European Union: Implemented Regulation 2024/2847 amending the Cyber Resilience Act (2020/1828) including reporting obligations of manufacturers

On 11 September 2026, Regulation 2024/2847 concerning horizontal cybersecurity requirements for products with digital components, which amends Regulations (EU) No 168/2013 and (EU) No 2019/1020 as well as the Cyber Resilience Act (2020/1828), enters into force. The aforementioned EU Regulation (2024/2847) pertaining to the Cyber Resilience Act aspires to enhance the cybersecurity framework for products with digital components by establishing uniform cybersecurity requirements across the European Union. The regulation is applicable to all products featuring digital elements, including both hardware and software, that are made available on the EU market, with the exception of those regulated under specific existing legislation, such as medical devices and motor vehicles. Manufacturers are mandated to report actively exploited vulnerabilities and significant incidents to the relevant authorities, facilitated by a reporting platform managed by the European Union Agency for Cybersecurity (ENISA). Furthermore, member states are required to appoint market surveillance authorities to oversee compliance and enforce the regulation. These authorities are empowered to conduct surveillance activities and coordinated efforts to verify compliance and address instances of non-compliance. Non-compliance with the regulation may result in administrative fines reaching up to EUR 15,000,000 or 2.5% of the global annual turnover, whichever amount is greater.