12/11/2024

The Cyber Resilience Act comes into force - act now

The EU's IT security offensive has gained a new building block: on December 10, 2024, the EU Cyber Resilience Act (“CRA”) came into force. The EU regulation contains strict requirements for the cyber security of networked products and software, which will apply from December 11, 2027. They pose challenges for companies that must already be taken into account in the design and development phase of products. Companies should therefore use the transition period to prepare for the CRA and avoid strict regulatory sanctions (such as product recall orders in the worst case).

Background and scope of application

The Cyber Resilience Act (CRA) is part of the EU's “Digital Decade” initiative to promote digital transformation. Alongside DORA and NIS2, the CRA represents a third major pillar in the area of cyber security. While DORA and NIS2 aim to strengthen the cyber resilience of a company's internal IT infrastructure, the CRA places requirements on the cyber security of products.

All so-called “products with digital elements” that include a data connection to another device or a network are covered by the CRA requirements. The scope of application is therefore extremely broad. It includes, for example, networked machines, smart home products and all products equipped with a sensor whose measurement data is made available (e.g. for processing in a platform), but also stand-alone software such as computer games or mobile apps. Open source software is exempt from the CRA as long as it is used non-commercially. Software provided purely as Software-as-a-Service is also exempt, but the sensor products mentioned above are not (even if the data platform itself falls under the SaaS exemption).

Manufacturers, distributors and importers are the addressees of the CRA, with most of the obligations imposed on the manufacturer. Distributors and importers will above all have to check that the manufacturer has complied with its obligations.

Specific obligations of the CRA for manufacturers

The essential obligations of the manufacturer include the following points:

  • The regular performance and documentation of a risk and vulnerability analysis;
  • The manufacturer may only design and develop the product in such a way that an appropriate level of cyber security is guaranteed; in particular, the manufacturer may not deliver the product with any known vulnerabilities (“security by design”);
  • The manufacturer must observe the principles of data minimisation, confidentiality and integrity in the conception and design of the product and provide authentication and encryption mechanisms;
  • Cyber security must be ensured on an ongoing basis through regular security updates during a product lifetime of at least five years, which must be defined in advance;
  • Transparency information as well as instructions for users of the product and technical documentation must be provided;
  • Cyber vulnerabilities and security incidents must be reported immediately to the competent authorities, and a process for handling vulnerabilities must be introduced;
  • Conformity assessment: The product must undergo a conformity assessment procedure before it is placed on the market. For many products, this can be carried out by the manufacturer itself using a purely internal inspection procedure. However, some products are classified by the CRA as particularly critical and require a control procedure by an external assessment body. This applies, for example, to smart home products with general-purpose or security functions. At the end of the assessment procedure, the European CE mark must be affixed to the product or its packaging. Conformity must also be confirmed in writing by the manufacturer in a so-called EU Declaration of Conformity and demonstrated to the outside world.

Practical tips

The CRA deadlines are steadily approaching: from September 11, 2026, companies will be obliged to report cyber vulnerabilities to the competent authorities. From December 11, 2027, the other requirements of the CRA (see above) will also apply. National implementing laws are not necessary.

The obligations must already be taken into account in the early design phase of products. Companies should therefore check their product range for potential impact under the CRA and, if a product falls within the scope of the CRA, carry out a gap analysis in which the cyber security level of the product and its CRA compliance are critically examined. Otherwise, there is a risk of running out of time to implement the necessary changes and improvements in product development.

In the future, the EU agency “ENISA” will publish harmonized European standards for certain products, which will help with the implementation of the CRA requirements and may even provide a presumption of conformity. It is important to keep an eye on these developments.

SKW Schwarz prepares you for the Cyber Resilience Act in interdisciplinary cooperation with selected technical partners. The starting point for your cyber resilience project is a joint workshop in which (i) the requirements of the CRA are defined from both a legal and technical perspective and (ii) these requirements are compared with the current cyber security status of your own products. On this basis, any identified gaps can be closed in the further course of the project using an action plan. Such a project approach has already proven its worth in other areas of IT security law, most recently in the area of the NIS-2 Directive.
