Introduction
The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024. It sets out cybersecurity requirements for products with digital elements that are made available on the EU market, ranging from common consumer devices to components of critical IT infrastructure.
The CRA is a regulation that will have direct effect in the EU Member States without national implementation being required. Alongside the NIS2 Directive, the Critical Entities Resilience Directive, the Cybersecurity Act, the proposed Cyber Solidarity Act, and sector-specific regulations like the Digital Operational Resilience Act, the CRA represents yet another step in the EU cybersecurity strategy to build resilience to cyber threats and ensure citizens and businesses benefit from trustworthy digital technologies across the EU.
Scope
Products with digital elements
- The CRA applies to products with digital elements that are made available on the EU market. A product with digital elements (PDE) is widely defined as ‘a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately’.
- While the cybersecurity requirements under the CRA are foremost aimed at hardware and software products, remote data processing services that are provided as part and parcel of PDEs are also caught by these requirements. According to the CRA, this concerns data processing at a distance for which the software is designed and developed by or under the responsibility of the manufacturer of a PDE, and the absence of which would prevent the PDE from performing one of its functions.
Connected products
Not all PDEs are regulated by the CRA, only those whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. In short, the CRA aims to regulate connected products.
Excluded products
Certain PDEs are specifically excluded from the scope of the CRA, including PDEs that:
- are regulated as a medical device under EU Regulation 2017/745 or 2017/746;
- are regulated as part of a motor vehicle under Regulation (EU) 2019/2144;
- have been certified as aeronautical products in accordance with Regulation (EU) 2018/1139;
- fall within the scope of marine equipment regulated by Directive 2014/90/EU; and
- have been developed or modified exclusively for national security or defence purposes or specifically designed to process classified information.
The CRA also does not apply to spare parts that are made available on the market to replace identical components in products with digital elements and that are manufactured according to the same specifications as the components they are intended to replace.
High-risk AI systems
The CRA provides that PDEs that qualify as high-risk AI systems under the EU AI Act must also comply with the essential cybersecurity requirements under the CRA and may, where they are compliant, be deemed to be compliant with relevant cybersecurity requirements set out in Article 15 of the EU AI Act. We refer to our more extensive briefings on the EU AI Act which are available here.
Obligations
The CRA introduces cybersecurity obligations for economic operators that are involved with making PDEs available on the market, which include manufacturers, importers and distributors. Additionally, the CRA imposes obligations on so-called ‘open-source software stewards’ in respect of PDEs comprising open-source software.
Manufacturers, importers and distributors
Obligations of manufacturers include:
- Making sure the PDEs they make available on the market and the vulnerability handling processes they deploy for PDEs meet the so-called essential cybersecurity requirements set out in Annex I to the CRA, during the relevant lifetime of the PDEs concerned (a default support period of five years is stipulated).
- Assessing the cybersecurity risks of PDEs based on their intended purpose and reasonably foreseeable use and taking these risks into account during the design, development, production, delivery and maintenance phases of the PDEs.
- Drawing up technical documentation about the PDEs in respect of their cybersecurity compliance as detailed in Annex VII to the CRA, including information and user instructions as detailed in Annex II to the CRA.
- Performing conformity assessment procedures demonstrating the compliance of PDEs and vulnerability handling processes with the essential cybersecurity requirements, including drawing up an EU declaration of conformity and affixing CE marking before making PDEs available on the market.
- Taking corrective measures to remedy any non-compliance of PDEs with the requirements under the CRA, including the withdrawal or recall of PDEs as appropriate.
- Reporting actively exploited vulnerabilities contained in PDEs and any severe incidents impacting the cybersecurity of PDEs to the relevant national Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA). A single, centralised reporting platform will be established by ENISA for this purpose.
Obligations of importers include:
- Making sure the PDEs they place on the market and the processes deployed by the manufacturer meet the essential cybersecurity requirements.
- Ensuring that the manufacturer carried out the required conformity assessment procedures, has drawn up the technical documentation and that the PDEs bear all required information and markings.
- Notifying the manufacturer and relevant market surveillance authorities if the PDE shows a cybersecurity vulnerability or poses a significant cybersecurity risk, taking remedial measures to address non-compliance of PDEs and – if appropriate – withdrawing or recalling the product.
Obligations of distributors are limited to verifying that PDEs bear the required CE marking and that the manufacturer and importer (as applicable) have met their respective obligations as regards technical documentation, information and markings to be provided on, with or in respect of PDEs.
Where an importer or distributor places a PDE on the market under its own name or trademark or carries out substantial modifications to PDEs already placed on the market, it will be subject to the requirements imposed on manufacturers under the CRA.
Open-source software stewards
While the CRA does not regulate open-source software that is made available outside the course of a commercial activity, it does impose light-touch obligations on ‘open-source software stewards’ in respect of PDEs that qualify as free and open-source software and are ultimately intended for commercial activities. These open-source software stewards are defined as legal persons (including, for example, foundations and not-for-profit entities) who provide support on a sustained basis for the development of the aforementioned PDEs and who play a main role in ensuring the viability of those products.
Obligations of open-source software stewards include:
- Developing a cybersecurity policy that promotes the creation of secure PDEs and shows how developers effectively manage vulnerabilities.
- Fully cooperating with market surveillance authorities and reporting potential cybersecurity vulnerabilities to them.
Important and critical PDEs
The CRA singles out important and critical PDEs, according to their criticality in terms of cybersecurity risks:
- Important PDEs are identified in Annex III to the CRA and include a wide range of products, such as identity management systems, browsers, antivirus software, password managers, VPN products, network management and operating systems, routers, smart home products with security functionalities, internet-connected toys, personal health-monitoring wearable products, hypervisors and container runtime systems, firewalls and other intruder detection and prevention systems, tamper-resistant microprocessors and tamper-resistant microcontrollers.
- Critical PDEs are identified in Annex IV and include hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes (including secure crypto processing), and smartcards or similar devices.
Important PDEs may be subject to an EU-type examination or full quality assurance assessment conducted by designated third-party conformity assessment bodies (notified bodies), and critical PDEs must obtain certificates under specific European cybersecurity certification schemes (to be) set up by the European Commission. The compliance of “regular” PDEs with the essential cybersecurity requirements under the CRA can be demonstrated by internal control procedures conducted by manufacturers themselves.
Enforcement and penalties
Each EU Member State will appoint one or more market surveillance authorities to oversee and enforce the CRA. To ensure a uniform application of the CRA, an Administrative Cooperation Group (ADCO) will be established, consisting of representatives of all designated market surveillance authorities.
Depending on the nature of a violation of the CRA requirements, breaches of obligations imposed by the CRA may result in administrative fines up to EUR 15 million or 2.5% of the total worldwide annual turnover, whichever is higher.
Implementation
The CRA will become fully applicable from 11 December 2027. Reporting obligations for manufacturers in respect of actively exploited vulnerabilities and severe cybersecurity incidents in respect of PDEs will apply from 11 September 2026 and the provisions establishing rules for notified bodies will apply from 11 June 2026.