The J2 Innovations blog

The home of smart buildings, smart equipment and IoT

Cyber Resilience in a Connected World: A Look at the EU’s Groundbreaking Cybersecurity Law

As connected devices continue to shape how we live and work, the cybersecurity risks tied to software and hardware devices have grown significantly. To address those risks, the European Union has introduced the Cyber Resilience Act (CRA)—a first-of-its-kind regulation aimed at improving the cybersecurity of digital products placed on the EU market. Whether it’s a smart sensor, controller, or software application, the CRA sets clear expectations for how products with digital elements should be developed, maintained, and supported.

This new law marks a major step forward in how manufacturers, developers, distributors, and customers approach cybersecurity, not just in Europe but globally.

What is the Cyber Resilience Act?

The CRA establishes mandatory cybersecurity requirements for hardware and software products that are connected directly or indirectly to the internet or other networks. Its main objective is to make sure those products are more secure throughout their entire lifecycle—from design and development to maintenance and end of life.

It applies to a wide range of products and sets out common rules to:

  • Strengthen cybersecurity protections before products hit the market.

  • Increase transparency for users.

  • Ensure manufacturers stay responsible for product security even after sale.

  • Require timely updates and vulnerability handling.

Key Obligations Under the CRA

To comply with the CRA, manufacturers and other stakeholders must take several important steps:

  • Conduct risk assessments during the design and development phases.

  • Follow secure-by-design practices, building cybersecurity into each stage of production.

  • Manage vulnerabilities proactively, including reporting actively exploited vulnerabilities to ENISA and the relevant national CSIRT: an early warning within 24 hours of becoming aware of it, a fuller notification within 72 hours, and a final report within 14 days of a fix being available.

  • Provide clear documentation: draw up a technical file and an EU declaration of conformity, affix the CE marking, and supply users with security information and instructions.

  • Ensure security updates are available for as long as the product is expected to be in use (a support period of at least five years, unless the product is expected to be used for a shorter time).

The CRA also includes enforcement mechanisms and penalties: non-compliant companies could face fines of up to €15 million or 2.5% of their total worldwide annual turnover, whichever is higher. To avoid penalties, manufacturers must address the following requirements.

Product Support and End-of-Life Implications

  • Manufacturers must provide ongoing security support for products during their support period, including timely vulnerability handling and updates.
  • Products declared End of Support (EoS) before the CRA applies are still subject to its requirements if they are placed on the EU market after December 11, 2027. Products placed on the market before that date are subject only to the vulnerability and incident reporting obligations, unless they are later substantially modified.
  • Non-compliant products placed on the market after that date may require remediation, withdrawal, or recall, depending on the risk level and the decisions of market surveillance authorities.

Legacy and Non-Compliant Products

  • Legacy products must meet CRA requirements at the time they are placed on the market, regardless of their production date or series.
  • If a security weakness is identified in a non-compliant product, manufacturers are expected to remediate the vulnerability. In some cases, transitioning to a compliant product may be necessary.

Shared Responsibilities and Security Obligations

  • The CRA emphasizes shared responsibility: manufacturers must ensure secure design and post-market support, while customers are expected to maintain physical and network security where products are deployed.
  • Responsibility for safeguarding the IT infrastructure lies primarily with the operator or user, but manufacturers must ensure their products do not introduce systemic risks. 

Why It Matters Beyond the EU

Although this is an EU regulation, its implications go well beyond Europe. Any company that places connected products on the EU market, regardless of where it is headquartered, will need to comply. That means manufacturers, developers, and integrators worldwide should be paying attention.

The CRA is expected to become a reference point for other cybersecurity regulations and standards, helping to align global practices around product security and lifecycle responsibility. As it drives recognition of product cybersecurity, other countries are likely to introduce similar regulations and best practices.

What’s Next?

The regulation entered into force on December 10, 2024. Reporting obligations apply from September 11, 2026, and the remaining requirements apply in full from December 11, 2027.

Key transition milestones include:

  • 36 months for product compliance: products placed on the EU market from December 11, 2027 must meet the essential cybersecurity requirements to remain eligible for sale.
  • 21 months for reporting obligations: reporting of actively exploited vulnerabilities and severe incidents becomes mandatory as of September 11, 2026.

For anyone involved in the development, distribution, or integration of connected products, now is the time to start preparing. The CRA sets a new bar for what secure product development looks like, and while the work may be significant, the payoff is a more resilient and trustworthy digital ecosystem.

J2 Innovations is proactively engaged in the process, ensuring FIN Framework users and OEMs have a seamless transition for compliance. Learn more about how FIN Framework is already "Secure by Design" here.

B. Scott Muench

Scott joined J2 Innovations as a partner in 2011 and is now Vice President of Knowledge Excellence. He has a wide range of responsibilities, including evangelism, business development and training. Scott is well known as an industry expert in smart homes and smart buildings. He is a past president of ASHRAE, and is currently a board member for Project Haystack. Scott attended Clarkson University for Mechanical Engineering and graduated with a BS/Business in Organizational Innovation.
