Cyber Resilience Act

Call now Email now

What is the Cyber Resilience Act?

Dutch term: Cyber Resilience Act (CRA) | Legal basis: Regulation (EU) 2024/2847

The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is an EU regulation imposing cybersecurity requirements on products with digital elements, including hardware and software, placed on the EU market. It applies to manufacturers, importers and distributors and follows the CE marking approach of the New Legislative Framework.

Products must meet essential cybersecurity requirements covering vulnerability handling, security updates, secure default configurations, and protection of data. Manufacturers must carry out a conformity assessment, draw up technical documentation, and provide security updates for the expected product lifetime (minimum five years). The CRA applies from late 2027 for most products, with earlier deadlines for reporting obligations.

Why it matters for international businesses

For IoT manufacturers, software companies and industrial equipment producers, the CRA adds a cybersecurity layer to the existing product compliance framework that must be integrated with CE marking, GPSR and sector-specific requirements.

Related pages: product compliance law firm, Dutch law firm guide, glossary of Dutch legal terms.

Last reviewed: April 17, 2026 by MAAK Advocaten N.V.

General conditions [PDF's]:

Legal information:

Opening hours:

  • Monday 8am - 7pm
  • Tuesday 8am - 7pm
  • Wednesday 8am - 7pm
  • Thursday 8am - 7pm
  • Friday 8am - 7pm
  • Saturday - closed
  • Sunday - closed

Contact information:


Registrations:

Address:

Kraanspoor 34
1033 SE AMSTERDAM
the Netherlands

Useful links:

© 2023 - 2026, MAAK Advocaten N.V., law firm in the Netherlands · Legal information