The European Union’s Cyber Resilience Act (CRA) is one of the most sweeping global cybersecurity regulations for digital products, imposing secure‑by‑design requirements and ongoing security obligations. Its broad scope captures virtually any software or hardware that connects to a network, and its penalties and regulatory enforcement powers are steep, making the CRA a material operational and financial risk for any company placing connected products in the E.U. “Important” and “critical” products face even tighter controls. With obligations phasing in from June 2026 to December 2027, and mandatory vulnerability reporting beginning September 11, 2026, companies must begin preparations now. In this guest article, Akin senior counsel Rita Heimes and Jenny Arlington outline the CRA’s core requirements and the five priority steps international businesses should take to remain compliant and operational in the E.U. See our two-part series on cybersecurity obligations in the E.U.’s Digital Laws: “AI Act, CRA and NIS2” (Sep. 4, 2024), and “Data Act, DORA and Compliance Steps” (Sep. 11, 2024).
