Cyber Resilience Act

About

Recitals

Chapter I – General provisions (Art. 1-12)
Art. 1CRA - Subject matter
Art. 2CRA - Scope
Art. 3CRA - Definitions
Art. 4CRA - Free movement
Art. 5CRA - Procurement or use of products with digital elements
Art. 6CRA - Requirements for products with digital elements
Art. 7CRA - Important products with digital elements
Art. 8CRA - Critical products with digital elements
Art. 9CRA - Stakeholder consultation
Art. 10CRA - Enhancing skills in a cyber resilient digital environment
Art. 11CRA - General product safety
Art. 12CRA - High-risk AI systems
Chapter II – Obligations of economic operators and provisions in relation to free and open-source software (Art. 13-26)
Art. 13CRA - Obligations of manufacturers
Art. 14CRA - Reporting obligations of manufacturers
Art. 15CRA - Voluntary reporting
Art. 16CRA - Establishment of a single reporting platform
Art. 17CRA - Other provisions related to reporting
Art. 18CRA - Authorised representatives
Art. 19CRA - Obligations of importers
Art. 20 CRA - Obligations of distributors
Art. 21CRA - Cases in which obligations of manufacturers apply to importers and distributors
Art. 22 CRA - Other cases in which obligations of manufacturers apply
Art. 23 CRA - Identification of economic operators
Art. 24CRA - Obligations of open-source software stewards
Art. 25CRA - Security attestation of free and open-source software
Art. 26CRA - Guidance
Chapter III – Conformity of the product with digital elements (Art. 27-34)
Art. 27CRA - Presumption of conformity
Art. 28CRA - EU declaration of conformity
Art. 29CRA - General principles of the CE marking
Art. 30 CRA - Rules and conditions for affixing the CE marking
Art. 31CRA - Technical documentation
Art. 32CRA - Conformity assessment procedures for products with digital elements
Art. 33CRA - Support measures for microenterprises and small and medium-sized enterprises, including start-ups
Art. 34CRA - Mutual recognition agreements
Chapter IV – Notification of conformity assessment bodies (Art. 35-51)
Art. 35CRA - Notification
Art. 36CRA - Notifying authorities
Art. 37CRA - Requirements relating to notifying authorities
Art. 38CRA - Information obligation on notifying authorities
Art. 39CRA - Requirements relating to notified bodies
Art. 40 CRA - Presumption of conformity of notified bodies
Art. 41CRA - Subsidiaries of and subcontracting by notified bodies
Art. 42CRA - Application for notification
Art. 43CRA - Notification procedure
Art. 44CRA - Identification numbers and lists of notified bodies
Art. 45CRA - Changes to notifications
Art. 46CRA - Challenge of the competence of notified bodies
Art. 47CRA - Operational obligations of notified bodies
Art. 48CRA - Appeal against decisions of notified bodies
Art. 49CRA - Information obligation on notified bodies
Art. 50CRA - Exchange of experience
Art. 51CRA - Coordination of notified bodies
Chapter V – Market surveillance and enforcement (Art. 52-60)
Art. 52CRA - Market surveillance and control of products with digital elements in the Union market
Art. 53CRA - Access to data and documentation
Art. 54CRA - Procedure at national level concerning products with digital elements presenting a significant cybersecurity risk
Art. 55CRA - Union safeguard procedure
Art. 56CRA - Procedure at Union level concerning products with digital elements presenting a significant cybersecurity risk
Art. 57 CRA - Compliant products with digital elements which present a significant cybersecurity risk
Art. 58 CRA - Formal non-compliance
Art. 59CRA - Joint activities of market surveillance authorities
Art. 60 CRA - Sweeps
Chapter VI – Delegated powers and committee procedure (Art. 61-62)
Art. 61CRA - Exercise of the delegation
Art. 62 CRA - Committee procedure
Chapter VII – Confidentiality and penalties (Art. 63-65)
Art. 63CRA - Confidentiality
Art. 64CRA - Penalties
Art. 65CRA - Representative actions
Chapter VIII – Transitional and final provisions (Art. 66-71)
Art. 66CRA - Amendment to Regulation (EU) 2019/1020
Art. 67CRA - Amendment to Directive (EU) 2020/1828
Art. 68 CRA - Amendment to Regulation (EU) No 168/2013
Art. 69CRA - Transitional provisions
Art. 70CRA - Evaluation and review
Art. 71CRA - Entry into force and application
Annexes
Art. Annex I CRA - Essential cybersecurity requirements
Art. Annex II CRA - Information and instructions to the user
Art. Annex IIICRA - Important products with digital elements
Art. Annex IVCRA - Critical products with digital elements
Art. Annex VCRA - EU declaration of conformity
Art. Annex VI CRA - Simplified EU declaration of conformity
Art. Annex VII CRA - Content of the technical documentation
Art. Annex VIIICRA - Conformity assessment procedures

Chapter VIII – Transitional and final provisions (Art. 66-71)

Art. 66 CRA – Amendment to Regulation (EU) 2019/1020
In Annex I to Regulation (EU) 2019/1020, the following point is added:

‘72. Regulation (EU) 2024/2847 of the European Parliament and of the Council^(*1).

^{(*1) Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj).}
Art. 67 CRA – Amendment to Directive (EU) 2020/1828
In Annex I to Directive (EU) 2020/1828, the following point is added:

‘69. Regulation (EU) 2024/2847 of the European Parliament and of the Council^(*2).

^{(*2) Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj).}
Art. 68 CRA – Amendment to Regulation (EU) No 168/2013
In Part C1, in the table, of Annex II to Regulation (EU) No 168/2013 of the European Parliament and of the Council⁽³⁸⁾, the following entry is added:

‘

16

18

protection of vehicle against cyberattacks

x

x

x

x

x

x

x

x

x

x

x

x

x

x

’.

^{(38) Regulation (EU) No 168/2013 of the European Parliament and of the Council of 15 January 2013 on the approval and market surveillance of two- or three-wheel vehicles and quadricycles (OJ L 60, 2.3.2013, p. 52).}
Art. 69 CRA – Transitional provisions
1. EU type-examination certificates and approval decisions issued regarding cybersecurity requirements for products with digital elements that are subject to Union harmonisation legislation other than this Regulation shall remain valid until 11 June 2028, unless they expire before that date, or unless otherwise specified in such other Union harmonisation legislation, in which case they shall remain valid as referred to in that legislation.

2. Products with digital elements that have been placed on the market before 11 December 2027 shall be subject to the requirements set out in this Regulation only if, from that date, those products are subject to a substantial modification.

3. By way of derogation from paragraph 2 of this Article, the obligations laid down in Article 14 shall apply to all products with digital elements that fall within the scope of this Regulation that have been placed on the market before 11 December 2027.
Art. 70 CRA – Evaluation and review
1. By 11 December 2030 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. Those reports shall be made public.

2. By 11 September 2028, the Commission shall, after consulting ENISA and the CSIRTs network, submit a report to the European Parliament and to the Council, assessing the effectiveness of the single reporting platform set out in Article 16, as well as the impact of the application of the cybersecurity-related grounds referred to Article 16(2) by the CSIRTs designated as coordinators on the effectiveness of the single reporting platform as regards the timely dissemination of received notifications to other relevant CSIRTs.
Show Related Recitals
- Recital CRA 125
  The Commission should periodically evaluate and review this Regulation, in consultation with relevant stakeholders, in particular with a view to determining the need for modification in the light of changes to societal, political, technological or market conditions. This Regulation will facilitate the compliance with supply chain security obligations of entities that fall within the scope of Regulation (EU) 2022/2554 and Directive (EU) 2022/2555 that use products with digital elements. The Commission should evaluate, as part of that periodic review, the combined effects of the Union cybersecurity framework.
Art. 71 CRA – Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. This Regulation shall apply from 11 December 2027.

However, Article 14 shall apply from 11 September 2026 and Chapter IV (Articles 35 to 51) shall apply from 11 June 2026.
Show Related Recitals
- Recital CRA 126
  Economic operators should be provided with sufficient time to adapt to the requirements set out in this Regulation. This Regulation should apply from 11 December 2027, with exception of the reporting obligations concerning actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements, which should apply from 11 September 2026 and of the provisions on notification of conformity assessment bodies, which should apply from 11 June 2026.

Chapter VII – Confidentiality and penalties (Art. 63-65)

Annexes

AI

Proposal

Final

Consumer & E-commerce

Proposal

Final

Cybersecurity

Proposal

Final

Data

Proposal

Final

Digital Privacy

Proposal

Final

Digital Services

Proposal

Final

Cyber Resilience Act

About

Chapter VIII – Transitional and final provisions (Art. 66-71)