Cyber Resilience Act

Cyber Resilience Act

Status: In force. Applies from 11 December 2027. However, Article 14 applies from 11 September 2026 and Chapter IV (Articles 35 to 51) applies from 11 June 2026.

EUR-Lex-link: Adopted and published version, including other language versions, can be found here.

Full name: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)

Type: Regulation

Objective and key elements:

  • Setting horizontal baseline for security in the internal market
  • Increasing the overall level of cybersecurity of all products with digital elements by introducing essential cybersecurity requirements for such products
  • Security updates to be made available for at least 5 years
  • Reporting obligations in case of security incidents
  • Possibility to recall products not fulfilling the requirements

Relevant to: Manufacturers, importers, and distributors of products and software including digital elements (excluding services, such as SaaS and certain specifically regulated products (e.g. cars)).

Documents (old versions):

  • Text adopted by the Parliament, link
  • The Council’s proposed amendments on 13 July 2023, link
  • Commission proposal published on 15 September 2022, link

(Last updated 27 October 2025)