The EU Cyber Resilience Act: A Paradigm Shift for the Technology and Digital Industry
The EU Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, published in the Official Journal on November 20, 2024, and entering into force on December 10, 2024, represents a transformative regulation aimed at safeguarding consumers and businesses from cybersecurity threats associated with products with digital elements (PDEs). As the first EU-wide harmonized framework of its kind, the CRA introduces mandatory cybersecurity standards covering the entire lifecycle of PDEs, ensuring that such products are secure by design, resilient against cyberattacks, and compliant with uniform requirements across Member States. This legislation forms a critical pillar of the EU’s Cybersecurity Strategy for the Digital Decade.
Application and Products Covered Under the CRA
Article 2 establishes that the CRA applies to all economic operators involved in the supply chain of PDEs, including manufacturers, importers, distributors, and authorized representatives. As detailed in Article 3(1), PDEs are broadly defined as any hardware or software product and their associated remote data processing solutions that are designed to connect directly or indirectly to devices or networks. This includes consumer products such as smartphones, laptops, smart home devices, smartwatches, and connected toys, as well as business-critical products like firewalls, microprocessors, and intelligent meters. These products fall under the CRA’s jurisdiction due to their potential cybersecurity risks in interconnected environments. Additionally, it extends to software-only products such as accounting software, mobile applications, and video games, all of which must meet the CRA’s stringent cybersecurity standards.
Exemptions and Integration with Other EU Legislation
The CRA excludes non-commercial open-source software, as clarified in its recitals, recognizing its unique development and distribution model. This exclusion forms part of its broader set of exemptions aimed at tailoring regulatory requirements to specific categories of digital products.
The CRA provides specific exemptions for products already regulated under other EU frameworks, such as medical devices, motor vehicle components, and aviation systems. These exclusions recognize that existing regulations sufficiently address cybersecurity requirements for these sectors. Additionally, the CRA aligns with other legislative instruments, such as the NIS2 Directive, the AI Act, and the Digital Operational Resilience Act (DORA), to create a cohesive regulatory environment and minimize redundant requirements for operators. For instance, high-risk AI systems under the AI Act must also comply with relevant CRA cybersecurity requirements, ensuring a comprehensive approach to product safety and security across both frameworks. This harmonized approach simplifies compliance for businesses navigating multiple regulatory frameworks.
Core Obligations for Economic Operators
The CRA mandates that PDEs meet minimum cybersecurity requirements as specified in Annex I. These include ensuring the confidentiality, integrity, and availability of data; incorporating mechanisms to prevent unauthorized access; and maintaining secure configurations by default. The “secure by design” principle obligates manufacturers to integrate cybersecurity considerations throughout the product development process, addressing vulnerabilities at every stage. Complementing this is the “secure by default” approach, which mandates robust security configurations out of the box, banning weak passwords and requiring automatic security updates.
A notable requirement is the maintenance of a Software Bill of Materials (SBOM). The SBOM, as detailed in Annex I, is a detailed inventory of all software components used within a PDE and must be maintained internally to enhance transparency and enable efficient vulnerability management. While not required to be publicly disclosed, the SBOM plays a crucial role in identifying and mitigating cybersecurity risks.
To demonstrate compliance, manufacturers must undertake conformity assessments based on the product’s risk classification. Article 32 of the CRA regulates conformity assessment procedures for products with digital elements. Manufacturers must assess whether their products meet essential cybersecurity requirements as set out in Annex I by employing one of the procedures detailed in Annex VIII. These procedures include internal control, EU-type examination, full quality assurance, or applicable European cybersecurity certification schemes. Annex III classifies products into general, important, and critical categories, determining the stringency of assessment required. General PDEs may rely on self-assessments, important PDEs (e.g., password managers, VPNs) require additional assessments by notified bodies, and critical PDEs (e.g., smartcards, operating systems) must meet ‘substantial’ assurance levels under a European cybersecurity certification scheme.
Responsibilities of Manufacturers, Importers, and Distributors
1. Obligations of Manufacturers
Under Article 13, manufacturers have a critical role in ensuring that products with digital elements (PDEs) comply with the essential cybersecurity requirements. Their responsibilities include:
a. Manufacturers must design, develop, and produce PDEs in compliance with the essential cybersecurity requirements in Annex I. They are required to conduct and document a cybersecurity risk assessment, updating it throughout the product lifecycle, including during the support period.
b. Manufacturers must ensure that third-party components, including open-source software, do not compromise the product’s cybersecurity.
c. Upon identifying vulnerabilities, manufacturers must address them in accordance with Annex I’s requirements, sharing updates and remediation with relevant parties.
d. Manufacturers must determine a support period of at least five years (or the product’s expected use time) and provide security updates for a minimum of ten years after issuance.
e. Manufacturers must draw up technical documentation, undertake conformity assessments, and affix the CE marking to confirm compliance.
f. Manufacturers must provide contact information, instructions for secure use, and ensure a single point of contact for users to report vulnerabilities.
2. Obligations of Importers
Importers are tasked under Article 19 with ensuring that PDEs they place on the EU market comply with CRA standards. Their responsibilities include:
a. Importers must ensure that:
- The manufacturer has conducted conformity assessments (Article 32).
- The product bears the CE marking and is accompanied by the EU declaration of conformity (Article 13(20)) and user instructions in an accessible language.
- The manufacturer has fulfilled key obligations under Article 13, including labeling and providing a support period.
b. Importers must not place non-compliant PDEs on the market and must withhold products until compliance is achieved. If significant cybersecurity risks are identified, importers must notify both the manufacturer and market surveillance authorities.
c. Importers must report any known vulnerabilities to manufacturers and notify authorities of significant cybersecurity risks. They must ensure corrective actions, including product recalls, where necessary.
d. Importers must retain the EU declaration of conformity and technical documentation for at least 10 years or the support period, whichever is longer, and provide this to authorities upon request.
e. Importers must include their contact details (name, address, and digital contact information) on the product, packaging, or accompanying documentation in a manner accessible to users and authorities.
3. Obligations of Distributors
According to Article 20, distributors must ensure that PDEs are compliant before making them available on the market. Their responsibilities include:
a. Distributors must verify that:
i. The product bears the CE marking.
ii. The manufacturer and importer have complied with the obligations set out in Article 13(15), (16), (18), (19) and (20) and Article 19(4), including documentation and user instructions.
b. Distributors must not distribute products if they know or suspect non-compliance. They must inform the manufacturer and authorities if significant cybersecurity risks are identified.
c. Upon identifying vulnerabilities, distributors must notify the manufacturer. For significant cybersecurity risks, immediate notification to market surveillance authorities is required.
d. Distributors must provide documentation and cooperate with market surveillance authorities to address cybersecurity risks.
e. If a distributor learns that a manufacturer has ceased operations, leaving products unsupported, they must notify the relevant authorities and, where feasible, inform users.
Enforcement Framework and Penalties
The CRA establishes a robust enforcement mechanism. Market surveillance authorities, under Article 60 and in coordination with ENISA, are empowered to conduct coordinated inspections, referred to as “sweeps,” to verify compliance across Member States. These sweeps involve simultaneous, cross-border checks aimed at efficiently identifying non-compliant products. In cases of non-compliance, authorities can mandate corrective actions, including product recalls or withdrawal from the market.
Penalties for breaches of the CRA are significant and tiered, as outlined in Article 64. Breaches of essential cybersecurity requirements, conformity assessments, and reporting obligations may result in administrative fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. Lesser breaches, such as failures in technical documentation or CE marking, may incur fines of up to €10 million or 2% of global turnover. Providing incorrect or misleading information could result in fines up to €5 million or 1% of turnover. These fines aim to ensure compliance while deterring negligence and misconduct.
Steps for Companies to Achieve CRA Compliance
Companies should take the following steps to achieve compliance with the CRA:
1. Conduct a Comprehensive Gap Analysis
- Identify discrepancies between current cybersecurity practices and CRA requirements.
- Review all products with digital elements (PDEs) to determine compliance with the essential cybersecurity requirements outlined in Annex I.
- Assess internal processes for conformity with Annex II (vulnerability handling and security updates).
- Examine supply chains and third-party integrations for compliance risks.
2. Establish Product Security Incident Response Teams (PSIRTs)
- Develop coordinated vulnerability disclosure policies, as mandated in Annex I, Part II.
- Implement response plans for identified risks to ensure prompt remediation.
- Ensure systematic documentation of cybersecurity incidents and their resolution.
3. Implement the “Secure by Design” Principle
- Embed robust security mechanisms during the planning, design, and production phases.
- Ensure products are configured securely by default, as required by the CRA.
- Conduct cybersecurity risk assessments that account for intended use and foreseeable misuse.
4. Maintain and Update a Software Bill of Materials (SBOM)
- Create a detailed inventory of all software components within PDEs.
- Regularly update the SBOM to reflect changes and new components.
- Use the SBOM to track and address vulnerabilities in third-party components.
5. Ensure Compliance with Conformity Assessment Procedures
- Determine the product’s risk category (general, important, or critical) as outlined in Annex III.
- Follow the appropriate conformity assessment procedure (e.g., internal control, EU-type examination, or certification under Annex VIII).
- Prepare technical documentation and secure the CE marking for compliant products.
6. Designate Support Periods and Ensure Security Updates
- Define a support period of at least five years or the product’s expected usage time.
- Ensure availability of security updates for at least 10 years after issuance.
- Communicate the support period clearly to consumers at the time of purchase.
7. Build Collaboration with Importers and Distributors
- Share technical documentation and SBOMs with importers and distributors.
- Ensure they are informed of their responsibilities under Articles 19 and 20.
- Establish channels for reporting and addressing cybersecurity risks.
8. Train Staff and Strengthen Awareness
- Provide targeted training on CRA requirements for relevant teams.
- Raise awareness of the importance of cybersecurity in product design and lifecycle management.
9. Monitor Market Surveillance and Reporting Obligations
- Report vulnerabilities and incidents to authorities as required under Article 14.
- Cooperate with market surveillance authorities during inspections.
- Use data from market sweeps to refine cybersecurity strategies.
10. Leverage Regulatory Sandboxes and SME Support
- For SMEs, take advantage of simplified technical documentation requirements and access to regulatory sandboxes.
- Use dedicated helpdesks for guidance on meeting reporting and documentation requirements.
11. Develop a Long-Term Compliance Roadmap
- Align internal processes with the CRA’s phased timelines, including reporting obligations (2026) and full compliance by December 2027.
- Regularly review and update internal policies to align with evolving cybersecurity standards and best practices.
While the CRA imposes stringent obligations, it also provides targeted support for small and medium-sized enterprises (SMEs) to facilitate compliance. These measures include simplified technical documentation requirements, access to regulatory sandboxes for testing innovative solutions, and dedicated helpdesks for reporting obligations. Such provisions aim to balance the regulatory burden with fostering innovation within the EU’s digital economy.
Transition Timeline and Next Steps
The CRA’s phased implementation timeline provides businesses with a structured period to adapt to its requirements. Article 71 specifies that the CRA enters into force on December 10, 2024. However, Article 14 (reporting obligations) applies earlier, starting from September 11, 2026, and Chapter IV (Articles 35 to 51 on market surveillance) applies from June 11, 2026. Full compliance with all provisions is expected by December 11, 2027.
During this transition, companies must prioritize establishing internal processes to meet these deadlines. Early compliance efforts not only mitigate regulatory risks but also position businesses as leaders in cybersecurity, enhancing their market reputation and strengthening consumer trust.
The EU Cyber Resilience Act represents a landmark shift in regulatory approaches to cybersecurity. By establishing a comprehensive framework that prioritizes product security throughout the lifecycle, the CRA sets a global benchmark for safeguarding digital ecosystems. For businesses, compliance is not merely a legal obligation but a strategic opportunity to lead in a rapidly evolving digital landscape.
Feel free to contact us if you would like to discuss this further or require any assistance.