by Luca Farkas
On 10 October 2024, the Council adopted the European Cyber Resilience Act (CRA)[1] to address growing cybersecurity risks associated with products containing digital components, particularly in an increasingly connected world. As more and more devices become internet-enabled, they pose significant security challenges. Cyberattacks targeting these products can undermine consumer safety, economic stability, and even democratic systems. In response, the Act establishes a comprehensive legal framework to ensure that products with digital elements are secure before they are placed on the market.
A Unified Approach to Cybersecurity
The primary aim of the regulation is to standardize cybersecurity requirements across the European Union, addressing gaps and inconsistencies in existing legislation.[2] It sets clear rules for the design, development, and sale of both hardware and software products, ensuring they meet high security standards throughout their lifecycle. Products that comply will bear the CE marking, signalling to consumers that they meet the EU’s rigorous safety and cybersecurity standards. The regulation addresses two key issues driving costs for users and society: the low cybersecurity of digital products, marked by vulnerabilities and poor updates, and the lack of user awareness, preventing secure product choices and use.
Key Obligations of Manufacturers, Importers, and Distributors
The regulation outlines five key obligations for manufacturers: conformity assessments, product documentation, customer support, cybersecurity risk assessments, and vulnerability reporting. Manufacturers must also report any actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours of detection. Products that meet the regulatory requirements must also display the CE marking to indicate compliance.
Additionally, the regulation imposes obligations on importers and distributors. Importers are responsible for ensuring that manufacturers have met all necessary requirements, including conducting conformity assessments. Distributors must ensure that products bear the CE marking and that manufacturers have complied with their obligations.
Who’s Affected? Products Under the CRA’s Scope
The regulation covers all products that are connected directly or indirectly to other devices or networks, with exceptions for products already governed by existing EU cybersecurity rules, such as medical devices, aviation products, and cars. Products are categorized into three classes,[3] each with distinct obligations for manufacturers under the CRA:
1. Non-Critical, Non-Important Products
This category includes, for example, smart toys, TVs, and fridges, and will cover about 90% of connected devices.[4] Manufacturers of these products can self-assess their compliance with the CRA’s requirements, without needing third-party verification.
2. Important Products (Class I)
This category includes, for example, operating systems and VPNs.[5] Manufacturers of these products can self-assess compliance if they fully conform to harmonised standards or common specifications, or hold a European cybersecurity certification. If they only partially conform, or have not applied these standards or certifications, they must undergo a third-party assessment.
3. Critical Products and Important Products (Class II)
This category includes, for example, firewalls, intrusion detection and prevention systems, and smartcards.[6] Manufacturers of these products are required to undergo a third-party assessment regardless of whether they conform to specific standards or certifications.
Penalties and Enforcement: The Price of Non-Compliance
The regulation requires member states to establish market surveillance authorities to ensure compliance. Failure to comply with essential cybersecurity requirements, conformity assessment and reporting obligations may incur fines of up to EUR 15 million or 2.5% of global annual turnover, whichever is higher. Violations of other CRA rules, such as those for authorised representatives, importers, distributors, or CE marking, may result in fines of up to EUR 10 million or 2% of global turnover, whichever is higher.
Connecting the Dots with other EU Regulations
The CRA is part of a broader EU effort to strengthen cybersecurity, complementing existing regulations. One such regulation is the NIS 2 Directive, which focuses on the security and resilience of networks and systems that provide essential services, while the CRA specifically addresses the cybersecurity and certification of digital products placed on the EU market.[7] It’s also crucial to understand that the CRA’s obligations and potential liabilities are not isolated. Since the regulation targets products with digital elements, these products may also fall under the scope of other EU laws, such as the AI Act.[8] Both the NIS 2 Directive and the AI Act are considered lex specialis to the CRA as lex generalis. In the case of high-risk AI systems, the CRA explicitly states that products with digital elements (PDEs) that also qualify as high-risk AI systems under the AI Act will be considered compliant with the AI Act’s cybersecurity requirements, provided they meet the corresponding requirements outlined in the CRA.[9]
What’s Next? Key Dates for Compliance
The CRA includes a phased implementation timeline:
1. Notification of Conformity Assessment Bodies (Chapter VI) will apply from 11 June 2026.
2. Manufacturers' Reporting Obligations will begin on 11 September 2026.
3. All remaining obligations will take effect on 11 December 2027.
Although the regulation is designed to empower consumers to prioritize cybersecurity when selecting digital products,[10] its broad scope and significant penalties are expected to present considerable challenges for companies.
[1] PE-CONS 100/1/23 REV 1, European Parliament and Council, Regulation of the European Parliament and of the Council on Horizontal Cybersecurity Requirements for Products with Digital Elements and Amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act), 23 October 2024, hereinafter CRA.
[2] CRA, Preamble, para. 1.
[3] CRA, Annexes III and IV.
[4] Jones Day, EU Enacts Broad Cybersecurity Requirements for Hardware and Software Products, 23.10.2024. https://www.jonesday.com/en/insights/2024/10/eu-enacts-broad-cybersecurity-requirements-for-hardware-and-software.
[5] CRA, Annex III.
[6] CRA, Annex IV.
[7] Jones Day, 23.10.2024.
[8] Clyde & Co, The Cyber Resilience Act – new cybersecurity requirements for products with digital elements and liability risks, 20.11.2024. https://www.clydeco.com/en/insights/2024/11/the-cyber-resilience-act-new-cybersecurity-require.
[9] DLA Piper, EU: Cyber Resilience Act published in EU Official Journal, 21.11.2024. https://privacymatters.dlapiper.com/2024/11/eu-cyber-resilience-act-published-in-eu-official-journal/; see also CRA, Preamble, para. 51.
[10] World Economic Forum, EU adopts cyber resilience act – and other cybersecurity news to know this month, 15.10.2024. https://www.weforum.org/stories/2024/10/eu-cyber-resilience-act-cybersecurity-news-october-2024/.