Cyber Resilience Act
| European Union regulation | |
|---|---|
| Text with EEA relevance | |
| Title | Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) |
| Made by | European Parliament, EU Council |
| Made under | Treaty on the Functioning of the European Union, and in particular Article 114 thereof |
| Journal reference | OJ L, 2024/2847, 20.11.2024 |
| History | |
| Date made | 23 October 2024 |
| Entry into force | 12 November 2024 |
| Applies from | 11 December 2027 |
| Current legislation | |
The Cyber Resilience Act (CRA) is an EU regulation for improving cybersecurity and cyber resilience through common cybersecurity standards for products that have digital elements. For example, it requires incident reports and automatic security updates. Digital elements are mainly hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network".
The European Commission proposed the CRA on 15 September 2022. Subsequently, multiple FLOSS organizations criticized the CRA for creating a "chilling effect on open source software development". After a series of amendments, the European Commission reached political agreement on the CRA on 1 December 2023. The revised bill includes an exception for open-source software. This was welcomed by many open-source organizations, though Debian criticized its effect on small businesses and redistributors. The revised bill also introduced the "open source steward", a new economic concept. The European Parliament formally approved the CRA in March 2024. It was adopted by the Council on 10 October 2024.