Cyber Resilience Act

Title	Cyber Resilience Act – Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements
	Pending legislation

The Cyber Resilience Act (CRA) is an EU regulation proposed on 15 September 2022 by the European Commission for improving cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements in the EU, such as required incident reports and automatic security updates.^[1] Products with digital elements mainly are hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network".^[2]

After publication of the draft proposal, multiple open source organizations criticized CRA for creating a "chilling effect on open source software development".^[3] The European Commission reached political agreement on the CRA on 1 December 2023, after a series of amendments.^[4] The revised bill introduced the "open source steward", a new economic concept, and received relief from many open source organizations due to its exception for open-source software,^[5] while Debian criticized its effect on small businesses and redistributors.^[6] The CRA agreement received formal approval by the European Parliament in March 2024.^[7] As of 20 May 2024^[update], it still requires formal adoption by the Council before being enforced.^[8]

^ "Cyber Resilience Act | Shaping Europe's digital future". digital-strategy.ec.europa.eu. 15 September 2022. Retrieved 17 May 2023.
^ Cite error: The named reference briefing was invoked but never defined (see the help page).
^ Cite error: The named reference crunch was invoked but never defined (see the help page).
^ "Commission welcomes political agreement on Cyber Resilience Act". European Commission. 1 December 2023. Retrieved 22 March 2024.
^ Cite error: The named reference listened was invoked but never defined (see the help page).
^ Cite error: The named reference debianstatement2023dec was invoked but never defined (see the help page).
^ "Cyber Resilience Act: MEPs adopt plans to boost security of digital products | News | European Parliament". www.europarl.europa.eu. 12 March 2024. Retrieved 23 March 2024.
^ European Parliament (20 May 2024), "Horizontal cybersecurity requirements for products with digital elements", Legislative Train Schedule, retrieved 4 June 2024

[cra-1] "Cyber Resilience Act | Shaping Europe's digital future". digital-strategy.ec.europa.eu. 15 September 2022. Retrieved 17 May 2023.

[briefing-2] Cite error: The named reference briefing was invoked but never defined (see the help page).

[crunch-3] Cite error: The named reference crunch was invoked but never defined (see the help page).

[4] "Commission welcomes political agreement on Cyber Resilience Act". European Commission. 1 December 2023. Retrieved 22 March 2024.

[listened-5] Cite error: The named reference listened was invoked but never defined (see the help page).

[debianstatement2023dec-6] Cite error: The named reference debianstatement2023dec was invoked but never defined (see the help page).

[7] "Cyber Resilience Act: MEPs adopt plans to boost security of digital products | News | European Parliament". www.europarl.europa.eu. 12 March 2024. Retrieved 23 March 2024.

[8] European Parliament (20 May 2024), "Horizontal cybersecurity requirements for products with digital elements", Legislative Train Schedule, retrieved 4 June 2024

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]