As part of the broader EU Cybersecurity Strategy, the EU Regulation 2024/2847 of 3 October 2024 on horizontal cybersecurity requirements for products with digital elements (the ‘Cyber Resilience Act’ or ‘CRA’) was formally adopted on 23 October 2024. In this edition, we dive into the key components of this new regulation and its expected impact on the market.
1. What is the main objective?
The Cyber Resilience Act aims to introduce a set of harmonised safeguards for consumers and businesses buying software or hardware products with a digital component.
It does so by imposing cybersecurity requirements on manufacturers and retailers throughout every stage of the value chain, ensuring that products are placed on the market with fewer vulnerabilities.
2. What products are concerned?
The CRA applies to all “products with digital elements, the intended purpose or reasonably foreseeable use of which includes a direct or indirect logical or physical data connection to a device or network.” The CRA broadly defines the notion of a product with digital elements as “a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately”. This includes, for example, connected wearables, password managers, internet of things devices, home assistants, apps and connected software, browsers, VPNs, or even connected toys.
Adopting a risk-based approach, the CRA divides those products into three categories, to which different levels of requirements apply:
- all products with digital elements;
- important products with digital elements, which are products that by nature present more cybersecurity risks due to their core functionality. They include products whose core functionality is, for example, access management, internet browsers, password managers, VPNs, operating systems, smart home assistants, personal wearables or products with security features;
- critical products with digital elements, which are products that have a cybersecurity-related functionality and perform a function which carries a significant risk of adverse effects in terms of its intensity and ability to disrupt, control or cause damage to a large number of other products with digital elements through direct manipulation. These are limited to hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes, including for secure crypto-processing, and smart cards or similar devices, including secure elements.
3. Who is affected?
The CRA distinguishes different levels of responsibility among stakeholders, who are divided into three categories: manufacturers, importers and distributors.
- Manufacturers (entities that develop or manufacture the products) are responsible for ensuring that products meet security-by-design principles, conducting conformity assessments, and maintaining cybersecurity updates throughout the product lifecycle.
- Importers (entities that place the product on the EU market) are required to verify that non-EU products comply with the CRA before placing them on the market, ensuring they meet all certification and reporting standards.
- Distributors (other entities than the manufacturers or importers of products within the supply chain that make the products available) must ensure that only compliant products reach consumers and provide necessary documentation and security information as required (and as provided to them by manufacturers and importers).
These regulated stakeholders must work in coordination to uphold cybersecurity standards and mitigate potential threats, ensuring a safer and more resilient digital ecosystem across the EU.
End users of products with digital elements, for their part, have no obligations.
4. What are the key obligations?
As highlighted above, the CRA applies broadly to any kind of product with digital elements that is put on the EU single market. Unlike sector-specific regulations, the requirements of the CRA will apply across industries to ensure that cybersecurity is integrated from the design phase throughout the entire product lifecycle. Consequently, manufacturers, software developers, importers, and distributors operating in various industries must comply with its cybersecurity standards.
The majority of the obligations foreseen under the CRA are borne by manufacturers. The new framework includes, amongst others, the following obligations for manufacturers:
- Conformity obligations: manufacturers must ensure that their products adhere to essential cybersecurity requirements before being introduced to the EU market. Conformity obligations involve conducting risk assessments, incorporating security-by-design principles, and maintaining comprehensive technical documentation. In specific cases, third-party conformity assessments may be necessary to verify compliance with the CRA’s legal provisions.
- EU CE marking: products that meet the CRA’s cybersecurity requirements must bear the CE marking, signifying their compliance with EU safety, health, and environmental protection standards. This marking facilitates market access within the EU and assures consumers and businesses of the product’s security integrity.
- Vulnerability monitoring and incident reporting: manufacturers must implement a robust vulnerability management system to continuously monitor and mitigate cybersecurity risks linked to their products. Manufacturers must provide timely security updates and patches throughout the product’s lifecycle. Furthermore, any significant cybersecurity incident or vulnerability must be reported to the designated competent authorities.
- Security updates: as part of the vulnerability handling requirements, manufacturers must ensure that the necessary security updates are installed on the products and available to the users for the duration of the product lifecycle.
Importers and distributors also play an important role in ensuring that products with digital elements meet essential cybersecurity requirements; however, the obligations of importers and distributors are lighter and directly linked to those of the manufacturers.
Importers must verify that manufacturers have completed the necessary conformity assessments, provided technical documentation, and included the CE marking and declaration of conformity. They must not sell non-compliant products and must report significant cybersecurity risks to both manufacturers and authorities. Additionally, importers must display their contact details, take corrective actions when needed, and retain compliance documents for at least 10 years. If a manufacturer ceases operations, importers must notify authorities and, where possible, inform product users.
Similarly, distributors must act with due care when making products available on the market. They must check that the CE marking is present and confirm that both the manufacturer and importer have met their obligations. If a product does not comply with cybersecurity regulations or poses a risk, distributors must not sell it and must notify the relevant parties. They are also responsible for addressing non-compliance issues, reporting vulnerabilities, and cooperating with market surveillance authorities. Should a manufacturer cease operations, distributors must inform authorities and, if possible, notify users. Together, importers and distributors ensure that digital products remain safe and compliant throughout the supply chain.
5. What is the timeline?
The CRA was formally adopted on 23 October 2024 and will follow a phased implementation timeline to allow businesses and regulatory bodies to better prepare for its full application.
According to this phased application, the CRA will enter into application as follows:
- As of 11 September 2026: the initial requirements, such as vulnerability monitoring and reporting obligations, become mandatory.
- As of 11 December 2027: the full application of all CRA requirements, including conformity assessments and market surveillance obligations.
6. What is the expected impact?
As the CRA sets new cybersecurity standards and a high bar in terms of compliance requirements, it is expected (at least in the long term) to have a positive impact on any business involved with digital products.
However, manufacturers will need to allocate resources to align with the CRA’s cybersecurity requirements. This includes investments in risk assessments, continuous software updates, and regulatory reporting mechanisms. While larger manufacturers may adapt more easily, smaller businesses could face financial and operational challenges in meeting these obligations.
Furthermore, the CRA is expected to enhance consumer confidence in digital products. Users will benefit from more secure products, increased transparency regarding security risks, and improved access to security updates. Efficient adherence to CRA requirements will facilitate access to the EU market, whereas non-compliant entities risk legal penalties.
Lastly, the CRA is also expected to drive more innovation and competitiveness in cybersecurity technologies and services. As organisations seek efficient ways to achieve compliance, demand for security solutions such as automated vulnerability detection, compliance management software, and cybersecurity consulting is anticipated to increase.
Overall, while the CRA imposes significant regulatory challenges, it also provides a critical opportunity to enhance cybersecurity resilience across industries. By prioritising compliance, businesses can not only meet legal obligations but can also contribute to a more secure and trustworthy digital ecosystem.
If you have any questions or would like to discuss the potential impact of the Cyber Resilience Act on your business, feel free to reach out to us at jca@simontbraun.eu.
***
This newsletter does not constitute legal advice or a legal opinion. Please consult with a legal counsel before taking any action based on the information provided.