EU Cyber Resilience Act
Publication | 01.28.25
The EU Cyber Resilience Act (CRA) was formally adopted by the European Council on October 10, 2024. Its main goal is to enhance cybersecurity and cyber resilience across the EU by establishing common cybersecurity standards for digitally enabled products, such as required incident reports and automatic security updates. This includes, for example, connected home products (cameras, fridges, toys), password managers, firewalls, and VPNs.
To whom does the CRA apply?
The CRA targets manufacturers, regardless of their location, who develop or produce products with digital elements for the EU market. Because different digital products carry different cybersecurity risks, they are categorized into three main groups, with the level of obligations escalating with the potential impact of a cybersecurity incident involving the product. These categories are:
- Products with digital elements: This default category encompasses products with digital elements that are not specifically identified as “important” or “critical,” covering both B2C and B2B products available in the EU market.
- Important products with digital elements: Divided into two classes based on criticality level: Class I of Annex III of the CRA (e.g., password managers, VPN products, boot managers, routers, smart home assistants) and Class II of Annex III of the CRA (e.g., firewalls, hypervisors, tamper-resistant microcontrollers/microprocessors).
- Critical products with digital elements: Due to their critical importance in cybersecurity, these products are subject to the most rigorous cybersecurity requirements. Examples include hardware devices with security boxes, smart meter gateways, smartcards, and similar devices, including secure elements (Annex IV of the CRA).
Key obligations
Annexes I and II of the CRA outline the key requirements for manufacturers of digitally enabled products. Annex I includes:
- Designing products to ensure an appropriate level of cybersecurity (by design);
- Releasing products without known exploitable vulnerabilities and with secure default configurations;
- Addressing vulnerabilities through security updates;
- Protecting products from unauthorized access by appropriate control mechanisms and ensuring data confidentiality through encryption;
- Preventing unauthorized data manipulation or modification and reporting corruptions;
- Adhering to data minimization principles;
- Implementing resilience and mitigation measures against denial-of-service attacks;
- Identifying and documenting vulnerabilities with a software bill of materials;
- Promptly remediating vulnerabilities, including through security updates;
- Regularly testing and reviewing product security;
- Publicly disclosing information about fixed vulnerabilities;
- Establishing and enforcing a coordinated vulnerability disclosure policy;
- Facilitating information sharing about potential vulnerabilities;
- Distributing updates to fix or mitigate vulnerabilities promptly; and
- Ensuring the timely dissemination of security updates to address identified issues.
Compliance with the CRA
Beyond risk assessment and security by design, manufacturers must perform a conformity assessment before market placement or significant product updates to ensure compliance with the Annex I requirements. These assessments can be self-conducted or performed by third-party entities. Products listed in Annex III, Class II, and Annex IV, however, require third-party assessments due to their higher cybersecurity risk. Manufacturers must create an EU declaration of conformity confirming CRA compliance, as detailed in Annex V. Upon validation, manufacturers must affix the CE marking to their products, signifying CRA compliance.
Noncompliance with the CRA
The CRA imposes substantial administrative fines for noncompliance, including:
- Up to 2.5% of a company’s global annual turnover or 15 million EUR for failing to meet cybersecurity requirements in Annex I;
- Up to 2% of global annual turnover or 10 million EUR for other obligations or requirements breaches;
- Up to 1% of global annual turnover or 5 million EUR for providing incorrect, incomplete, or misleading information to EU and national authorities upon
When does the CRA become applicable?
The CRA entered into force on Dec. 10, 2024. The regulation will be enforceable 36 months after coming into force, with certain provisions becoming applicable at 18 and 21 months after its entry into force.