EU Cyber Resilience Act: everything your business needs to know starting in 2026
On December 10, 2024, the European Union’s Cyber Resilience Act (CRA) entered into force. The regulation establishes mandatory cybersecurity requirements for any product with digital components placed on the European market and provides for a 36-month transition period, intended to give stakeholders, particularly small and medium-sized enterprises, time to adapt to the new requirements.
Its phased implementation begins in June and September 2026. The aim is to balance cybersecurity needs against the technical and economic challenges of the regulatory change. The EU Cyber Resilience Act is a milestone in the EU’s strategy to strengthen its digital autonomy and to protect consumers and businesses in a digital environment increasingly exposed to threats.
Approved by the European Parliament and the Council of the EU, the law was published as Regulation (EU) 2024/284 in the Official Journal of the European Union. It amends Regulation (EU) No. 168/2013, Regulation (EU) 2019/1020, and Directive (EU) 2020/1828, establishing a new cyber resilience framework for these products.
The regulation applies in all twenty-seven Member States of the European Union, including Spain, each of which must provide resources to its market surveillance authorities.
Purpose of the Cyber Resilience Act
The Cyber Resilience Act (CRA) establishes common cybersecurity standards for products containing digital components, whether hardware or software, marketed in the EU. Its purpose is to raise the overall level of cybersecurity by ensuring that digital products are designed and developed without vulnerabilities.
The law imposes strict cybersecurity requirements on manufacturers, importers, and distributors to ensure cyber resilience throughout the entire lifecycle of each product, from smart home devices to the more complex operating systems used in critical national infrastructure.
It also aims to help users better understand the cybersecurity of the products they use every day, reducing risk for both companies and their customers.
Areas of application
The EU Cyber Resilience Act will apply to all products with digital components sold on the European market. The products covered include Internet of Things (IoT) devices such as home cameras, refrigerators, televisions, toys, smartwatches, and fitness trackers, as well as antivirus software, wearables, and software-as-a-service (SaaS) solutions.
Certain categories, such as medical devices, vehicles, and open-source software, are excluded because they are already subject to other EU regulations.
Requirements for market participants
Affected products must meet a series of essential cybersecurity requirements. Manufacturers, importers, and distributors must therefore address aspects such as:
- Designing and manufacturing products to minimize vulnerabilities
- Conducting a risk assessment
- Maintaining technical documentation
- Providing the necessary security updates for at least 5 years (unless the product has a shorter market lifespan)
- Affixing the CE marking (European Conformity) to the product
- Having a vulnerability management policy
- Communicating the support period transparently
- Implementing protection mechanisms by design and by default
- Assuming the manufacturer's obligations when placing on the market a substantially modified product or a product marketed under their own name or brand
Products with digital elements will also be classified into three categories: general, to which standard measures apply; important, such as firewalls, antivirus software, and network control systems; and critical, those with a direct impact on the security of strategic infrastructure. Important and critical products must undergo more rigorous conformity assessments, and some will require mandatory European certification.
Implementation deadlines for the Cyber Resilience Act
The regulation will not apply in full until December 11, 2027, although certain provisions, such as vulnerability reporting, take effect in 2026. From June 11, 2026, the provisions on the notification of conformity assessment bodies apply, and from September 11, 2026, the reporting obligations for manufacturers become mandatory.
A 36-month transition period was established so that market actors, especially small and medium-sized enterprises, can adapt to the new requirements. This phased approach balances cybersecurity needs against the technical and economic challenges of complying with the regulatory framework.
The law responds to growing technological dependence and the cyber threats that come with it. By setting security standards from the design phase through to post-sales management, the EU seeks to shield its digital market from cyberattacks and to strengthen its technological sovereignty.
More information: Official Journal of the European Union