The European Union Cyber Resilience Act Enters into Force
The European Union Cyber Resilience Act (the CRA), which significantly changes cybersecurity requirements for products with digital components, entered into force on December 10, 2024. This regulation aims to enhance the security of digital products and introduces new obligations for manufacturers, distributors, and importers.
The CRA covers a wide range of products with digital elements, including smart home devices, wearable technologies, industrial control systems, software applications, and hardware components. It emphasizes that all such products must meet stringent cybersecurity standards.
Manufacturers are expected to remediate vulnerabilities and integrate secure design principles into their product development processes for at least five years, or the product's life span, if shorter. Furthermore, they must prepare comprehensive documentation on cybersecurity measures and report critical vulnerabilities or incidents to the European Union Agency for Cybersecurity (ENISA) within 24 hours. Importers and distributors, on the other hand, are obligated to verify that products comply with these standards, keep necessary documentation up to date, and inform relevant authorities of any non-compliance or security issues.
The CRA mandates that products undergo a conformity assessment to demonstrate compliance with essential cybersecurity requirements. Stricter rules will apply to high-risk products, and the CE marking will indicate compliance. National market surveillance authorities, responsible for enforcing the CRA, will conduct regular inspections and sweeps. Non-compliance could result in severe penalties, including fines of up to EUR 15 million or 2.5% of the previous fiscal year's global annual turnover.
The serious incident notification obligations under the CRA will commence in September 2026, while most other obligations will take effect in December 2027. During this period, companies are advised to assess the CRA’s implications, review and update their existing cybersecurity measures, renew product documentation, and train their teams to comply with the new requirements.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.