Cyber Resilience Act (CRA)

What is it about?

The CRA contains requirements for the cybersecurity of products with digital elements. Compliance with these requirements will be enforced through market surveillance and the threat of significant sanctions.

Current status and timeline

In December 2023, the Council and Parliament informally agreed on the text of the regulation, which was adopted by Parliament on March 12, 2024. Formal approval by the Council is still required for it to enter into force. The provisions of the CRA will apply 36 months after entry into force, but certain reporting obligations will apply after just 21 months.

Who is affected?

The requirements for products with digital elements and the processes for dealing with vulnerabilities do not only affect product manufacturers. Importers and distributors are also subject to certain investigation and verification obligations. There are no company size-related exceptions. However, manufacturers of medical devices and vehicle safety systems are exempt from the CRA.

Challenges for companies

The CRA covers a wide range of requirements for "products with digital elements". These are all software and hardware products as well as "remote" data processing solutions without which an intended function of the respective product with digital elements could not be carried out. The requirements include, among others:

  • Compliance with cybersecurity requirements throughout the manufacturing process, i.e. in the planning as well as in the design, development, production and distribution phases.
  • Conformity assessments based on harmonised EU standards, documented by the CE mark.
  • Establishment of processes for dealing with cybersecurity vulnerabilities, including free provision of security updates.
  • Information obligations towards users and the European Cyber Security Agency (ENISA).
  • Inspection obligations for importers and distributors with regard to the manufacturer's compliance with the requirements of the CRA.

Our legal services:

SKW Schwarz is ideally positioned to help companies comply with the expected requirements of the CRA. These include:

  • Compliance check: We review your current business practices to ensure that they comply with the new regulations and provide recommendations for action for any adjustments.
  • Advice on reporting requirements: We guide you through the new reporting requirements and help you establish processes for accurate reporting.
  • Contract management: We support you in drafting and reviewing contracts for products with digital elements in line with the new requirements.
  • Avoiding fines: Our team will help you avoid fines by guiding you through the requirements of the new law and helping you implement necessary compliance measures.
  • Crisis management and prevention: We stand by you in the event of cyber incidents as well as legal disputes and develop preventive strategies to minimise risks.
  • Training, seminars and internal guidelines: We provide training and seminars and create internal guidelines to educate companies and their employees on the requirements of the CRA and provide recommendations for implementation.

Are you ready to take on the challenges of the Cyber Resilience Act (CRA)?

Set up a consultation with our experts today.