The EU Cyber Resilience Act (CRA) imposes cybersecurity and vulnerability management requirements on digital products. While exemptions apply, products such as laptops, smartphones, and smart home gadgets will likely be covered.
In an article for the IAPP, Mayer Brown Partner Ana Bruder examines the key requirements of the CRA, including ensuring products are designed to meet cybersecurity standards, delivered free of known vulnerabilities, and equipped with robust security measures. Manufacturers must actively identify and address vulnerabilities, provide timely security updates at no charge, and have a policy for vulnerability disclosure to enhance transparency and user awareness.
The CRA will soon be published in the Official Journal and take effect 20 days later. Reporting obligations will start 21 months after the act's enforcement, likely in summer 2026, with additional provisions following 36 months later, around autumn 2027.
What is this page?
You are reading a summary article on the Privacy Newsfeed, a free resource for DPOs and other professionals with privacy or data protection responsibilities helping them stay informed of industry news all in one place. The information here is a brief snippet relating to a single piece of original content or several articles about a common topic or thread.