European Commission Releases Draft Guidance for Cyber Resilience Act

The European Commission has opened a feedback period for its draft guidance on the Cyber Resilience Act (CRA), after the delay of the deadline. This move is designed to help businesses navigate new security standards for digital products. 

“With today’s guidelines, the Commission supports the effective application of the Cyber Resilience Act.” said Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy for the official site of the European Commission. 

She has emphasized that the guidelines are a vital step in securing everything from baby monitors to smartwatches, ensuring that all digital elements entering the EU market are resilient against cyber threats.

The draft provides critical clarity on the scope of the rules, specifically targeting the needs of microenterprises and small-to-medium-sized businesses. Key focus areas include the management of remote data processing, the treatment of free and open-source software, and the definition of mandatory “support periods” for products. Additionally, the guidance addresses how the CRA interacts with existing EU legislation to prevent regulatory overlap.

Stakeholders have until March 31 to provide input, allowing the Commission to align these rules with real-world market challenges. While the CRA officially entered into force on December 10, 2024, the timeline for compliance is staggered. Companies must prepare for reporting obligations starting September 11, 2026, while the broader technical requirements will become mandatory on December 11, 2027. This initiative arrives alongside a wider cybersecurity package proposed earlier this year to further bolster the EU’s digital defences.

Add a comment

Leave a Reply