On October 23, 2024, the EU adopted the Cyber Resilience Act (CRA; Regulation (EU) 2024/2847), the first legislation to set mandatory cybersecurity standards for products with digital elements sold in the EU. The regulation requires manufacturers to ensure that products remain cybersecure throughout their lifecycle, including the ability to update cryptographic mechanisms as threats evolve.
Beginning in December 2027, products must be designed with the flexibility to update cryptographic components. According to industry analysis, the CRA drives post-quantum cryptography (PQC) migration by requiring that digital products use recognized security standards and support cryptographic agility. New products should be capable of receiving firmware and software updates signed with quantum-safe algorithms.
Standards work under the CRA is moving toward a model where the European Cybersecurity Certification Group’s Agreed Cryptographic Mechanisms document defines the accepted cryptographic baseline for internet-connected products.