EU CRA
EU Cyber Resilience Act (Regulation (EU) 2024/2847)
Mandatory cybersecurity requirements for all products with digital elements placed on the EU market, including AI software. Requires security by design, vulnerability handling, incident reporting to ENISA, software bills of materials, and CE marking for market access.
Jurisdiction
European Union
Enacted
Nov 20, 2024
Effective
Dec 11, 2027
Enforcement
National market surveillance authorities; ENISA for vulnerability reporting
Entered into force December 10, 2024. Vulnerability reporting obligations begin September 11, 2026. Full product compliance required by December 11, 2027.
European Commission
Why It Matters
Applies cybersecurity requirements to AI systems as 'products with digital elements.' AI software placed on the EU market must meet security-by-design requirements, maintain vulnerability handling processes, and bear CE marking. Non-compliant products lose EU market access entirely.
Recent Developments
Entered into force December 10, 2024. Vulnerability reporting deadline approaching September 2026. Complements EU AI Act and NIS2 Directive.
At a Glance
Who Must Comply
- Manufacturers of products with digital elements (including AI software)
- Importers and distributors of digital products in the EU
- All entities placing products with digital elements on the EU market
Safety Provisions
- Security by design: security must be addressed during design and development phases
- Vulnerability handling and management processes required
- Incident and vulnerability reporting to ENISA
- Software Bill of Materials (SBOM) generation required
- CE marking required for EU market access
- Security updates throughout product lifecycle
- Technical documentation for conformity assessment
Exemptions
Medical Devices
Medical devices and in vitro diagnostic devices regulated under separate EU frameworks
- Regulated under MDR/IVDR
Motor Vehicles
Motor vehicles and components covered by type-approval regulations
- Regulated under vehicle type-approval framework
National Security/Defense
Products for national security or defense purposes
- Exclusively for national security or defense
Compliance & Enforcement
Key Dates
Sep 11, 2026
Vulnerability and incident reporting obligations to ENISA begin
Dec 11, 2027
Full compliance required: all products with digital elements must meet essential cybersecurity requirements and bear CE marking
Penalties
€15M or 2.5% of revenue (whichever is higher)
Cite This
APA
European Union. (2024). EU Cyber Resilience Act (Regulation (EU) 2024/2847).
Related Regulations
EU GPAI Code
Voluntary code enabling general-purpose AI model providers to demonstrate compliance with EU AI Act GPAI obligations. Three chapters cover transparency (model documentation), copyright compliance, and safety/security for systemic-risk models. Adherence creates legal presumption of conformity.
EU AI Act
World's first comprehensive risk-based regulatory framework for AI systems. Classifies AI by risk level with escalating requirements from prohibited practices to high-risk obligations.
Poland Draft AI Act
Poland's draft law implementing EU AI Act domestically, creating KRiBSI (national AI authority), regulatory sandboxes, and binding opinions mechanism.
FR SREN
France's 2024 "digital space" law strengthening national digital regulation and enforcement levers via ARCOM across platform safety and integrity issues.
DE JuSchG §24a (KidD)
Requires providers of certain telemedia services to implement provider-side precautionary measures ("Vorsorgemaßnahmen") with regulator-facing evaluability via published BzKJ criteria.
Switzerland FADP
Switzerland's revised data protection law with Article 21 automated decision transparency requirements, human review rights, and fines up to CHF 250,000.
Last updated March 23, 2026. Verify against primary sources before relying on this information.