{"id":7267,"date":"2024-10-04T07:47:18","date_gmt":"2024-10-04T07:47:18","guid":{"rendered":"https:\/\/haavind.no\/techinsight-new\/?post_type=tech-insight&#038;p=7267"},"modified":"2026-03-10T17:15:15","modified_gmt":"2026-03-10T17:15:15","slug":"cyber-resilience-act","status":"publish","type":"tech-insight","link":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/","title":{"rendered":"Cyber Resilience Act"},"content":{"rendered":"\t<div class=\"template-tech-insight alignwide has-media wp-block-dekode-hero\">\n\t\t<div class=\"hero__inner\">\n\t\t\t<div class=\"hero__inner_blocks\">\n\t\t\t\t\n<h1 class=\"wp-block-post-title\">Cyber Resilience Act<\/h1>\n\n<p class=\"t2-ingress wp-block-t2-ingress\"><em>Regulation 2024\/2847 on horizontal cybersecurity requirements for products with digital elements<\/em><\/p>\n\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<div class=\"hero__image\">\n\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"460\" height=\"352\" src=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg\" class=\"attachment-ultra size-ultra\" alt=\"\" srcset=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg 460w, https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1-300x230.jpg 300w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/>\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\n\n<div class=\"haavind-tech-info alignleft wp-block-haavind-tech-info\">\n\t\t\t<div class=\"haavind-tech-info__categories\">\n\t\t\t\t<h4>Category<\/h4>\n\t\t\t\t\n\t\t\t<div class=\"t2-post-dynamic-part is-source-term term-tech-insight-category haavind-tech-meta__category wp-block-t2-post-dynamic-part\"><a href=\"https:\/\/haavind.no\/techinsight\/cybersecurity\/\" class=\"t2-post-dynamic-part__term\" rel=\"tag\">Cybersecurity<\/a><\/div>\n\t\t\t<\/div>\n<div class=\"haavind-tech-info__blocks\">\n<h3 
class=\"wp-block-heading\" id=\"h-status\">Status<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-eu\"><strong>EU<\/strong><\/h4>\n\n\n\n<p>Date of application in the EU: 11 December 2027.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-eea\"><strong>EEA<\/strong><\/h4>\n\n\n\n<p>Pending. The Commission has marked the proposal as EEA-relevant.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"h-norway\"><strong>Norway<\/strong><\/h4>\n\n\n\n<p>Pending.<\/p>\n<\/div>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"h-scope\">Scope<\/h2>\n\n\n\n<p>The proposal aims to enhance the functioning of the internal market by introducing EU-wide cybersecurity requirements for the design, development, production and making available on the market of hardware and software products.<br><br>The Regulation will apply to all manufacturers, representatives, importers and distributors of products with digital elements. Products with digital elements encompass in principle any software or hardware that is connected, directly or indirectly, to another device or to a network (including laptops, sensors and cameras, industrial control systems, mobile applications, CPU units, and software libraries).<br><br>There are some exceptions for products for which cybersecurity requirements are already set out in existing rules, such as medical devices, aeronautical products and cars.<br><br>In addition to crucial cybersecurity requirements, the Regulation will impose obligations on economic operators and introduce provisions for conformity assessment, notification to conformity assessment bodies, and market surveillance. 
Users of products with digital elements are also required to provide market surveillance authorities with the name and address of any economic operator who has supplied them with a product with digital elements 10 years following such supply.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-relevance\">Relevance<\/h2>\n\n\n\n<p>The objective of the proposal is to address deficiencies, clarify connections, and enhance the overall coherence of existing cybersecurity legislation. Most hardware and software products are not subject to cybersecurity requirements, even though vulnerabilities in embedded software are often targeted in cybersecurity attacks.<br><br>The regulation aims to ensure the security of products with digital components, such as &#8216;Internet of Things&#8217; (IoT) products, across the entire supply chain and throughout their lifespan, which will affect the businesses of manufacturers, importers and distributors alike.<br><br>While the regulation is not applicable before 11 December 2027, the reporting and notification obligations are applicable from 11 September 2026.<br><br>On 12 January 2026, the Norwegian government published its intent to implement the regulation, indicating enforcement will occur on 11 December 2027. The Norwegian Communications Authority will be the supervisory authority.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-key-obligations\">Key obligations<\/h2>\n\n\n\n<p>Products with digital elements can be made available on the EU market only where they meet the essential cybersecurity requirements, such as cybersecurity proportionate to risks, no known exploitable vulnerabilities at launch, and a secure-by-default configuration. Products must, for instance, enable timely security updates (automatic by default), protect against unauthorized access, and ensure confidentiality, integrity, and minimization of data usage. 
Further, products must be fit to ensure essential functions post-incident, minimize attack surfaces, mitigate exploitation impacts, and provide logging and secure data deletion capabilities for users. New requirements related to identification and mitigation of vulnerabilities in open source components are also introduced.<br><br>Products must undergo a conformity assessment prior to being placed on the market, resulting in a CE-mark. In addition, businesses must prepare and maintain specified technical documentation related to the product. Products that are considered important (such as identity control systems) or critical (such as smart cards) are subject to stricter conformity assessments and requirements.<br><br>The regulation also imposes new notification and reporting obligations. An actively exploited vulnerability must be notified within 24 hours, with a follow-up within 72 hours. A final report must be provided within 14 days after a corrective or mitigating measure is available. There are also reporting obligations for &#8220;severe&#8221; incidents, and the notification obligation may apply towards the supervisory authority, users of products and the European Union Agency for Cybersecurity.<\/p>\n\n\n\n<p><strong>Note: <\/strong>Under the Digital Omnibus Proposal, a single EU-wide entry point for incident reporting will be established by ENISA (the European Union Agency for Cybersecurity). 
The unified reporting portal will also apply to entities covered under the CRA.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Date of application in the EU (Regulation 2024\/2847)<\/p>\n","protected":false},"featured_media":7662,"menu_order":0,"template":"","meta":{"tech-insight-date":"2027-12-11T09:43:46","footnotes":""},"tech-insight-category":[92],"tech-insight-jurisdiction":[83,84],"tech-insight-status":[86,96],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v24.2 (Yoast SEO v24.2) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cyber Resilience Act - Haavind Tech Insight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyber Resilience Act\" \/>\n<meta property=\"og:description\" content=\"Date of application in the EU (Regulation 2024\/2847)\" \/>\n<meta property=\"og:url\" content=\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/\" \/>\n<meta property=\"og:site_name\" content=\"Haavind Tech Insight\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-10T17:15:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"460\" \/>\n\t<meta property=\"og:image:height\" content=\"352\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/\",\"url\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/\",\"name\":\"Cyber Resilience Act - Haavind Tech Insight\",\"isPartOf\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg\",\"datePublished\":\"2024-10-04T07:47:18+00:00\",\"dateModified\":\"2026-03-10T17:15:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#primaryimage\",\"url\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg\",\"contentUrl\":\"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg\",\"width\":460,\"height\":352,\"caption\":\"Cityscape on dark blue background with bright glowing neon. 
Technology city background\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/haavind.no\/techinsight\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cyber Resilience Act\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/haavind.no\/techinsight\/#website\",\"url\":\"https:\/\/haavind.no\/techinsight\/\",\"name\":\"Haavind Tech Insight\",\"description\":\"Stay ahead with our digital roadmap of EU Tech regulations\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/haavind.no\/techinsight\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Cyber Resilience Act - Haavind Tech Insight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/","og_locale":"en_US","og_type":"article","og_title":"Cyber Resilience Act","og_description":"Date of application in the EU (Regulation 2024\/2847)","og_url":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/","og_site_name":"Haavind Tech Insight","article_modified_time":"2026-03-10T17:15:15+00:00","og_image":[{"width":460,"height":352,"url":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/","url":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/","name":"Cyber Resilience Act - Haavind Tech Insight","isPartOf":{"@id":"https:\/\/haavind.no\/techinsight\/#website"},"primaryImageOfPage":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#primaryimage"},"image":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#primaryimage"},"thumbnailUrl":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg","datePublished":"2024-10-04T07:47:18+00:00","dateModified":"2026-03-10T17:15:15+00:00","breadcrumb":{"@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#primaryimage","url":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg","contentUrl":"https:\/\/haavind.no\/content\/uploads\/sites\/5\/2024\/10\/Cyber-Resilience-Act-460x352-1.jpg","width":460,"height":352,"caption":"Cityscape on dark blue background with bright glowing neon. 
Technology city background"},{"@type":"BreadcrumbList","@id":"https:\/\/haavind.no\/techinsight\/tech-insight\/cyber-resilience-act\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/haavind.no\/techinsight\/"},{"@type":"ListItem","position":2,"name":"Cyber Resilience Act"}]},{"@type":"WebSite","@id":"https:\/\/haavind.no\/techinsight\/#website","url":"https:\/\/haavind.no\/techinsight\/","name":"Haavind Tech Insight","description":"Stay ahead with our digital roadmap of EU Tech regulations","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/haavind.no\/techinsight\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7267"}],"collection":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight"}],"about":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/types\/tech-insight"}],"version-history":[{"count":16,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7267\/revisions"}],"predecessor-version":[{"id":8050,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight\/7267\/revisions\/8050"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/media\/7662"}],"wp:attachment":[{"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/media?parent=7267"}],"wp:term":[{"taxonomy":"tech-insight-category","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-category?post=7267"},{"taxonomy":"tech-insight-jurisdiction","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json\/wp\/v2\/tech-insight-jurisdiction?post=7267"},{"taxonomy":"tech-insight-status","embeddable":true,"href":"https:\/\/haavind.no\/techinsight\/wp-json
\/wp\/v2\/tech-insight-status?post=7267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}