Skip to main content

The EU Cyber Resilience Act (CRA)

Are You Ready?

CRA is a new piece of regulation that aims to ensure lifetime security and resilience against cyber threats for all products with digital elements. All manufacturers that sell their products in the EU market are responsible for their product's security throughout its lifetime, including 3rd party components, maintenance, documentation and official assessments.​

Pick a CRA Topic to Learn More*

CRA_webinar2 (1)

Webinar

What the CRA Requirements Mean for You

Cybersecurity is no longer optional - it’s becoming a legal requirement. The CRA is reshaping how products with digital elements that are sold in the EU market are designed, developed, and maintained. With compliance deadlines fast approaching, now is the time to understand what’s required and how to get prepared.

Watch the recording of Qt Group’s webinar from May 28, for tangible examples of what the CRA means for your business - and what you can do today to stay ahead.


Watch the Webinar

Recent CRA Blog Posts

Qt Early Warning List Now Available for Commercial Customers

Qt customers with a commercial license now have the opportunity to sub...

Read more

Qt Group Authorized as a CVE Numbering Authority (CNA) by the CVE Program

Qt Group has been authorized by the Common Vulnerabilities and Exposur...

Read more

Qt 6.8 Software Bill of Materials

TL;DR: The binary packages of Qt 6.8 or later in the Qt Online install...

Read more

CRA Timeline

December 10, 2024

CRA entered into
force

First announced in September 2021, the CRA was proposed by the European Commission on 15 September 2022 to complement the existing EU cybersecurity framework, including the NIS and NIS 2 directives, and EU cybersecurity act. Followed by negotiations and a provisional agreement between the co-legislators in 2023, the Council of the EU adopted the Cyber Resilience Act in December 2024.

September 11, 2026

Reporting requirements apply

The obligations concerning vulnerability reporting will be applied as from September 11th, 2026 - that's 21 months after the entry into force.

NOTE! This applies to all covered products on the EU market at that date, not just those placed on the market for the first time.

December 11, 2027

Full CRA requirements apply

All essential CRA requirements will be applied with a transition period of 36 months. That is, as from December 11th, 2027, all covered products placed on the EU market for the first time must be designed, developed, produced, and maintained in accordance with the essential cybersecurity requirements of the regulation. 

* The information contained on this page and this website does not constitute legal advice. It is provided for informational purposes and discussion of the subject matter only. Content is subject to change and The Qt Group does not guarantee the accuracy or currentness of the contents of this page nor is The Qt Group responsible for the content or operation of any external website that these pages link to—or that may link to—these pages. The information contained here is not, and should not be used as, a substitute for legal advice.