The CRA is not a mere recommendation: it is a European legislative revolution. For the first time, legal responsibility for IT security rests with the manufacturer.

1. Why does the CRA change everything?

The Cyber Resilience Act (CRA) is the first legislative framework at the European level that imposes mandatory cybersecurity rules for products with digital elements. Unlike previous directives, the CRA is a directly applicable regulation.

Note: 90% of connected software and hardware products fall under this legislation.

2. The Triptych of Compliance

To obtain the required CE marking, companies must validate three pillars:

  • Cybersecurity by design: No more security added as an afterthought.
  • SBOM: Full transparency on open-source components.
  • ENISA Reporting: Vulnerability reporting within 24 hours.

"Lack of compliance is no longer an option. Fines can paralyze a company in a single regulatory decision."

3. Implementation Timeline

The rollout is gradual:

  • Late 2025: Publication of harmonized standards.
  • 2026: Start of reporting obligations.
  • December 2027: Full application and sales ban for non-certified products.