The European Union has published Regulation (EU) 2024/2847, the Cyber Resilience Act, establishing horizontal cybersecurity requirements for products with digital elements.
In the final text, it’s stated that “this Regulation should apply from 11 December 2027, with exception of the reporting obligations concerning actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements, which should apply from 11 September 2026 and of the provisions on notification of conformity assessment bodies, which should apply from 11 June 2026.“
The regulation mandates compliance with essential cybersecurity requirements, including vulnerability management, secure product lifecycle design, and CE marking for market access. This applies to a wide range of products, including telecom equipment, consumer electronics, and data networking devices. Manufacturers must ensure that technical documentation, labeling, and user manuals reflect these requirements.
The regulation impacts product certification processes, requiring updated internal procedures, harmonized technical standards, and enhanced post-approval measures such as security updates throughout the product lifecycle. Market surveillance authorities are tasked with ensuring compliance through inspections, further emphasizing the need for manufacturers to maintain updated documentation, such as software bills of materials (SBOMs).
Key timelines and obligations highlight the importance of preparing for conformity assessments and addressing market entry compliance. Products must meet cybersecurity standards before placement on the EU market, with specific conformity assessments required for high-risk categories such as smart home devices and critical infrastructure equipment. Stakeholders involved in product compliance and certification should take immediate action to align with these updated and new requirements to ensure uninterrupted market access.
Full regulation from the OJEU can be found in the attached file.
Impact on Type Approval and Market Access Requirements? – Yes
Impact on Imports, Customs, Trade, or Market Surveillance? – Yes
Impact on Spectrum Management? – No
Impact on Technical Standards? – Yes