Global AI Regulation & Framework Directory

EU Cyber Resilience Act

CRA · European Parliament and Council of the European Union

The EU Cyber Resilience Act establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market, including hardware and software incorporating AI components, covering the entire product lifecycle from design through end-of-life.

Overview

The EU Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, entered into force on 11 December 2024 following publication in the Official Journal of the EU. It is the first horizontal EU legislative instrument imposing binding cybersecurity obligations on manufacturers, importers, and distributors of products with digital elements (PDEs), a category that encompasses connected hardware devices, standalone software and, increasingly, AI-enabled products. The CRA fills a regulatory gap identified in the EU Cybersecurity Strategy: while sector-specific rules addressed cybersecurity in critical infrastructure and financial services, no baseline applied uniformly to the broad universe of commercial digital products.

The regulation is structured around essential cybersecurity requirements covering secure-by-design and secure-by-default principles, vulnerability handling obligations, and mandatory incident reporting to ENISA and national authorities. Products are classified into three risk categories: default, important (Class I and Class II), and critical, each carrying progressively stringent conformity assessment obligations. Default products may self-certify; higher-risk products require third-party assessment or compliance with harmonized European standards. Manufacturers must provide a minimum five-year support period or the expected product lifetime, whichever is shorter, during which they must deliver security updates without charge.

The CRA's phased implementation timeline means that the vulnerability and incident reporting obligations apply from 11 September 2026, and the full requirements apply from 11 December 2027. For enterprises deploying AI systems as part of connected products or embedding AI in software distributed in the EU, the CRA interacts significantly with the EU AI Act, particularly for AI systems qualifying as high-risk under Annex III of the AI Act, where conformity assessments may be partially consolidated.

Key Requirements

  • Secure-by-design and secure-by-default product architecture throughout the development lifecycle
  • Mandatory vulnerability disclosure and coordinated vulnerability handling process, including a dedicated point of contact
  • Notification to ENISA and relevant national CSIRTs within 24 hours of becoming aware of an actively exploited vulnerability, with a more detailed notification within 72 hours
  • Provision of free security updates for a minimum of five years or the product's expected operational lifetime
  • Preparation and maintenance of a Software Bill of Materials (SBOM) for all PDEs
  • CE marking to demonstrate conformity with CRA requirements before placing products on the EU market
  • Conformity assessment via self-declaration for default products; third-party assessment for Class I and Class II important products; European cybersecurity certification scheme for critical products
  • Imposition of equivalent obligations on importers and distributors where they substantially modify PDEs
  • Documentation of the cybersecurity risk assessment and maintenance of the technical file for ten years after the product is placed on the market
  • Prohibition on placing products with known exploitable vulnerabilities on the EU market

Who It Affects

  • Manufacturers of hardware products with digital elements sold into the EU market
  • Software publishers distributing commercial software (excluding SaaS and purely cloud-based services) in the EU
  • AI system developers and vendors whose models are embedded in or distributed as products with digital elements
  • Importers and distributors of PDEs who bear secondary compliance obligations
  • Enterprise procurement and vendor management functions evaluating supplier CRA conformity
  • OT/IoT product manufacturers and industrial automation vendors operating in EU markets
  • Open-source software maintainers whose software is commercialized by third parties (indirect exposure)

Effective Date

2024-12-11