The Cyber Resilience Act (CRA) is legislation covering almost all products with software, from embedded systems and IoT to server software, and from PC software to mobile applications for phones and tablets.
The CRA will likely come into force for all products sold in the EU, regardless of where the manufacturer, importer or distributor is located. If you sell to customers in the EU, you will be affected by the CRA.
The CRA will shift responsibility for cyber security onto the vendor, who becomes responsible for security during a product’s lifetime. The CRA mandates free security updates, public disclosure of vulnerabilities and reporting to authorities if a vulnerability is exploited.