Cyber Resilience Act (CRA)
The Cyber Resilience Act (CRA) aims to strengthen the cybersecurity of products with digital elements in the EU by ensuring that these products are designed, developed and maintained in accordance with certain minimum cybersecurity requirements. These minimum requirements apply during the entire life cycle of the product.
The CRA is thus a key element of digital product safety legislation in the EU.
Key Facts:
- Subject-Matter and Objective: The aim of the CRA is to ensure the cybersecurity of products with digital elements in the EU. This is to be achieved by means of various essential requirements for the design, development, manufacturing and marketing of products with digital elements. In addition, the CRA is intended to improve transparency for users in the area of cybersecurity when selecting and using products with digital elements.
- Application and Transitional Periods: The CRA was adopted by the European Parliament in March 2024 and must now be finally confirmed by the EU Council before it can enter into force. Once in force, the CRA will be directly applicable in the EU member states. However, the CRA currently provides for a transitional period of 36 months before its obligations apply. The reporting requirements for exploited vulnerabilities will take effect after 21 months.
- Regulated Products: The CRA applies to all products with digital elements that can be connected either directly or indirectly to another device or network. This includes a wide range of connected products, such as IoT devices and applications. In principle, websites, cloud computing services and cloud service models, such as software as a service, are not covered. The latter may primarily fall under the NIS2 Directive. However, an exception is made for those cloud services that support the operation or use of the respective product with digital elements – these are also covered by the CRA. This means that clear documentation of the entire ecosystem is necessary.
- Addressees: The CRA is aimed at various economic operators, namely manufacturers (and, where applicable, their authorized representatives), importers and distributors of products with digital elements. These actors each have different obligations, with the manufacturer at the center of the regulatory framework. The manufacturer must consider cybersecurity from the design and development of products and ensure it throughout the entire product life cycle.
- Security Requirements: Manufacturers must ensure that the products they place on the market comply with the essential requirements set out in the CRA during design, development and manufacturing. These include, in particular, the implementation of the specified cybersecurity requirements and compliance with the vulnerability handling requirements.
- Security Update Obligation: During the life cycle, manufacturers must identify cybersecurity risks and vulnerabilities through regular testing and address them with free security updates. The update period is based on the usual support period but must be at least five years. If there is an incident that could affect the security of a product, or if a vulnerability is exploited, this must be reported to the relevant authority within a maximum of 24 hours. In addition, appropriate measures must be taken to rectify the problem.
- CE-Marking and Documentation: Products with digital elements must bear a CE marking which indicates compliance with the minimum cybersecurity requirements of the CRA before they can be placed on the market, so that customers and users are informed about the security level of the products and can make informed purchasing decisions. Furthermore, manufacturers must provide users with detailed technical documentation.
- Rules for Third Party Software: Free and open-source software (FOSS) is regularly used in the development and operation of software and hardware components, each of which is subject to its own license conditions. The CRA contains special requirements for manufacturers for handling FOSS. It also establishes obligations for so-called open-source software managers (i.e., providers of online repositories).
- Conformity Assessment: Manufacturers must carry out a conformity assessment before placing their products on the market. Depending on the classification as an important or critical device, the CRA provides for different conformity assessment procedures. These procedures differ mainly in that the involvement of notified bodies is required only for critical class I and class II devices.
- Supervision and Sanctions: In the event of a violation of the CRA, the national market surveillance authorities are authorized to take surveillance and enforcement measures. These include, for example, the authority to prohibit the distribution of the respective product. In addition, serious penalties in the form of fines may be imposed for violations of the CRA. These may be up to 15 million euros or 2.5% of the worldwide annual turnover, depending on which amount is higher.
Our Services include:
- Determining whether certain products fall within the scope of the CRA, as well as evaluating and defining the applicable obligations for the regulated economic operators.
- Advising on and supporting the implementation of new measures and the adaptation of existing measures and business processes to comply with the legal requirements throughout the entire life cycle of a product.
- Training of management, security staff (ISO, CISO) and employees, in particular with regard to new responsibilities and duties under the CRA.
- Support in drafting and negotiating contracts with external service providers and contracts between the individual economic operators to regulate the supply and distribution chain, taking into account the CRA requirements.