Brussels Byte logo Brussels Byte

Cyber Resilience Act Adopted: Hardware Gets a Security Upgrade

35 min read

The EU’s Cyber Resilience Act, adopted in late 2024, introduces a paradigm shift for any product with digital elements. For the first time, manufacturers of everything from smart doorbells to industrial control systems are legally obligated to embed cybersecurity across the entire product lifecycle.

The regulation imposes mandatory vulnerability reporting to EU cybersecurity agency ENISA within 24 hours of exploitation, and requires manufacturers to provide free security updates for the product’s expected lifespan—a minimum of five years. This marks a decisive move away from the industry’s historical pattern of shipping insecure code and patching it later.

For the open-source community, an intense lobbying effort secured a carve-out for non-commercial contributors, though the boundaries remain a point of contention. The compliance timeline is steep, with reporting obligations applying by mid-2026. Manufacturers must now integrate "security by design" into their hardware roadmaps, a process that will fundamentally alter supply chain contracts and product development cycles.

← All articles