The EU Cyber Resilience Act – What You Need to Know

Published: 14 January 2025

The EU Cyber Resilience Act (CRA) entered into force on 10 December 2024.

The CRA[1] is the first legislation of its kind in the world. It aims to enhance the cybersecurity of hardware and software products with a digital component, which are omnipresent in our daily lives (ranging from baby monitors, smart watches and computer games to firewalls and routers), and to enable consumers to make better informed choices when selecting and using IoT devices.

Before the CRA, different laws and initiatives at both Union and national level dealt with cybersecurity issues and risks only partially. The result was a fragmented legislative framework within the internal market, which created legal uncertainty for both manufacturers and users and placed an unnecessary burden on companies that had to meet varying requirements for similar products.

Cybersecurity for these products is especially important across borders, as products made in one country are often used by organisations and consumers throughout the entire EU internal market. Once the CRA applies, all in-scope products placed on the EU market, whether supplied by an EU business or by one established outside the EU, will need to be cyber secure.

How the CRA is intended to raise the level of cybersecurity

The CRA will apply to all products with digital elements (PDEs) whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, except for specified exclusions such as medical devices, aviation and cars, which are already covered by existing rules. PDEs are defined broadly in the CRA to include any hardware and software products, including their remote data processing solutions, and software or hardware components placed on the market separately.

The CRA will introduce mandatory cybersecurity standards for such products through: (i) harmonised rules for making PDEs available on the market; (ii) essential requirements for the design, development and production of PDEs, and obligations for economic operators in relation to these products with respect to cybersecurity[2]; and (iii) essential cybersecurity requirements for the vulnerability handling processes that ensure the cybersecurity of PDEs throughout their expected lifespan[3].

The CRA classifies PDEs into the categories below, depending on the level of risk associated with the product:

(a) Default products – ie, products that are neither important nor critical from a cybersecurity perspective (probably most products)[4].

(b) Important products – PDEs that either: (i) perform critical cybersecurity functions for other products, networks or services, such as securing authentication, access, intrusion prevention, detection, end-point security or network protection; or (ii) perform functions that pose a significant risk of causing widespread disruption, control or damage to other products, or to the health, security or safety of users, through direct manipulation. This includes central system functions such as network management, configuration control, virtualisation or the processing of personal data.

Important PDEs are divided into two classes:

(i) Class I – PDEs with a higher risk than Default products, such as: identity management systems; browsers; password managers; software that searches for, removes or quarantines malicious software; public key infrastructure and digital certificate issuance software; operating systems; VPNs; routers, modems intended for connection to the internet, and switches; microprocessors and microcontrollers; smart home assistants; security cameras; baby monitoring systems; internet-connected toys that have social interactive features (eg, speaking or filming) or location tracking features; and wearable products designed to be worn on the body for health monitoring purposes or intended for children[5].

(ii) Class II – PDEs with a higher risk than Class I products, such as: hypervisors and container runtime systems that support virtual private network (VPN) functions, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors and microcontrollers[6].

(c) Critical products – PDEs that have the core functionality of a product category set out in Annex IV to the CRA, ie: hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes, and smartcards or similar devices (including secure elements)[7].

What are the essential security requirements?

The CRA sets out essential security requirements[8] that PDEs have to comply with, including:

  • Security by design and default – an appropriate level of cybersecurity, based on the risks, must be embedded in a PDE from the beginning. A PDE must be placed on the market with a secure-by-default configuration, including the possibility to reset the product to its original state and a default setting under which security updates are installed automatically, with a clear and easy-to-use opt-out mechanism;
  • Prevention of unauthorised access by appropriate control mechanisms, such as authentication, identity or access management systems;
  • Protection of the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit using state-of-the-art mechanisms;
  • Protection of the integrity of stored, transmitted or otherwise processed data, commands, programs and configuration against any manipulation or modification;
  • Minimisation of data – process only data, personal or other, that are adequate, relevant and limited to what is necessary in relation to the intended purpose of a PDE;
  • Protection of the availability of essential functions, including resilience against and mitigation of denial-of-service attacks;
  • Attack surface limitation, to minimise the potential entry points for cyberattacks;
  • Vulnerability management – a PDE must be placed on the market without any known exploitable vulnerabilities. Vulnerabilities discovered after market launch can be addressed through security updates;
  • Data portability – users must be provided with the option to securely and easily remove all data and settings and, where such data can be transferred to other products or systems, to do so in a secure manner.

What new legal obligations will economic operators face?

The CRA is directed at the economic operators of PDEs, ie, the manufacturer, the authorised representative, the importer or the distributor of such products.

The new obligations differ by type of economic operator. The most important obligations for manufacturers (ie, entities that develop or manufacture PDEs, or have these products designed, developed or manufactured, and market them under their own name or trademark, whether for payment or free of charge) are as follows:

  • Risk assessment – they must ensure that a PDE has been designed, developed and produced in accordance with the essential requirements. To do this, the manufacturer must assess the risks associated with a PDE and take the outcome of that assessment into account at every stage of the product's lifecycle, so as to reduce cybersecurity risk from the outset.
  • Continuous monitoring and free software updates – they must monitor their products throughout their expected lifecycle and document the relevant cybersecurity aspects. If a vulnerability is found, the manufacturer will be obliged to release a free update. The support period cannot be shorter than 10 years, except for products that are expected to be in use for a shorter period of time. Manufacturers should maintain public archives of software versions and inform users about the risks of using unsupported software. The end date of the support period must be clearly specified, and users should be notified when the support period ends.
  • Reporting – any actively exploited vulnerability and any severe incident must be reported by the manufacturer to the CSIRT and ENISA via the incident reporting platform within tight deadlines, ie, not later than 24 hours after becoming aware of the vulnerability or incident for the early warning, and 72 hours after becoming aware for the complete notification.
  • Transparency – the manufacturer will be required to prepare certain technical documentation and produce user instructions in a clear and intelligible form as set out in the CRA. Such instructions must be provided in a language that can be easily understood by users and market surveillance authorities.

On the other hand, importers (ie, entities established in the EU that place on the market a PDE bearing the name or trademark of a person established outside the EU) and distributors (ie, entities that make a PDE available on the EU market without affecting its properties) will be obliged to check whether the manufacturer complies with the requirements laid down in the CRA, including as regards the CE marking affixed by the manufacturer[10].

Timeline

Although the CRA entered into force on 10 December 2024, its full application is spread across three important dates:

  • 11 June 2026: Conformity assessment bodies must comply (18 months from entry into force).
  • 11 September 2026: Manufacturers must report actively exploited vulnerabilities and severe incidents (21 months from entry into force).
  • 11 December 2027: The CRA will be fully applicable (36 months from entry into force).

What does the CRA mean for the ICT sector?

The CRA is a major step towards strengthening the EU's digital sovereignty and resilience in the face of growing cyber threats and challenges. It may also create a level playing field and a competitive advantage for EU businesses that offer secure and trustworthy products and services to their customers.

However, the CRA will also entail significant compliance costs and challenges for economic operators. They will have to adapt to the new requirements and standards, monitor and report incidents and vulnerabilities, and face potential sanctions or liability in the event of non-compliance or breach. Non-compliance with the essential security requirements and obligations laid down in the CRA may result in a fine of between EUR 5m and EUR 15m, or between 1% and 2.5% of worldwide turnover in the preceding financial year, whichever is higher, depending on the type of violation. In addition to fines, the relevant authorities can require the withdrawal of products from the EU market.

The CRA does not specify how manufacturers should prove their compliance with the essential cybersecurity requirements. The CRA will be implemented through harmonised standards developed by the European Standards Organisations (ESOs) and endorsed by the European Commission, which will detail the requirements in technical specifications. It is hoped that harmonised standards for the PDEs covered, together with guidance from the relevant authorities, will be available sufficiently far in advance of the date on which the CRA applies.

It is worth noting that on 4 April 2024 ENISA and the European Commission's Joint Research Centre published their paper "Cyber Resilience Act (CRA) Requirements Standards Mapping". This report outlines the existing cybersecurity standards for products, including both hardware and software and their components within more complex systems, developed primarily by ESOs and international Standards Development Organisations. The main goal of the study is to map these existing cybersecurity standards to the essential requirements listed in Annex I of the CRA. The report also includes a gap analysis identifying discrepancies between the current standards and the specified requirements.

The official text of the CRA and ENISA's paper are both publicly available.

[1] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

[2] Set forth in Annex I, Part I of the CRA.

[3] Set forth in Annex I, Part II of the CRA.

[4] See Article 6 of the CRA.

[5] See Article 7 and Annex III of the CRA.

[6] See Article 7 and Annex III of the CRA.

[7] See Article 8 and Annex IV of the CRA.

[8] See Annex I, Part I of the CRA.

[9] See Articles 13-18 of the CRA.

[10] See Articles 19-20 of the CRA.