Information & infrastructure security
The Cyber Resilience Act (CRA)
What is the purpose of the CRA?
The CRA (Regulation (EU) 2024/2847) is an EU Regulation, meaning that it takes direct effect across all EU Member States without the need for national implementing legislation. Consumers and businesses are increasingly exposed to the effects of security flaws in digital products, from Wi-Fi routers and gaming systems to burglar alarms, digital doorbells, smart fridges and baby monitors. The CRA introduces common cyber security rules for manufacturers and developers of products with digital elements, covering both hardware and software, including the remote data-processing solutions a product depends on.
Key provisions
- Products with digital elements must meet essential cyber security requirements before being marketed. The use of CE marking will indicate compliance with the CRA.
- Requires manufacturers to integrate cyber security into the design and development of their products – cyber security by design and default.
- Manufacturers must report actively exploited vulnerabilities in their products, and severe incidents affecting the security of their products, through the single reporting platform to the CSIRT designated as coordinator in their Member State and to ENISA (the EU agency for cyber security). An early warning is due within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report later (14 days after a fix is available for a vulnerability, one month after the incident notification for an incident).
- Manufacturers must provide clear and transparent cyber security information.
- New obligations for manufacturers to define a support period for each product with digital elements, reflecting the time the product is expected to be in use and as a rule lasting at least five years, and to provide security updates throughout that period.
The CRA sorts the products it covers into tiers based on their level of risk. The default tier is hardware and software with a low level of criticality (eg hard drives or storage software), and around 90% of products fall into this tier.
Above that sit "important" products (Annex III), divided into class I – lower risk (eg password managers, VPNs, routers, browsers, operating systems, smart home assistants and connected toys with social interactive features) and class II – higher risk (eg hypervisors, firewalls and intrusion detection systems, tamper-resistant microprocessors), and "critical" products (Annex IV, eg hardware devices with security boxes, smart meter gateways, smartcards and secure elements), reflecting their security function and intended use.
Manufacturers must put products through a conformity assessment to demonstrate compliance with the CRA's essential requirements. Default products can be self-assessed. Important class I products can be self-assessed only if the manufacturer fully applies the relevant harmonised standards or common specifications; otherwise, and in all cases for class II products, a third-party (notified body) assessment is required. Critical products are expected to be certified under a European cybersecurity certification scheme where one has been designated for them, and otherwise undergo third-party assessment. Compliance is indicated by issuing an EU declaration of conformity and applying the CE mark.
Where will the CRA apply?
The CRA applies to products with digital elements made available on the EU market in the course of a commercial activity, regardless of where the manufacturer is established. Free and open-source software supplied outside a commercial activity is out of scope, and non-profit "open-source software stewards" are subject to a lighter set of obligations.
Who will have obligations under the CRA?
- Manufacturers must ensure that digital products comply with the essential cyber security requirements and go through the applicable conformity assessment procedure before being placed on the market. They must draw up and retain technical documentation, maintain a vulnerability handling process (including a coordinated vulnerability disclosure policy and a software bill of materials), and meet the reporting obligations for actively exploited vulnerabilities and severe incidents.
- Importers must ensure digital products they place on the EU market meet cyber security requirements and are CE marked.
- Distributors must verify that the digital products bear CE marking and have a duty of care to ensure that manufacturers and importers have complied with their obligations.
Are there sanctions for non-compliance?
Yes – market surveillance authorities can:
- prohibit or restrict the availability of non-compliant products
- order the withdrawal or recall of non-compliant products
- impose fines for non-compliance, with the rules on penalties laid down by Member States within the maximums set by the Regulation.
Maximum fines for manufacturers are the greater of EUR15 million or 2.5% of total worldwide annual turnover for breaches of the essential requirements or of the core manufacturer obligations (including reporting); lower ceilings apply to other obligations (EUR10 million or 2%) and to supplying incorrect or misleading information to authorities (EUR5 million or 1%).
Key dates and deadlines
- 10 December 2024 – the CRA entered into force.
- 11 June 2026 – Chapter IV (notification of conformity assessment bodies) applies.
- 11 September 2026 (21 months after entry into force) – Article 14 reporting obligations for actively exploited vulnerabilities and severe incidents apply.
- 11 December 2027 – the remaining provisions apply. Products placed on the market before this date fall under the Regulation only if they are substantially modified afterwards, but the Article 14 reporting obligations apply to them regardless.