The Cyber Resilience Act
The Cyber Resilience Act (CRA) aims to establish common cybersecurity standards for ‘products with digital elements’ placed on the European Union market.
The CRA is the first-ever EU-wide legislation of its kind. It introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software.
More precisely, the CRA applies to products with digital elements whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.
Affected businesses
The CRA will apply to ‘products with digital elements’, which means any software or hardware product and its remote data processing solutions – including software or hardware components to be placed on the market separately.
Organisations manufacturing and developing products with digital elements in the EU should therefore be aware of the CRA. Examples of products with digital elements include:
- End devices: Laptops, smartphones, sensors and smart robots
- Software: Operating systems, mobile apps and desktop applications
- Components (both hardware and software): Computer processing units and video cards
Key impacts
The CRA is expected to have the following impact:
- First, ensuring that products with digital elements placed on the EU market have fewer vulnerabilities, and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle.
- Second, improving transparency on the security of hardware and software products.
To achieve these two goals, the CRA mandates that products with digital elements will only be made available on the market if they meet specific essential cybersecurity requirements. It requires manufacturers to factor cybersecurity into the design and development of products with digital elements.
- A key element of the CRA is the coverage of the whole life cycle of products and, in particular, the provision of obligations for manufacturers and developers to define a support period that reflects the time the product is expected to be in use and to provide security updates during that period.
- Where compliance of the product with the applicable requirements has been demonstrated, manufacturers and developers will draw up an EU declaration of conformity and can affix the CE marking.
- The CE marking will indicate the conformity of products with digital elements with the CRA, so that they can move freely within the internal market.
Enforcement
EU Member States will appoint market surveillance authorities, which will be responsible for the enforcement of the CRA obligations.
In case of noncompliance, the market surveillance authorities could require a company to bring the noncompliance to an end and eliminate the risk, prohibit or restrict the making available of a product on the market, or order that the product be withdrawn or recalled.
Key timings
The CRA was formally approved by the European Parliament in March 2024 and is set to enter into force in the second half of 2024.
Manufacturers will have to place compliant products on the EU market by 2027 (meaning 36 months to adapt to the new requirements).