The CRA establishes cybersecurity rules for digital products sold in the EU, covering smart devices, routers, software and industrial systems.
It requires continuous security measures and imposes fines up to €15 million or 2.5 % of turnover in case of non‑compliance. These rules apply to manufacturers, importers, distributors and non‑EU companies selling to the EU market, unless sector‑specific regulations apply. The CRA entered into force on 10 December 2024, with its main obligations applying from 11 December 2027.
The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.