From https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act.
What is the European Cyber Resilience Act (CRA)?
The European Cyber Resilience Act is a legal framework that describes the cybersecurity requirements for hardware and software products placed on the market of the European Union. Manufacturers are now obliged to take security seriously throughout a product's life cycle.
Before the European Cyber Resilience Act, the various acts and initiatives taken at Union and national levels only partially addressed the identified cybersecurity related problems and risks, creating a legislative patchwork within the internal market.
This patchwork increased legal uncertainty for both manufacturers and users of those products, and added an unnecessary burden on companies, which had to comply with a number of requirements for similar types of products.
The cybersecurity of these products has a particularly strong cross-border dimension, as products manufactured in one country are often used by organisations and consumers across the entire internal market.
Two major problems are addressed:
1. The low level of cybersecurity of products with digital elements, reflected by widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.
2. Users' insufficient understanding of, and access to, information, preventing them from choosing products with adequate cybersecurity properties or using them in a secure manner.
Under certain conditions, all products with digital elements integrated in or connected to a larger electronic information system can serve as an attack vector for malicious actors.
As a result, even hardware and software considered as less critical can facilitate the initial compromise of a device or network, enabling malicious actors to gain privileged access to a system or move laterally across systems.