The EU Cyber Resilience Act (CRA) entered into force in December 2024, and the provisions on notification of Conformity Assessment Bodies (Notified Bodies) start to apply from June 2026. It is expected that a sufficient number of Notified Bodies will be available and operational before December 2026.
The EU Cyber Resilience Act aims to ensure the safety of all digital products from cyber threats. It requires that devices and software are designed, updated, and maintained to protect users in our increasingly digital world.
The main obligations introduced by the Act will take effect on 11 December 2027, with reporting obligations taking effect as of 11 September 2026. Therefore, all products with digital elements placed on the EU market must comply with CRA requirements before they can be lawfully placed on the market. This includes completing the appropriate conformity assessment procedure and CE marking.
The implementation of the CRA in several regards is still challenging, for instance, the absence of harmonised (product) standards.
There are several activities by the European Commission and ENISA in this context.
EA is organizing, with the European Commission and ENISA, an online workshop on the CRA. The workshop will take place on 30 March 2026 from 15:00 – 17:00 (CEST) and is open to EA National Accreditation Bodies.
You can find more information about conformity assessment in the context of the EU Cyber Resilience Act on the European Commission’s website here.
EA has published a directory of National Accreditation Bodies that intend to offer accreditation of verifiers for EU CBAM.
The references of the “EN ISO 20387:2020 Biotechnology – Biobanking – General requirements for biobanking” are published in the Official Journal of the EU as of 23 February 2026.
