The Cyber Resilience Act mandates manufacturers of hardware and software to test products for vulnerabilities before market placement and throughout the lifecycle, and to promptly fix any discovered vulnerabilities.
92% confidence
Other | European Union
Omissions
The claim does not specify that the obligations apply to 'products with digital elements' rather than all hardware and software generically, though in practice this covers virtually all connected hardware and software.
The claim does not mention the phased enforcement timeline — the CRA entered into force on 10 December 2024, with full obligations applying from 11 December 2027, though vulnerability reporting obligations apply from 11 September 2026.
Sources
Primary | EUR-Lex — Regulation (EU) 2024/2847
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements. The regulation sets out essential cybersecurity requirements in Annex I: Part I covers security properties of products — including that products be made available without known exploitable vulnerabilities; Part II covers vulnerability handling requirements — including identification, documentation, remediation without delay, regular testing and reviews throughout the product lifecycle, and public disclosure of fixed vulnerabilities.
Primary | European Commission — Shaping Europe's Digital Future
The CRA requires manufacturers to handle vulnerabilities during the lifecycle of their products. It mandates that products with digital elements be designed, developed and produced to ensure an appropriate level of cybersecurity, and that manufacturers put in place vulnerability handling processes throughout the product lifecycle.