
Cyber Resilience Act Reaches Beyond the European Union

The European Union's Cyber Resilience Act (CRA) will become legally binding on December 20, 2024. It is part of a suite of new cybersecurity regulations for the EU, including the NIS2 Directive and updated rules for EU institutions. These laws are set to reshape the digital landscape, mandating stronger security measures for hardware, software, and critical infrastructure.

This law has particular implications for those utilizing older operating systems and code bases. The CRA mandates that all products with digital elements, regardless of the age of their underlying technology, must meet stringent cybersecurity requirements before entering the EU market. This regulation forces a shift in product development, emphasizing security as a fundamental aspect of design and functionality.

There are thousands of connected digital products on the market, with more coming out every day, many now featuring AI. The CRA will have a major impact on companies producing and selling these products in the EU market. Of particular note is the requirement for manufacturers to ensure product security throughout the entire lifecycle. This includes a minimum five-year period post-sale during which vulnerabilities must be effectively addressed.

The Act also introduces mandatory cybersecurity risk assessments for all products. This process will likely expose vulnerabilities in older operating systems and code, potentially necessitating substantial updates, redesigns, or even the discontinuation of certain products unable to meet the new standards.

The CRA was passed in the EU, but it will have far-reaching implications. It is the first global regulation to establish comprehensive security requirements for product market entry. As the GDPR did for data privacy, the CRA is likely to set new international benchmarks for cybersecurity practices. Companies worldwide, regardless of their location, will need to comply with the new standards if they wish to sell their products in the EU market. Some manufacturers may opt to universally adopt these practices rather than create different versions of their products for different markets, effectively expanding the CRA's coverage. This could extend the Act's impact beyond mere compliance, potentially reshaping the global approach to digital security.

The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers.
