The Cyber Resilience Act (CRA), the new EU Regulation on cybersecurity requirements for products with digital elements, was adopted by the Council on 10 October 2024. The aims of the CRA include (i) ensuring better consumer protection by obliging manufacturers to provide security support and software updates, (ii) improving the cybersecurity of connected products, reducing vulnerabilities and increasing user trust, and (iii) creating a single set of cybersecurity rules for companies across the EU. Its main provisions become applicable 36 months after entry into force, i.e. in Q4 of 2027, with the reporting obligations for manufacturers applying earlier, from Q3 of 2026.
The CRA will apply to software and hardware products that are connected, directly or indirectly, to another device or to a network (with exceptions for products already covered by sector-specific rules, e.g. medical devices, aeronautical products and cars), therefore covering a wide range of connected products from consumer electronics to complex industrial systems.
The CRA imposes obligations on manufacturers, importers and distributors of software or hardware products (including remote data processing solutions and components placed on the market separately), i.a.:
1) To ensure that the products placed on the market in the EU meet the cybersecurity standards set out in the CRA; and
2) To ensure that vulnerabilities and incidents are reported to cybersecurity authorities and, where relevant, users.
The most stringent obligations are placed on manufacturers, which must, amongst others:
- Undertake an assessment of the cybersecurity risks associated with the product with digital elements and draw up corresponding technical documentation. Compliant products will bear the CE marking to indicate that they meet the CRA's requirements;
For example, the essential cybersecurity requirements set out in Annex I to the CRA include i.a. ensuring an appropriate level of cybersecurity based on the risks, not having known exploitable vulnerabilities at the time of placing on the market, being made available with a "secure by default" configuration and protecting against unauthorised access by appropriate control mechanisms (such as authentication and access management).
For certain categories of products, designated as "important" or "critical" products with digital elements, stricter conformity assessment procedures apply, including, depending on the category, mandatory third-party assessment rather than manufacturer self-assessment.
- Address and remedy vulnerabilities effectively during a support period of at least five years after the product is placed on the market (unless the product is expected to be in use for a shorter period), and ensure that each security update, once issued, remains available for at least 10 years after the product is placed on the market or for the remainder of the support period, whichever is longer;
- Comply with reporting obligations: manufacturers must notify any actively exploited vulnerability in the product and any severe incident having an impact on the security of the product to the competent national authority (CSIRT) and ENISA via the single reporting platform, in three stages: i) an early warning without undue delay and in any event within 24 hours of becoming aware of it, ii) a vulnerability or incident notification within 72 hours and iii) a final report within 14 days (for vulnerabilities) or one month (for incidents);
- Notify the cessation of operations: where the manufacturer ceases its operations and consequently becomes unable to comply with the requirements of the CRA, it must inform the market surveillance authorities and, to the extent possible, the users of the affected products.
As for importers and distributors, they must i.a. verify the compliance of products (CE marking, conformity assessment, technical documentation) before placing or making them available on the EU market, and notify the manufacturer of any vulnerabilities they discover. However, where an importer or distributor places a product on the market under its own name or trademark, it becomes subject to manufacturer-level obligations. Similarly, any person carrying out a substantial modification of a product with digital elements and making that product available on the market will be subject to manufacturer-level obligations.
Non-compliance with the essential cybersecurity requirements or with the obligations imposed on manufacturers may result in administrative fines of up to EUR 15,000,000 or 2.5 % of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher. Non-compliance with the other obligations under the CRA, including those applicable to importers and distributors, may be subject to administrative fines of up to EUR 10,000,000 or 2 % of the undertaking's total worldwide annual turnover for the preceding financial year, whichever is higher.