Cyber Resilience Act: New Standards for Digital Security in Europe

On October 10, the Cyber Resilience Act (CRA) cleared a crucial hurdle in the European Council—and will establish a minimum level of cybersecurity for all connected products on the European market in the future. Among other things, the CRA stipulates that products must meet strict cybersecurity standards starting from the development phase and throughout their entire lifecycle. Non-compliant companies face fines.

Digitalization and globalization are advancing at a rapid pace, which is also exacerbating cybersecurity threats. Companies and public institutions are increasingly becoming targets of cyberattacks, while the number of discovered software vulnerabilities continues to grow. Last year alone, an average of over 2,000 new security vulnerabilities were reported each month, a 25% increase compared to the previous year, according to the Federal Office for Information Security. Providers of digital products often fail to address these vulnerabilities in a timely manner, or they leave their products unprotected from the outset.

In light of these developments, a clear, binding legal framework is essential. This is precisely where the CRA comes in: It establishes new, mandatory safety standards for products with digital elements in Europe in order to effectively address the challenges of the digital world.

From microchips to smart coffee makers

The CRA applies to a wide range of entities, including European manufacturers, importers, and distributors of products containing digital elements. Even smaller companies and public institutions are not exempt from the CRA’s requirements, as there are no size restrictions.

Whether it’s software or hardware: With the Cyber Resilience Act, there are now, for the first time, mandatory security requirements for all connected devices—and that includes your own smart coffee maker.

Security by Design

The CRA requires manufacturers, importers, and distributors to ensure that their products meet the specified cybersecurity requirements. The core requirements include:

  • Security Standards: Products must be designed with cybersecurity in mind as early as the development phase in order to minimize security risks.
  • Regular Updates: Manufacturers are required to provide security updates throughout the product’s entire lifecycle and to address known vulnerabilities.
  • Marking: Products must bear the CE mark, which confirms that they comply with safety requirements.
  • Reporting Requirements: Companies must strengthen their reporting to the European Union Agency for Cybersecurity (ENISA) and report security incidents.

Timeline

The CRA will take effect 20 days after its publication in the Official Journal of the EU. Within three years, all products must then comply with the CRA requirements in order to be sold within the European Union. The projected timeline is as follows:

  • May 2026: Conformity assessment bodies (CABs) may test products in accordance with the CRA.
  • August 2026: Reporting Requirements for Vulnerabilities and Security Incidents.
  • November 2027: All CRA requirements are mandatory.

Future-Proof Cybersecurity

At a time when our data is among our most valuable assets, it is essential to protect it from unauthorized access. Therefore, the CRA is an important and necessary step toward improving cybersecurity in Europe.

Compliance with the new security standards is not only a legal obligation but also a strategic opportunity, because investments in cybersecurity are more than just compliance.

Furthermore, promoting cybersecurity will help create a sovereign digital landscape in Europe. A uniform level of security not only fosters competition among companies but also drives innovation.

Try leitzcloud now.

With the Cyber Resilience Act, cybersecurity is becoming a critical competitive factor. leitzcloud helps companies reliably protect sensitive data—with end-to-end encryption, zero-knowledge privacy, and a secure cloud infrastructure. This way, you’re not only investing in data security but also in the future viability of your business.
