
The EU Cyber Resilience Act
The Cyber Resilience Act (CRA) mandates that all digital products, including software and hardware that process data, meet standardized cybersecurity requirements before they enter the European market. It strengthens Europe's digital sovereignty by setting high security standards for products sold in the EU market, aiming to protect consumers and businesses from cyber threats.
The CRA was adopted in October 2024, and manufacturers will have to place compliant products on the European Union market by 2027. Products that do not meet the requirements will be barred from the market, and the cost of non-compliance can reach 15 million euros or 2.5% of annual turnover.
Default non-critical products | 90% of products
Any product that is not classified as critical must still meet the compliance requirements, through a self-assessment process.
Examples: Digital watches, electronic toys, basic digital kitchen appliances, manual digital thermostats, non-connected car diagnostic tools, handheld electronic game devices, LED lamps with basic electronic controls, electric toothbrushes without connectivity, digital irrigation controllers, non-connected fitness trackers, basic handheld translators, simple e-readers without Wi-Fi, electronic picture frames without internet features, basic digital levels for construction, electronic key finders, portable media players without internet access.
Critical products | 10% of products
Critical products, as defined in Annex III of the CRA, must achieve compliance through a mandatory third-party assessment process.
Class I (lower risk): Identity management systems software, standalone and embedded browsers, password managers, antivirus software, VPN software, network management systems, network configuration management tools, network traffic monitoring systems, network resource management, SIEM systems, update/patch management software, application configuration management systems, remote access/sharing software, mobile device management software and physical network interfaces.
Class II (higher risk): Operating systems for servers, desktops, and mobile devices, hypervisors, container runtime systems, public key infrastructure, digital certificate issuers, industrial-use firewalls, industrial-use intrusion detection or prevention systems, general purpose microprocessors, microprocessors for programmable logic controllers, routers and switches for industrial use, secure elements, hardware security modules, secure crypto processors, smartcards, smartcard readers, tokens, industrial automation and control systems, industrial IoT devices, robot sensing components and smart meters.
Note: Some products, like medical devices, automobiles, military, and aeronautical products, are not covered by the CRA because they follow separate cybersecurity rules.
Become Compliant

Secure Design and Development
- Secure-by-design approach – Integrate robust security principles from the initial development phase.
- End-to-end cybersecurity – Ensure protection throughout the entire product lifecycle, from design to deployment and beyond.
- Default security settings – Configure products with secure settings enabled by default to reduce user-related risks.
Vulnerability Management
- Proactive vulnerability management – Identify and remediate security flaws in products.
- Ongoing risk assessments – Regularly evaluate and address potential cybersecurity threats.
- Continuous monitoring and response – Track vulnerabilities in software and hardware while managing disclosures from researchers and users.
Software and Security Updates
- Timely security updates – Address post-market vulnerabilities with prompt updates.
- Regular, user-friendly updates – Ensure updates are issued consistently and require minimal user involvement.
- Clear support timeline – Communicate the duration of security update availability, so users know when to expect ongoing patches.
Secure Supply Chain
- Third-party component security – Ensure all integrated components, such as software libraries and hardware, meet cybersecurity standards and are regularly updated.
- Vulnerability management – Verify the security of integrated components and issue updates when vulnerabilities are discovered.
- Cloud service compliance – Ensure any remote data processing services, such as cloud services, comply with cybersecurity requirements.
Incident Reporting
- Cybersecurity incident management – Implement processes for detecting, responding to, and recovering from incidents.
- Timely reporting – Notify relevant authorities and stakeholders of significant cybersecurity incidents without delay.
- Continuous improvement – Use insights from incidents to refine security processes and prevent future breaches.
Data Protection and Privacy
- GDPR compliance – Protect personal data and ensure adherence to the EU General Data Protection Regulation (GDPR).
- Secure data storage – Safely store sensitive security parameters to prevent unauthorized access.
- Data protection measures – Implement safeguards to protect data from unauthorized access, disclosure, alteration, or destruction.
Documentation and Transparency
- Clear product information – Provide users with details on cybersecurity features, lifecycle, support period, and safe use, including guidance on vulnerability reporting.
- End-of-life communication – Clearly state end-of-life dates and ensure ongoing support, including security updates, until the product's end-of-life.
- Compliance and testing – Ensure all digital products display the CE mark, confirming compliance with CRA cybersecurity requirements and proper testing.
Compliance Requirements
Is it relevant to me?
The CRA applies to any product sold within the EU that connects, either directly or indirectly, to another device or a network. All applicable products must be certified and bear the CE marking to demonstrate adherence to EU cybersecurity standards.
If your business involves connected devices, the CRA directly impacts your market access, responsibilities, and potential liabilities. Whether you are a seller, importer, or integrator of such products, compliance is mandatory. Non-compliance could lead to significant fines or market exclusion, so understanding and acting on these requirements is essential. Products under the CRA fall into two categories, so that requirements are tailored to their risk level. The obligations differ by role:
- Manufacturers: must assess the cybersecurity risks associated with a product with digital elements. The outcome of that assessment must be taken into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements, with a view to minimizing cybersecurity risks, preventing security incidents and minimizing the impacts of such incidents, including in relation to the health and safety of users.
- Importers: shall only place on the market products with digital elements that comply with the essential cybersecurity requirements defined by the CRA. For example, the imported products must be delivered with a secure-by-default configuration, including the possibility to reset the product to its original state.
- Distributors: in case a vulnerability in the product with digital elements has been identified, distributors must inform the manufacturer without undue delay about the vulnerability and work to notify users to mitigate and reduce the potential risk. If the digital elements present a significant cybersecurity risk, distributors must immediately inform the market surveillance authorities of the Member States in which the product has been made available on the market.