Understanding the Cyber Resilience Act

A plain-language introduction to Regulation (EU) 2024/2847: what it is, who it affects and what obligations it creates.

What is the CRA?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that introduces mandatory cybersecurity requirements for products with digital elements (PDEs) placed on the EU market. It entered into force on 11 December 2024.

The CRA applies throughout the product lifecycle — from design and development through to end of support. It establishes essential security requirements (Annex I), documentation obligations, a vulnerability reporting regime, and conformity assessment procedures. The goal is to ensure that hardware and software products are secure by design and remain secure throughout their supported life.

Who does it apply to?

The CRA applies to any economic operator that:

  • Manufactures products with digital elements and places them on the EU market — including hardware with embedded software and standalone software products
  • Imports products from non-EU manufacturers and places them on the EU market under their own name or trademark
  • Distributes products on the EU market without altering them
  • Acts as an open-source steward, systematically providing free/open-source software intended for commercial use

Non-EU manufacturers who sell products into the EU are fully in scope. They must appoint an authorised representative established in the EU (Article 17).

What is a product with digital elements?

A product with digital elements (PDE) is any software or hardware product, together with its remote data processing solutions, that has a direct or indirect data connection to a device or network. This intentionally broad definition covers:

  • Consumer IoT devices (smart home, wearables, routers)
  • Industrial hardware with network connectivity
  • Standalone software applications (desktop, mobile, server)
  • Operating systems and hypervisors
  • Software components and libraries placed on the market
  • Cloud-connected devices where the manufacturer controls the backend

Certain sectors are partially or fully excluded, including medical devices under MDR/IVDR, motor vehicles under type-approval regulation, civil aviation, and marine equipment.

Key deadlines

11 December 2024 — CRA enters into force

The regulation is legally in effect. Products placed on the market from this date must comply with the CRA once the application dates are reached.

11 September 2026 — Vulnerability reporting obligations apply

Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date.

11 June 2027 — Conformity assessment body notification

Member States must notify conformity assessment bodies to the Commission.

11 December 2027 — Full regulation applies

All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform.


Understand the CRA — EU Cyber Resilience Act overview — CRA-Compliance-Hub