The Cyber Resilience Act is an EU regulation that requires many products with digital elements to meet cybersecurity rules before they are sold. It applies to things like software, firmware, connected devices, and some products that depend on manufacturer-controlled online services. The core idea is that security must be built into the product, not added later as a voluntary feature.
In practice, the CRA matters because it links market access to measurable security controls. Vendors may need secure-by-design defaults, vulnerability handling processes, long-term update support, and documentation that proves how risks are managed. If an actively exploited flaw appears, the reporting clock can force rapid notification and follow-up. For defenders, that means software inventories, SBOMs, dependency tracking, and incident playbooks become compliance tools. For attackers, weak default passwords, exposed update systems, and poor patch management are exactly the kinds of gaps the regulation is meant to reduce.