CRA – Bootlin

The EU’s new Cyber Resilience Act (CRA) sets out a comprehensive framework of cybersecurity requirements for products with digital elements. While most of its provisions will apply starting December 11, 2027, certain obligations—most notably, reporting duties for manufacturers—will kick in earlier, on September 11, 2026.

In a previous blog post, we offered an overview of the CRA and its broader context. In this article, we’re narrowing the focus to a key actor in the CRA’s ecosystem: the manufacturer. We’ll explore what qualifies someone as a manufacturer under the regulation, and what responsibilities that role carries under the new law.

Continue reading “Cyber Resilience Act (CRA) – Obligations for manufacturers”

The Cyber Resilience Act (CRA) was adopted by the European Council on October 10, 2024. It was then published in the Official journal of the EU on November 20, 2024 and enters into force today, December 10, 2024. Most of the law will start applying in 3 years, on December 11, 2027.

However, the obligation for manufacturers to report any actively exploited vulnerability or any security incident impacting the security of their product to ENISA will apply from September 11, 2026.
The other parts of the law that will start applying from June 11, 2026 apply to the member states and specify the details of setting up the administrative entities that will assess conformity with the CRA.

At Bootlin, we have been paying close attention to this topic for several reasons. First, the CRA will affect a large number of our clients, as almost every embedded device sold in the EU will need to comply with it. Second, the CRA also affects us directly, for instance as the maintainer of Snagboot.

This post is therefore the first in a series that will present our understanding of the CRA, and clearly lay out what one needs to have in mind in order to be confident of one’s compliance on time.

Continue reading “Cyber Resilience Act (CRA) – overview”