Robust cybersecurity measures are becoming increasingly important in software design and development. Cyber threats continue to evolve and become more sophisticated, requiring governments to take action to safeguard vulnerable digital infrastructure.
Over the past decade, several significant cyberattacks have occurred across the public and private sectors. These include the WannaCry ransomware attack in 2017, which infected more than 200,000 computers in around 150 countries, and the 2021 Kaseya VSA attack, in which attackers exploited vulnerabilities in remote monitoring and management software to push ransomware through managed service providers to an estimated 1,500 downstream businesses. These incidents (and others) underscored the need for a systemic solution, so the Cyber Resilience Act was developed.
This blog post provides a top-level overview of the EU Cyber Resilience Act, who it will impact, what happens if businesses don’t comply, and when it will be implemented.
What is the EU Cyber Resilience Act?
The Cyber Resilience Act (CRA) is an EU regulation (Regulation (EU) 2024/2847) that requires manufacturers of products with digital elements to meet its essential cybersecurity requirements before they can place those products on the market in EU member states.
The CRA is designed to protect consumers and businesses buying hardware and software products that include a digital component. This covers hardware products such as smartphones, tablets, smart home devices, computers and laptops, as well as software products such as mobile apps and, where they are placed on the market as products, cloud or remote data processing components of a product.
The Cyber Resilience Act addresses insufficient cybersecurity measures in products and delays in security updates for software and hardware. It establishes mandatory cybersecurity requirements for manufacturers, importers and distributors, covering the planning, design, development and maintenance of these products. It also requires manufacturers to handle vulnerabilities effectively and to provide security updates throughout a defined support period, which must reflect the time the product is expected to be in use and must be at least five years unless the product is expected to be used for less than that.
→ Access the Cyber Resilience Act in all official EU languages
Who is impacted by the Cyber Resilience Act?
While the CRA covers a broad range of areas, its primary focus is on manufacturers of products with digital elements, hardware and software alike. However, it will impact organisations throughout the supply chain.
The Cyber Resilience Act places obligations on three categories of economic operator:
- Manufacturers must ensure their products comply with the essential requirements, carry out a conformity assessment, draw up technical documentation and an EU declaration of conformity, affix the CE mark, and handle vulnerabilities and security updates for the support period.
- Distributors need to verify that the products bear the CE mark and that the manufacturer and importer have met their obligations, such as providing the required information and instructions.
- Importers are responsible for making sure that only products that meet CRA requirements (and carry the CE mark) are made available on the EU market.
When will the Cyber Resilience Act be implemented?
The Cyber Resilience Act entered into force on December 10, 2024. Manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from September 11, 2026, and the remaining obligations, including the essential requirements and CE marking, apply from December 11, 2027.
Cyber Resilience Act Enforcement and Penalties: What Businesses Need to Know
EU member states will designate market surveillance authorities to enforce the Cyber Resilience Act. These national authorities will coordinate at EU level with the European Commission and ENISA to ensure the CRA is being observed.
Penalties include products being withdrawn or recalled from the market. Fines are tiered: up to €15 million or 2.5% of total worldwide annual turnover (whichever is higher) for breaching the essential requirements or the core manufacturer obligations, up to €10 million or 2% for other obligations under the act, and up to €5 million or 1% for supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities.
How Codethink can help
Ultimately, the Cyber Resilience Act requires manufacturers to integrate stringent cybersecurity measures into the design, development and deployment of software-enabled digital products. It also requires these products to maintain that level of security from release to end of support, with regular security updates.
Codethink specialises in delivering secure and maintainable software systems, which aligns with the Cyber Resilience Act's requirements. Codethink's experience in software development and design for safety-critical industries helps manufacturers bring digital products to market while satisfying regulatory requirements.
Get in touch!
Interested in how Codethink can help your business with the Cyber Resilience Act?