The EU Cyber Resilience Act (CRA) introduces cybersecurity requirements for products with digital elements placed on the EU market. It covers hardware and software products, including components placed separately on the market, and establishes expectations across the product lifecycle - from secure design and development to vulnerability handling, security updates, and user transparency throughout the support period and the time the product is expected to be in use.
u-blox helps customers understand how cybersecurity regulations may affect connected products and provides public technical guidance, product documentation, and educational resources across wireless and positioning technologies.
The CRA applies broadly to products and components with digital elements made available on the EU market, including hardware and software products that process digital data and are intended, or can reasonably be expected, to connect directly or indirectly to another device or network.
Examples commonly associated with the CRA scope include connected devices, embedded systems, and other digital products that form part of a larger connected solution.
Certain product categories are addressed under other EU frameworks and may be excluded fully or partially from the CRA scope, including areas such as motor vehicles, medical devices, civil aviation, and marine equipment.
The CRA entered into force on 10 December 2024.
From 11 September 2026, reporting obligations relating to actively exploited vulnerabilities and severe incidents begin to apply.
The CRA becomes fully applicable on 11 December 2027.
Because some obligations begin before full applicability, manufacturers should not treat December 2027 as the first time that action is needed. Early preparation is important for product planning, documentation, vulnerability handling, and lifecycle support readiness.
