The Cyber Resilience Act (CRA) is legislation covering almost all products with software, from embedded systems and IoT to server software, PC software and mobile applications for phones and tablets.

The CRA applies to all digital products sold in the EU, regardless of where the manufacturer, importer or distributor is located. If you sell to customers in the EU, you will be affected by the CRA.

The CRA shifts responsibility for cyber security onto the vendor. The vendor is responsible for security during a product’s lifetime. The CRA mandates free security updates, public disclosure of vulnerabilities and reporting to authorities if a vulnerability is exploited. The legislation enforces a lifecycle process, with cybersecurity being part of the process from design to decommissioning.

The European CE mark, which now also applies to software, indicates compliance with the legislation.