What are the next steps?

Once the proposal is formally adopted and enters into force in 2024, economic operators and Member States will have 36 months to adapt to the new requirements.

An exception to this rule is the reporting obligation on manufacturers for actively exploited vulnerabilities and incidents, which would apply 21 months from the entry into force, since they require fewer organisational adjustments than the other new obligations.

To make it easier for manufacturers – in particular for those that build important products – to apply the essential requirements, the Commission will issue a standardisation request, allowing the European Standardisation Organisations to develop technical standards for many of the product categories covered by the Cyber Resilience Act.

The Commission will periodically review the Cyber Resilience Act and report on its functioning.