What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a European Union regulation that sets cyber-security requirements for products with digital elements: hardware and software that can be connected, directly or indirectly, to another device or network.
Its obligations fall on the manufacturers, importers and distributors of such products; businesses that use them are affected indirectly, because what they buy must meet the requirements. The aim is that any such product, from a computer or router to management software, meets minimum security requirements when it is placed on the market and keeps receiving security updates throughout its support period.
Who does this regulation affect?
Although the CRA is aimed first at manufacturers of hardware and software, SMEs are also affected if they:
- Develop, sell, import or distribute products with digital elements (hardware or software).
- Provide a remote data-processing service without which such a product cannot perform its functions.
- Rely on third-party software or connected devices, whose suppliers will have to meet the CRA's requirements.
This includes companies across many sectors — from advisory firms or e-commerce businesses to workshops and professional services using digital platforms in their daily operations.
Adaptation deadlines and penalties
The CRA entered into force on 10 December 2024. Most of its obligations apply from 11 December 2027, but the obligation to report actively exploited vulnerabilities and severe security incidents applies earlier, from 11 September 2026.
During this period, SMEs will need to review their IT systems, technology providers and internal procedures so that vulnerabilities are handled and reported properly and products stay protected against attack.
Non-compliance with the essential security requirements can be fined up to €15 million or 2.5 % of total worldwide annual turnover, whichever is higher; lower maximums apply to breaches of other obligations and to supplying incorrect information.
How to prepare now
It is advisable for companies to start as soon as possible with a cyber-security assessment and a review of their contracts with technology providers, checking in particular who is responsible for security updates and for how long.
It is also essential to:
- Document software-update and vulnerability-handling procedures, including how long each product will receive security updates.
- Keep logs and records so that security incidents can be traced and, where required, reported within the deadlines.
- Implement data-protection policies and staff training programmes.
Early planning will reduce costs and risks once the regulation comes into force.