European Union
EU Cybersecurity Laws & Regulations Tracker
The EU Cybersecurity Laws and Regulations Tracker is a dedicated resource that monitors laws and regulations relating to cybersecurity across the European Union. It provides a structured, up-to-date overview of legal instruments, regulatory proposals, and enforcement frameworks that affect businesses, policymakers, and legal professionals.
Designed as a practical reference tool, the tracker organises developments by dates and formulating organisation, enabling users to quickly identify relevant information on cybersecurity reforms. The EU Cybersecurity Laws and Regulations tracker consolidates complex information into an accessible and searchable format, supporting research, compliance planning, and strategic decision-making.
The EU Cybersecurity Laws and Regulations tracker is updated regularly to ensure accuracy and reliability, making it a trusted resource for anyone monitoring the European cybersecurity regulatory environment.
EU Cyber Resilience Act
The EU Cyber Resilience Act is a comprehensive regulation that introduces uniform cybersecurity requirements for digital products and connected services placed on the European market. Its aim is to ensure that hardware and software products are developed, manufactured, and maintained with built-in protections against cyber risks. The EU Cyber Resilience Act fosters greater trust in digital technologies and enhances the resilience of the European Union’s internal market.
The EU Cyber Resilience Act applies to a broad range of products with digital elements, ensuring that manufacturers, importers, and distributors are accountable for compliance. The regulation aims to reduce vulnerabilities, strengthen consumer protection, and establish a consistent framework that supports innovation while safeguarding users.
| Date | Organisation | Further details |
|---|---|---|
| 11 Dec 2027 | Forthcoming (TBC) | Application date. |
| 11 Sep 2026 | Forthcoming (TBC) | Application of manufacturers’ reporting obligations - website. |
| 11 Jun 2026 | Forthcoming (TBC) | Application of Rules on Notification of Conformity Assessment Bodies - website. |
| 13 Mar 2025 | European Commission | On 13 March 2025, the European Commission launched a consultation seeking feedback on implementing regulations that will outline technical descriptions for important and critical products with digital elements under the EU Cyber Resilience Act (CRA). The purpose of the consultation is to define which products may undergo enhanced conformity assessment procedures as stated in Article 32. Stakeholders are required to submit their feedback using the Commission's specified template format. The implementing regulation will provide detailed specifications for the products listed in Annexes III and IV of the Act. The consultation period will be open until 15 April 2025. |
| 10 Dec 2024 | European Union | Entry into force of the Cyber Resilience Act. |
| 20 Nov 2024 | OJEU | Regulation (EU) 2024/2847, known as the EU CRA, has been published in the Official Journal of the European Union (OJEU). The regulation will enter into force on 10 December 2024 and will take effect from 11 December 2027. However, Article 14, which outlines manufacturers' reporting obligations, will take effect on 11 September 2026. Additionally, Chapter IV, concerning the notification of conformity assessment bodies, will take effect on 11 June 2026. |
| 10 Oct 2024 | Council of the EU | The Council of the EU has adopted the EU Cyber Resilience Act. This legislation will apply to all products that are directly or indirectly connected to another device or a network. Its goal is to make it easier for consumers to identify products with appropriate cybersecurity features. The EU CRA will soon be published in the Official Journal of the European Union (OJEU) and will come into effect 20 days after publication. It will then become applicable 36 months after it takes effect, except for certain provisions that will take effect earlier. |
| 17 Apr 2024 | European Commission | The European Commission has published a request for standardization to European Standards Organizations regarding the EU CRA. |
| 12 Mar 2024 | European Parliament | The European Parliament has formally adopted the EU Cyber Resilience Act. The text will have to be approved by the Council of the EU before being adopted and published in the OJEU. |
| 1 Jan 2024 | Council of the EU | The Belgian presidency of the Council of the EU has stated in its program that it will aim to finalize any outstanding work on amending the Cybersecurity Act and the EU Cyber Resilience Act (CRA), as well as conclude efforts on the Cyber Solidarity Act. |
| 20 Dec 2023 | Permanent Representatives Committee (COREPER) of the Council of the EU | COREPER has endorsed the final compromise text, which is subject to formal approval by the European Parliament and the Council of the EU. Refer to the letter sent to the European Parliament by the Council of the EU regarding the CRA. |
| 30 Nov 2023 | Council of the EU and European Parliament | The co-legislators have reached a political agreement on the EU Cyber Resilience Act (CRA). This act standardizes cybersecurity for digital products across the EU, requiring manufacturers to manage the security throughout the lifecycle of products marked with the CE (Conformité Européenne) label. It applies to all products that are connected, either directly or indirectly, to another device or network, as long as they are distributed within the EU. The new rules will take effect three years after the EU CRA is enacted, which is expected to be in the spring or early summer of 2027. For more information, refer to the News Analysis: Political Agreement on the Cyber Resilience Act. |
| 19 Jul 2023 | Permanent Representatives Committee (COREPER) of the Council of the EU | Representatives of the Member States (Coreper) have reached a common position on the proposed EU Cyber Resilience Act (CRA). The Council of the EU's stance largely aligns with the Commission's proposal, highlighting the responsibility of manufacturers, processes for handling vulnerabilities, transparency, and market surveillance. However, the Council's amendments include several changes:
- The scope of the legislation, particularly regarding the specific categories of products that must comply with the regulation's requirements.
- Reporting obligations for actively exploited vulnerabilities or incidents, which would be directed to the competent national authorities (known as Computer Security Incident Response Teams or CSIRTs), rather than the EU Agency for Cybersecurity (ENISA), which will establish a single reporting platform.
- Elements for determining the product lifetime established by manufacturers.
- Support measures for small and micro enterprises.
- A simplified declaration of conformity. |
| 19 Jul 2023 | European Parliament’s Committee | Members of the European Parliament (MEPs) on the Industry, Research and Energy Committee have approved the EU Cyber Resilience Act (CRA). They propose clearer definitions, feasible timelines, and a fairer distribution of responsibilities within the legislation. The draft rules categorize products based on their criticality and the level of cybersecurity risk they pose. MEPs suggest expanding the list of covered products to include identity management systems, password managers, biometric readers, smart home assistants, smartwatches, and private security cameras. They also emphasize that products should receive security updates automatically and separately from functionality updates. Additionally, MEPs voted to begin negotiations with the Council of the EU—a decision that will require approval from the European Parliament during an upcoming plenary session. |
| 23 Jan 2023 | The European Consumer Organisation (BEUC) | The BEUC has released its position paper on the EU Cyber Resilience Act (CRA) proposed by the Commission. They welcome the proposal, as BEUC members have found that many connected products sold in the European market lack even the most basic security features, putting consumers at risk. BEUC supports the introduction of mandatory cybersecurity requirements for manufacturers, distributors, and importers of digital products, as well as their related services. However, they note that the proposal requires significant improvements to ensure it effectively protects consumers and meets its intended purpose. |
| 17 Jan 2023 | MedTech Europe | MedTech Europe has published its feedback on the EU Cyber Resilience Act (CRA) in response to the Commission's request for input. The feedback emphasized that the EU CRA will serve as the cornerstone for cybersecurity across a wide range of connected products entering the EU market. MedTech also urged legislators to ensure that the EU CRA is aligned with all other relevant existing legislation, including the principles of the New Legislative Framework and the ‘Blue Guide’ regarding the implementation of EU Product Rules for 2022. |
| 10 Nov 2022 | European Data Protection Supervisor (EDPS) | The European Data Protection Supervisor (EDPS) has published its opinion on the proposed Cyber Resilience Act. In its response, the EDPS welcomed the regulation and emphasized the importance of the EU’s General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. The EDPS highlighted the need for an appropriate level of security in the processing of personal data by both controllers and processors. Additionally, it stressed that data protection principles should be integrated into the technologies developed for processing personal data. The EDPS made a strong recommendation to include the principles of data protection by design and by default as essential components of the proposed requirements. Furthermore, it urged for greater clarity regarding the relationship between the proposed regulation and existing EU data protection laws. |
| 17 Oct 2022 | Council of the EU | The Council of the EU has announced that Member States have approved conclusions aimed at enhancing the security of the EU’s information and communication technologies (ICT) supply chains. These conclusions outline various actions, including the strengthening of public procurement processes and the development of foreign direct investment screening frameworks. They also highlight how existing and forthcoming legislation, such as the proposed revision of the Network Information Security Directive, the Cybersecurity Act, and the proposed EU Cyber Resilience Act, can bolster ICT supply chain security. Member States emphasized the importance of incorporating cybersecurity-related criteria in public procurement and urged the Commission to issue guidelines that promote attention to the cybersecurity practices of bidders and their subcontractors. Additionally, there is a call for the establishment of an ICT Supply Chain Sandbox. |
| 19 Sep 2022 | European Commission | The European Commission has launched a feedback period on its proposed implementation of the EU Consumer Rights Act (CRA), which aims to safeguard consumers and businesses across the EU from digital products with inadequate security features. Feedback can be submitted until midnight Brussels time on January 23, 2023. |
| 15 Sep 2022 | European Commission | The European Commission has released a proposal for a European Union Cybersecurity Regulation (EU CRA), aimed at safeguarding consumers and businesses throughout the EU from digital products with inadequate security features. The objective of the EU CRA is to create uniform security standards for products and software that include a digital component. This new proposal complements the existing cybersecurity framework established by the NIS Directive and the EU Cybersecurity Act. It is designed to address market demands and shield consumers from insecure products and services by imposing cybersecurity requirements that manufacturers and retailers must adhere to throughout the entire product lifecycle. The proposed regulation outlines a framework of cybersecurity requirements that cover the planning, design, and development phases of products, along with a duty of care obligation throughout the product's lifecycle. Once the regulation comes into effect, internet-connected software and products will be marked with the CE symbol to demonstrate compliance with the new standards. Companies that fail to comply with the EU CRA may face fines of up to €15 million or 2.5% of their global turnover, whichever is greater. |
| 25 May 2022 | MedTech Europe | MedTech Europe has released its response to the European Commission’s request for input regarding an impact assessment on the proposal for a Regulation concerning horizontal cybersecurity requirements for digital products and associated services (the EU CRA). MedTech emphasizes the need for public initiatives to tackle the significant cybersecurity shortfall within public healthcare institutions, recommending the establishment of comprehensive organizational and targeted cybersecurity strategies. |
| 16 Mar 2022 | European Commission | The European Commission has launched a consultation regarding the EU Cyber Resilience Act (EU CRA). This initiative aims to address market demands and safeguard consumers from insecure products and services by establishing cybersecurity requirements that manufacturers and vendors must adhere to. The EU CRA will enhance the current cybersecurity framework, which includes the Directive on the Security of Network and Information Systems and the Cybersecurity Act. In 2020, the EU introduced its cybersecurity strategy for the digital decade, promoting the development of new overarching rules for connected products and their related services sold in the internal market. Furthermore, the EU CRA will work alongside the Delegated Regulation of 29 October 2021 under the Radio Equipment Directive by introducing streamlined cybersecurity requirements that span a diverse array of digital products and their associated services. This encompasses both tangible and digital products (both wireless and wired) as well as non-embedded software, covering their entire life cycle. The consultation period will conclude on 25 May 2022. |
EU Cyber Solidarity Act
The EU Cyber Solidarity Act is a legislative initiative designed to strengthen the Union’s collective resilience against large-scale cyber incidents. It establishes mechanisms for cooperation, preparedness, and coordinated responses among Member States, with a focus on protecting critical infrastructure and digital services. The Act promotes information sharing, testing, and joint exercises across borders. It sets out clear structures for prevention, detection, and crisis response. The Cyber Solidarity Act contributes to a more reliable and secure digital environment across the EU, supporting both public institutions and private sector operators.
| Date | Organisation | Further details |
|---|---|---|
| 4 Feb 2025 | European Union | Entry into force and application of Regulation (EU) 2025/38. |
| 15 Jan 2025 | OJEU | Regulation (EU) 2025/38, known as the EU Cyber Solidarity Act, has been published in the Official Journal of the European Union (OJEU). This regulation will take effect on February 4, 2025. |
| 2 Dec 2024 | Council of the European Union | The Council of the EU has officially adopted the EU Cyber Solidarity Act. This legislative act will take effect 20 days following its publication in the Official Journal of the European Union (OJEU). Also see the amendment concerning managed security services in the EU Cybersecurity Act. |
| 24 Apr 2024 | European Parliament | The European Parliament has officially adopted the EU Cyber Solidarity Act. For it to become law, the text still needs formal approval from the Council of the EU. |
| 6 Mar 2024 | European Parliament and Council of the EU | The European Parliament and the Council of the EU have come to a preliminary agreement on the Cyber Solidarity Act. This agreement will need approval from both the Council and the European Parliament before it can be formally adopted. See official press release. |
| 20 Dec 2023 | Council of the European Union | The Council of the EU has adopted its position on the EU Cyber Solidarity Act. This common position will enable the incoming presidency of the Council to engage in negotiations with the European Parliament regarding the final version of the proposed legislation. |
| 8 Dec 2023 | Council of the European Union | The Belgian presidency of the Council of the EU states in its agenda that it aims to finalise the outstanding tasks related to the amendment of the Cybersecurity Act and the Cyber Resilience Act, as well as to complete the discussions on the Cyber Solidarity Act. |
| 7 Dec 2023 | European Parliament’s Committee | The Industry, Research and Energy Committee of the European Parliament has adopted its position on the Cyber Solidarity Act, which aims to enhance the EU's capacity to detect, prepare for, and respond to cybersecurity threats and incidents. This proposal aims to enhance the EU's overall awareness of cyber threats, strengthen preparedness and response measures, and promote European technological independence in the field of cybersecurity. Members of the European Parliament emphasised the need for increased resilience among small and medium-sized enterprises, microenterprises, and startups, while also advocating for better cooperation between Member States and the private sector. The Act's goals will be pursued through the establishment of a pan-European network of Security Operations Centres, as well as the introduction of a new Cyber Energy Mechanism and a European Cybersecurity Incident Review Mechanism. |
| 8 May 2023 | European Cybersecurity Competence Centre | The European Cybersecurity Competence Centre has officially opened its new headquarters on the campus of the Polytechnic University in Bucharest, Romania. This Centre is dedicated to fostering innovation and shaping industrial policy in the realm of cybersecurity. It will also spearhead various EU cybersecurity initiatives and oversee projects related to Security Operations Centres. This effort is part of the Commission's broader strategy to create a European Cyber Shield, which aligns with the proposed EU Cyber Solidarity Act. Additionally, the Centre will work in collaboration with a network of National Coordination Centres to establish a robust ecosystem that promotes cybersecurity innovation and competitiveness throughout the EU. |
| 20 Apr 2023 | European Commission | The Commission has initiated a consultation regarding the EU Cyber Solidarity Act. This consultation will conclude on June 19, 2023. |
| 18 Apr 2023 | European Commission | The European Commission has adopted a proposal for the EU Cyber Solidarity Act, designed to enhance cybersecurity capabilities throughout the EU. This legislation aims to improve the detection, preparation, and response to major or large-scale cybersecurity incidents by establishing a European Cybersecurity Shield alongside a robust Cyber Emergency Mechanism. The Commission detailed that the Cyber Emergency Mechanism will facilitate: —preparedness initiatives —the establishment of a new EU Cybersecurity Reserve —financial support for collaborative assistance. |