CRA-CYBER-RESILIENCE-ACT
CRA Cyber Resilience Act compliance regulation modern detailed.
Définition
CRA (Cyber Resilience Act) est l'EU Regulation 2024/2847 publie 20 novembre 2024 (entry into force 11 decembre 2024, application 11 decembre 2027 except reporting obligations 11 septembre 2026) qui impose cybersecurity requirements toutes products with digital elements (PDEs) placed on EU market (~hardware + software produits IoT + apps + games + smart home + industrial + medical devices except deja regules NIS2 + DORA + Medical Devices Reg + aviation + cars), incluant secure-by-design + secure-by-default + vulnerability handling + 24/7/365 24-hour incident notification + 5 ans support coverage minimum. Detail technique + scope d'application + obligations conformite + sanctions non-conformite + processus reporting + impact entreprises in-scope + alignement avec regulations adjacentes nationales + internationales + governance + supervisory authorities + timeline implementation + transitions + jurisprudence + best practices documentation industry adoption.
Origine
EU Regulation 2024/2847 CRA published 20 novembre 2024 ; entry into force 11 decembre 2024 ; application 11 decembre 2027 ; reporting obligations 11 septembre 2026.
Exemple en contexte
Smart home device manufacturer Philips Hue sells smart lightbulbs in EU : CRA compliance 2027+ requires (1) Conformity assessment via internal control or notified body (depending product class default standard + critical CRA Annex III), (2) CE marking with cybersecurity assessment, (3) Vulnerability handling + monthly security updates + 5-year minimum support, (4) Actively exploited vulnerability report ENISA within 24 hours discovery + incident report 72 hours, (5) Software Bill of Materials SBOM publication + maintenance.
Termes liés
- NIS2 Directive detail — related cybersecurity regulation.