Insight · Connected products
The EU Cyber Resilience Act
For years, software and connected hardware entered the European market with no baseline cybersecurity law attached to the product itself. The Cyber Resilience Act closes that gap. It treats security as a condition of sale, and it reaches manufacturers wherever they are based, including companies that ship into the EU from the United States.
What it is
A product-security law, not a privacy law
The Cyber Resilience Act, Regulation (EU) 2024/2847, sets mandatory cybersecurity requirements for products with digital elements placed on the EU market. That phrase is deliberately broad: it covers software and hardware that connects, directly or indirectly, to a device or network. A smart appliance, an operating system, a mobile app, and a piece of enterprise software can all fall inside it.
It sits alongside the GDPR rather than replacing any part of it. Where the GDPR governs personal data, the Cyber Resilience Act governs the security of the product. A single connected device can be subject to both at once.
Who it applies to
The primary duty-holder is the manufacturer, meaning whoever develops or produces the product and markets it under their own name. Importers and distributors carry their own verification duties. Critically, the obligation follows the market, not the company's location. A U.S. developer that makes a product available in the EU is a manufacturer for these purposes, the same as a company established in a member state.
The Regulation also distinguishes ordinary products from designated categories of higher-risk products, which face stricter conformity assessment. Most everyday software and devices fall into the standard tier, but the classification is worth confirming early, because it drives how much external assessment a product needs.
Key dates and obligations
The Regulation entered into force in 2024, and its obligations phase in over the years that follow rather than all at once. The reporting duties for actively exploited vulnerabilities and severe incidents apply first, ahead of the full set of product requirements. Companies planning EU sales should treat the timeline as already running rather than distant.
- Security by design and by default across the product lifecycle
- Shipping without known exploitable vulnerabilities
- Providing security updates for a defined support period
- Reporting actively exploited vulnerabilities and severe incidents to the relevant authority within tight deadlines
- A coordinated vulnerability disclosure policy
- Technical documentation and, in most cases, CE marking to demonstrate conformity
Enforcement carries administrative fines set as a proportion of worldwide annual turnover, in line with the EU's other digital-rulebook instruments. The practical exposure is not only financial: a non-conforming product can be restricted or withdrawn from the market.
How it connects to Privello's work
For a company entering the EU, the Cyber Resilience Act is one more instrument that has to be mapped against a product before it ships, alongside the GDPR, the ePrivacy rules, and the wider digital rulebook. The questions overlap: what data does the product handle, where does it go, and what obligations attach to putting it on the market. Privello helps companies see those obligations together rather than in isolation, as part of a structured market-entry assessment.
Begin
Map the Cyber Resilience Act against your product
If you sell connected hardware or software into the EU, tell us what you are shipping. We will outline where the Regulation lands and how it fits the wider compliance picture.