EuroComply

Cyber Resilience Act Compliance in Belgium

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

How does CRA apply in Belgium?

CRA applies in Belgium under EU law with the same obligations as across the bloc — maximum fine €15M or 2.5% of global turnover. The national supervisory authority is the APD/GBA (Autorité de protection des données), which handles enforcement, complaints, and notifications. Deadline: December 11, 2027.

  • Supervisory authority: APD/GBA (Autorité de protection des données)
  • Maximum fine: €15M or 2.5% of global turnover
  • Key deadline: December 11, 2027
  • Sectors affected: Software, IoT

Sectors Affected

Software, IoT, Hardware

What are my CRA obligations in Belgium?

  • Implement security by design
  • Provide security updates for product lifetime
  • Report actively exploited vulnerabilities
  • Maintain technical documentation
  • Conduct conformity assessment

Key CRA Compliance Questions

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (Regulation (EU) 2024/2847) is the European Union's first regulation that directly addresses the cybersecurity of products with digital elements. Before CRA, EU cybersecurity law (NIS2, GDPR) focused on operators and data controllers — not the products themselves. CRA shifts responsibility upstream to manufacturers: any company that designs, develops, or places a product with digital elements on the EU market must ensure that product is secure by design and by default, supported for vulnerabilities throughout its lifecycle, and transparent about known security issues. CRA entered into force on December 10, 2024, with most obligations applying from December 11, 2027. It represents a fundamental change in how software and hardware vendors must approach product security — moving from voluntary best practices to mandatory, auditable requirements backed by significant penalties.

Who must comply with the Cyber Resilience Act?

CRA applies to any manufacturer, importer, or distributor that places a "product with digital elements" on the EU market, regardless of where they are headquartered. This includes:

  • Software vendors: enterprise software, operating systems, browsers, productivity tools, and mobile applications.
  • Hardware manufacturers: IoT devices, routers, smart home products, industrial control systems, network equipment.
  • Embedded software developers: firmware for medical devices (once excluded categories are clarified), industrial automation, connected vehicles in non-EASA/automotive-specific scopes.
  • Importers and distributors: companies that import products from non-EU manufacturers bear CRA obligations if the manufacturer has not designated an EU representative.

Open source software used commercially may also fall within scope unless it meets the "free and open source" exemption criteria. If you sell any connected product — physical or software — into the EU market after December 11, 2027, CRA compliance is mandatory.

What is a "product with digital elements" under CRA?

Article 3 of CRA defines a product with digital elements as "any software or hardware product and its remote data processing solutions, including software or hardware components placed on the market separately." This encompasses a broad range of products:

  • Consumer IoT: smart speakers, home security cameras, connected thermostats, fitness trackers.
  • Industrial/Enterprise: SCADA systems, network switches, routers, firewalls, industrial sensors.
  • Software products: operating systems, security software, virtualization platforms, database software, communication tools.
  • Mobile applications that communicate with a backend service.
  • Cloud-connected devices: any hardware or software that communicates with EU users' data or infrastructure.

Excluded from CRA scope: medical devices (covered under MDR/IVDR), motor vehicles (UN Regulation No. 155), aviation equipment (EASA regulation), and national security/defense equipment. CRA distinguishes between default-class, important-class (Category I), and critical-class (Category II) products — the latter requiring mandatory third-party conformity assessment.

For informational purposes only. This is not legal advice — consult qualified legal counsel.