What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the EU’s horizontal regulation setting cybersecurity requirements for “products with digital elements”: hardware, software, IoT and connected services placed on the EU market. The CRA aims to address the patchy security landscape of consumer and B2B digital products by setting essential cybersecurity requirements that apply throughout the product lifecycle. It entered into force in November 2024; the main obligations apply from December 2027.

Scope: products with digital elements

  • Hardware: connected devices, sensors, routers, smart appliances.
  • Software: consumer applications, B2B software, embedded systems.
  • Critical category: identity management, browsers, password managers, antivirus, VPN and smart-meter components, which face stricter conformity assessment.
  • Excluded: medical devices, motor vehicles, civil aviation (covered by sector-specific regulation).

Core requirements

  • Security by design and by default: minimised attack surface from initial release.
  • Vulnerability management: coordinated disclosure, security updates throughout support period.
  • Documentation: technical documentation evidencing compliance.
  • Conformity assessment: CE marking after self-assessment or third-party audit (for critical products).
  • Incident reporting: actively exploited vulnerabilities must be reported to ENISA within the 24-hour, 72-hour and 14-day windows.
  • Support period: manufacturer must provide security updates for the expected product use period (minimum 5 years for many categories).

For Turkish manufacturers

Turkish manufacturers placing IoT, hardware or software on the EU market fall within the scope of the CRA. Compliance must run in parallel with existing certification (CE marking) processes, and an authorised representative must be established in the EU. Turkish firms producing connected devices (such as Vestel and Arçelik) and Turkish SaaS companies exporting software should design CRA-ready products from the outset.

Do: start a CRA gap analysis now; the December 2027 deadline requires multi-year engineering investment to deliver compliant products.
Don’t: treat the CRA as separate from existing security practices; it codifies many established best practices, so alignment is incremental rather than greenfield.