The Cyber Resilience Act and post-quantum cryptography

The EU Cyber Resilience Act (CRA), officially known as Regulation (EU) 2024/2847, is a multi-institution effort by the European Union. Proposed in 2022 and applicable from the end of 2024, it was the world’s first comprehensive piece of legislation to set mandatory cybersecurity standards for products with digital elements.

In line with the NIS Co-operation Group and ENISA, the CRA pushes manufacturers towards ‘security by design’, ‘state-of-the-art’ practice and crypto agility. It’s a key piece of legislation, particularly as the quantum clock is ticking.

On June 23, 2025, the EU also released its co-ordinated roadmap aligning with the CRA. Within the framework of cyber resilience in the EU, the roadmap highlights:

Product support. Products released after the full enforcement of the CRA (2027) should support quantum-safe firmware updates by default.

Inventorying. Manufacturers are expected to keep and maintain a CBOM (Cryptographic Bill of Materials) to help rapid migration.

PQC transition timeline. High-risk use cases should be quantum-secure by the end of 2030, followed by full migration of all systems from quantum-vulnerable cryptography by 2035.

It’s clear that the CRA empowers the EU, its Member States and citizens to use, build and govern digital tools that are not dependent on external jurisdictions. With the shortening time-frame, the legislation helps focus technology providers and embeds a competitive advantage in future-proofing hardware against the threats of tomorrow.

For PQShield, the CRA provides another lens that focuses the supply chain on the importance of PQC. Our UltraPQ suite of products is designed for compliance and crypto agility, whether in hardware, software or cloud-based application. In fact, our team helped co-author the PQC standards recommended by NIST and specified by the likes of ENISA as part of the requirements for cyber resilience. It’s our mission to help the global supply chain stay one step ahead of the attackers, in line with the latest compliance requirements, and ahead of the next generation of cybersecurity threats.

For more on the CRA and the EU PQC Co-ordinated Roadmap, see here.