European Union: Entry into force with grace period of Cyber Resilience Act including cybersecurity requirements for products with digital elements

Description

Entry into force with grace period of Cyber Resilience Act including cybersecurity requirements for products with digital elements

On 10 December 2024, the Cyber Resilience Act entered into force with a grace period. The Cyber Resilience Act aims to enhance the cybersecurity of products with digital elements by establishing uniform cybersecurity requirements across the EU. The regulation applies to all products with digital elements, including hardware and software, that are placed on the EU market, excluding those covered by specific existing regulations like medical devices and motor vehicles. Manufacturers must ensure that their products meet essential cybersecurity requirements throughout their lifecycle, from design to disposal. This includes conducting risk assessments, handling vulnerabilities, and providing secure updates. Under the Act, member States must designate market surveillance authorities to ensure compliance and enforce the regulation. Non-compliance with the regulation can result in administrative fines of up to EUR 15'000'000 or 2.5% of global annual turnover, whichever is higher. The main obligations introduced by the Act will apply from 11 December 2027.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
cross-cutting
Implementation Level
supranational
Government Branch
executive
Government Body
central government

Complete timeline of this policy change

Hide details
2022-03-16
in consultation

On 16 March 2022, the European Commission launched a public consultation for the Cyber Resilience A…

2022-05-25
processing consultation

On 25 May 2022, the European Commission closed the public consultation for the Cyber Resilience Act…

2022-09-15
under deliberation

On 15 September 2022, the European Commission introduced a proposal for the "Cyber Resilience Act" …

2023-07-19
under deliberation

On 19 July 2023, the Council of the European Union reached a common position on the proposed Cybers…

2023-11-30
under deliberation

On 30 November 2023, the Council of the European Union and the European Parliament reached a common…

2024-03-12
under deliberation

On 12 March 2024, the European Parliament adopted the text provisionally agreed on the regulation r…

2024-10-10
adopted

On 10 October 2024, the Council of the EU adopted the regulation on Cybersecurity Requirements for …

2024-12-10
in grace period

On 10 December 2024, the Cyber Resilience Act entered into force with a grace period. The Cyber Res…

2026-06-11
in force

On 11 June 2026, Regulation 2024/2847 on horizontal cybersecurity requirements for products with di…

2026-09-11
in force

On 11 September 2026, Regulation 2024/2847 concerning horizontal cybersecurity requirements for pro…

2027-12-11
in force

On 11 December 2027, Regulation 2024/2847 on horizontal cybersecurity requirements for products wit…