The Cyber Resilience Act (CRA) is a horizontal EU regulation—adopted in October 2024—that defines obligations for a supplier in making available products with digital elements (PDEs) in the Single Market. Each PDE placed on the market from 11 December 2027 must comply with the essential cybersecurity requirements of the CRA, and the manufacturer must provide vulnerability support for the PDE throughout its expected lifetime.
EIM welcomes the CRA and the fundamental shift in the paradigm of digital security that it brings with it in the EU—the current level of cybersecurity of PDEs is low and needs to be increased to reduce cyber risks in the sector. The CRA covers the entire life cycle of the product—from planning, design, development or production, testing, maintenance, up to its decommissioning.
Despite being horizontal legislation that applies across many sectors, the CRA contains specific provisions recognising that certain PDEs must comply with sector-specific legislation (such as technical specifications for interoperability (TSIs)) and, as a result, may need to depart from some of the CRA’s essential requirements. To that end, it establishes clear mechanisms that accommodate such situations.
Furthermore, as stated in its preamble, the CRA aims to complement the legal framework established by the NIS2 Directive by ensuring that hardware and software products used by infrastructure managers meet certain essential cybersecurity requirements.
