On 20 November 2024, the EU published the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) in its Official Journal; it entered into force on 10 December 2024. The CRA establishes consistent rules for handling vulnerabilities, improving product security, and keeping products secure throughout their lifecycle.
What Is the Cyber Resilience Act?
The CRA introduces mandatory cybersecurity requirements for products with digital elements (PDEs): hardware or software products whose intended or reasonably foreseeable use includes a direct or indirect connection to a device or network, such as connected devices, software, and IoT technology. It aims to create a unified approach to cybersecurity, replacing fragmented national rules and reducing the risks posed by insecure products.
Key Objectives
- Enhance Security: Ensure digital products are designed and maintained to address cybersecurity risks.
- Improve Transparency: Require manufacturers to disclose security practices and the period during which security updates will be provided.
- Simplify Compliance: Provide a harmonised framework for businesses operating in multiple EU countries.
Who Needs to Comply?
The CRA applies to manufacturers, importers, and distributors (including retailers) placing PDEs on the EU market. Products already covered by sector-specific cybersecurity rules are excluded, such as medical devices, in vitro diagnostic devices, motor vehicles, civil aviation equipment, and marine equipment, as are products developed exclusively for national security or defence purposes.
What Are the Key Requirements?
Core Obligations
- Secure Design: Products must be placed on the market without known exploitable vulnerabilities, ship with a secure-by-default configuration, protect the confidentiality and integrity of data, and minimise their attack surface.
- Risk Assessments: Manufacturers must carry out and document a cybersecurity risk assessment covering planning, design, development, production, delivery, and maintenance, and keep it up to date as part of the technical documentation.
- Vulnerability Handling and Updates: Manufacturers must identify and document vulnerabilities and components (including a software bill of materials), operate a coordinated vulnerability disclosure policy, and provide security updates free of charge and without delay for the support period, which is at least five years unless the product's expected lifetime is shorter.
Products the CRA designates as "important" (listed in Annex III, e.g. password managers in Class I and firewalls in Class II) or "critical" (Annex IV, e.g. smart meter gateways and smartcards) face stricter conformity assessment. Class I products may still be self-assessed if the manufacturer fully applies harmonised standards; Class II and critical products require third-party assessment by a notified body or certification under an EU cybersecurity certification scheme.
Support for SMEs
Recognising the challenges faced by small and medium-sized enterprises (SMEs), the CRA provides for simplified technical documentation, dedicated guidance, and regulatory sandboxes. Free and open-source software that is not monetised falls outside the CRA's scope; open-source software stewards (such as foundations that support open-source projects intended for commercial use) are subject only to a lighter regime of security policy and reporting obligations rather than the full manufacturer requirements.
How Will the CRA Be Enforced?
Monitoring and Penalties
- Oversight: National market surveillance authorities enforce the CRA through document checks, testing, and coordinated actions; ENISA operates the single reporting platform that receives vulnerability and incident notifications alongside the national CSIRTs.
- Penalties for Non-Compliance: Breaches of the essential requirements or of the manufacturer obligations can result in fines of up to €15 million or 2.5% of worldwide annual turnover, whichever is higher; breaches of other obligations carry up to €10 million or 2%, and supplying incorrect information to authorities up to €5 million or 1%.
Market surveillance authorities may also run simultaneous, coordinated control actions ("sweeps") across member states to check that products meet the CRA's requirements, with particular focus on cross-border issues.
Timeline for Implementation
- 11 June 2026: Provisions on the notification of conformity assessment bodies apply, so notified bodies can start being accredited.
- 11 September 2026: Manufacturers' reporting obligations apply: actively exploited vulnerabilities and severe incidents must be reported with an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of them.
- 11 December 2027: All remaining CRA requirements apply, including the essential requirements, conformity assessment, and CE marking.
The EU Cyber Resilience Act marks a major step forward in improving the security and transparency of digital products. Manufacturers and businesses are encouraged to start preparing now by assessing their current practices, identifying gaps (for example, missing vulnerability disclosure policies, software bills of materials, or defined support periods), and aligning their processes with the CRA's requirements. Early action will help ensure a smooth transition and maintain market readiness.