
Cyber Resilience Act
The Cyber Resilience Act aims to raise the overall level of cybersecurity of products with digital elements placed on the EU market and to protect the consumers and businesses that purchase or use such products. The Act creates new mandatory cybersecurity obligations for manufacturers, importers, and distributors of covered hardware and software products, addressing their increasing exposure to cyberattacks and other cyberthreats throughout the product lifecycle.
What does this mean?
- Hardware and software products need to be adequately secured against cybersecurity vulnerabilities throughout their lifecycle, e.g., by ensuring that risks are considered in the design, production and maintenance of the products. Each stage of a product’s value chain has to meet specific obligations and security updates are mandatory at regular intervals by default.
- Before being placed on the market, products must undergo a conformity assessment. Depending on their criticality and the level of cybersecurity risk they pose, this is either a more rigorous examination by a notified body or a lighter assessment process, typically managed internally by the manufacturer. Products covered by the Act bear the CE marking.
- To increase transparency, the Act imposes reporting requirements on manufacturers and distributors, requiring, for example, that the European Union Agency for Cybersecurity (ENISA) be notified when an exploited vulnerability or an incident becomes known that could negatively affect the security of the product.
- Manufacturers and distributors of products with digital elements need to give the end customers information on the cybersecurity of the products and instructions on how to keep the products secure.
Who?
- The Act applies to manufacturers, importers, and distributors of products with digital elements. However, there are specific exclusions relating, e.g., to open-source software, national security and defense products, and services that are already regulated by existing rules (such as medical devices, aviation, and cars).
Consequences
- Member States shall adopt rules on effective, proportionate and dissuasive penalties applicable to infringements of the Cyber Resilience Act. Under the Act, sanctions for non-compliance include administrative fines; for non-compliance with the essential cybersecurity requirements, for example, these can be up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
- Monitoring and enforcement are the responsibility of competent national authorities in each Member State.
Timeline
- The Act entered into force on 10 December 2024. The main obligations will apply from 11 December 2027. However, some obligations will apply from 11 June 2026 or 11 September 2026.
- National implementation of the Act is ongoing in both Finland and Sweden. The Finnish Government has submitted a proposal for national legislation supplementing the Act.
Last updated 15 January 2026.