came into force on 10th December 2024, will enforce reporting obligations in approximately 21 months, with technical requirements following shortly after.
Key Points
- The CRA establishes rules for the cybersecurity of products with digital elements.
- Products are classified into “important” and “critical” categories, each with varying levels of regulatory scrutiny.
- A public consultation took place in early 2025 to gather feedback on draft regulations.
- Key examples of classified products include identity management systems, routers, and certain wearable health products.
- Reporting obligations under the CRA will be enforceable by around mid-2026, with technical requirements to follow in late 2027.
Why should I read this?
If you’re involved in the tech sector or handle products with digital elements, this article is a must-read! The draft regulations are pivotal as they will shape how your products will be assessed for cybersecurity and compliance. Knowing these changes now can save you a heap of trouble down the road!