On October 14, 2024, the European Commission adopted a new regulation on cybersecurity requirements for products with digital elements, ensuring they are safe before being placed on the market. This includes routers, smart home products, firewall systems, and smartcards. The regulation guarantees that digital products, such as Internet of Things (IoT) devices, are secure throughout their supply chain and lifecycle.

The Cyber Resilience Act (CRA) was published in the EU Official Journal on November 20, 2024. Regulation EU 2024/2847 establishes EU-wide cybersecurity requirements for the hardware and software’s design, development, production, and market availability.

Products covered by the CRA, including software and hardware, will display the CE mark to demonstrate compliance with the regulation’s standards. The CE mark, recognized in the European Economic Area (EEA) and Türkiye, signifies compliance with safety, health, and environmental protection requirements and standards.

Accreditation is vital in implementing the Cyber Resilience Act by ensuring that Conformity Assessment Bodies (CABs) seeking notification (Notified Bodies) are competent, impartial, and trustworthy. CABs verify that in the case of the CRA, hardware, and software products – listed as important and critical – meet the regulation’s cybersecurity requirements, enabling manufacturers to apply the CE marking. This harmonized approach enhances trust across EU Members, lifts trade barriers, reduces redundant certifications, and ensures products are secure throughout their lifecycle.

The regulation shall apply from 11 December 2027. The requirements on Notified Bodies shall apply from 11 June 2026.

Click here to read the regulation and here for further information on the European Commission’s website.