EU Cyber Resilience Act (CRA) Compliance Updates and Implementation Roadmap

The EU's first comprehensive cybersecurity regulation targeting connected hardware and software, the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), has officially come into effect. This act establishes a uniform baseline of cybersecurity requirements for all "products with digital elements" sold on the EU market, aiming to fundamentally improve the cybersecurity and resilience of digital products.



I. Key Implementation Timeline


December 10, 2024: CRA comes into effect, transition period begins. Companies should immediately begin compliance preparations.


September 11, 2026: Vulnerability reporting obligation comes into effect. Manufacturers must proactively report confirmed product security vulnerabilities through the EU's unified vulnerability reporting platform.


December 11, 2027: Core compliance obligations are fully implemented. After this date, products that have not completed conformity assessment and affixed the CE marking will be prohibited from being placed on the EU market.


II. Product Risk Classification and Compliance Path


The CRA classifies products into three categories based on their cybersecurity risk impact, with compliance requirements increasing progressively:


**Default Products:** Products not listed in the Important or Critical categories. Manufacturers can demonstrate compliance through internal control procedures (self-declaration).


**Important Products:** Listed in Annex III of the Act, such as firewalls, password managers, and smart locks. Their conformity assessment requirements are more stringent:


**Category I Products:** If harmonized standards exist, self-assessment based on those standards is possible; otherwise, a third-party assessment by a notified body is required.


**Category II Products:** Typically require a third-party assessment by a notified body (e.g., EU-type examination).


**Critical Products:** Listed in Annex IV of the Act, such as smart cards, smart meter gateways, and security chips. Compliance must be demonstrated through a third-party assessment by a notified body, or, if conditions are met in the future, through a valid EU cybersecurity certification (e.g., EUCC).


**Important Note:** Manufacturers are responsible for the overall security of their products. Even if a product integrates CE-marked components, it does not exempt them from the obligation to conduct a comprehensive cybersecurity risk assessment of the final product and ensure its compliance with CRA requirements.


III. Overview of Core Manufacturer Obligations


Security Design: Integrate cybersecurity into the entire product design and development process.


Vulnerability Management: Provide free security updates and establish vulnerability handling procedures throughout an explicitly stated support period, which must be no shorter than the product's expected lifespan and the regulatory-mandated period (typically 5 years).


Technical Documentation: Create and maintain technical documentation, including software bills of materials and risk assessment reports, and retain it for 10 years after the last product is placed on the market.


Conformity Assessment and CE Marking: Complete the appropriate conformity assessment procedures according to the product category and affix the CE marking.


Information Transparency: Clearly inform users of the support period, security update policy, and product security attributes.


IV. Coordination with Existing Regulations (Taking Wireless Equipment as an Example)


The Radio Equipment Directive (RED) Article 3.3(d), (e) and (f) and the Cybersecurity Authorization Regulation (EU) 2022/30 will be formally replaced by the CRA on December 11, 2027. For products that have already undergone cybersecurity assessments in accordance with the RED (e.g., based on the EN 18031-1/2/3 standards):


Radio equipment placed on the market between August 1, 2025 and December 10, 2027 must still comply with RED Article 3.3(d), (e) and (f), and EU market surveillance authorities can still monitor its compliance.


From December 11, 2027, compliance with the CRA is mandatory.

Existing results can be used as a reference: previous security testing and assessments can serve as part of the technical evidence for CRA compliance, but they need to be integrated and supplemented to meet the CRA's specific requirements for the entire product lifecycle (e.g., SBOM, clear vulnerability handling procedures, support period commitments, etc.).


Avoid the misconception that RED compliance automatically equates to CRA compliance. Manufacturers must conduct gap analyses against the specific requirements of the CRA to ensure full compliance with the new obligations.


V. Consequences of Violation


Violations will be subject to severe administrative penalties, including:


For serious violations (such as failure to meet basic security requirements), fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.


For other violations of obligations (such as failure to report vulnerabilities in a timely manner), fines of up to €10 million or 2% of global annual turnover, whichever is higher.
