The Cyber Resilience Act (CRA) is EU Regulation 2024/2847, which establishes mandatory cybersecurity requirements for "products with digital elements" (hardware and software that connect to devices or networks) placed on the EU market. The CRA entered into force in December 2024, with full applicability by December 2027. It requires manufacturers to ensure products are secure by design, to maintain vulnerability management throughout the product lifecycle, to provide security updates, and to report actively exploited vulnerabilities. Products are classified by risk level (critical, important, or default), and higher-risk products require third-party conformity assessment. The CRA applies to most software, including AI systems and their components; it intersects with the EU AI Act (which addresses AI-specific risks) and requires SBOM-like documentation of components. Open source software developed outside a commercial activity is generally exempt, though commercial products that incorporate open source remain in scope.
See: EU AI Act; Security; Supply chain security; Vulnerability / CVE