The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) has become reality: it was published in the Official Journal of the EU on 20 November 2024 and will enter into force on 10 December 2024. This new Act, part of the EU’s Digital Strategy (see our overview here), aims to protect consumers and businesses from connected products and software that lack adequate cybersecurity, and it introduces a range of new compliance requirements for businesses placing such products on the EU market.
In this blogpost, we summarize the main obligations that the CRA imposes on manufacturers, importers and distributors of these digital products, the dates from which compliance will be required, and some practical tips on the actions your organization should take to be compliant on time.
Products in scope
The CRA applies to “products with digital elements”, i.e. software or hardware products (including components placed on the market separately) whose intended or reasonably foreseeable use involves a direct or indirect data connection to another device or to a network, such as connected fridges, toys or smart home devices. The term “product” can be misleading: it covers not only physical goods but also stand-alone software, for example an app installed on a device that connects to the internet, together with the remote data processing the manufacturer provides for it. The scope of application is therefore broad. Two notable carve-outs are pure cloud services (software as a service) that are not remote data processing for a product, which fall under NIS2 rather than the CRA, and free and open-source software that is not supplied in the course of a commercial activity. (In the following, we use the term ‘connected products’ for any product in scope of the CRA.) A majority of these products will also be in scope of the updated Product Liability Directive adopted in October 2024 (for details and consequences see our blogpost).
All stakeholders in the value chain are in scope – with main obligations for the manufacturer
The CRA covers the entire life cycle of connected products, from design to end of support. Manufacturers, importers and distributors of such products will all be subject to the new regulatory regime.
The main obligations under the CRA fall on the manufacturer of the connected product. They include, inter alia, the following:
- Cybersecurity risk assessment: Manufacturers must undertake an assessment of the cybersecurity risks associated with the product and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases. The assessment must be documented and updated as appropriate during the support period.
- Essential cybersecurity requirements: The manufacturer must ensure that the connected product has been designed, developed and produced in accordance with the essential requirements laid down in Annex I of the CRA. These include, for example, placing the product on the market without known exploitable vulnerabilities, a secure by default configuration, protection against unauthorised access (e.g. authentication and access control), protection of the confidentiality and integrity of data, minimisation of the attack surface, and a mechanism to deliver security updates.
- Conformity assessment: Manufacturers must assess the conformity of connected products and of the processes put in place for them against the essential requirements. For the default category this can be done by self-assessment. Products deemed “important” (Annex III, e.g. password managers, smart home devices with security functions such as door locks or cameras, firewalls) or “critical” (Annex IV, e.g. smart meter gateways or smartcards and secure elements) are subject to stricter rules: for important products, third-party assessment by a notified body is required unless, for the lower class, the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme; for critical products, certification under a European cybersecurity certification scheme may be made mandatory.
- Vulnerability handling process: The manufacturer must handle vulnerabilities effectively throughout a defined support period that reflects the product’s expected use time and is generally at least five years. This includes identifying and documenting the components contained in the product, including by drawing up a software bill of materials (SBOM) in a machine-readable format covering at least the top-level dependencies, publishing a coordinated vulnerability disclosure policy with a contact address for reporting vulnerabilities, and regularly testing the product’s security. Where a vulnerability is identified, the manufacturer has to address and remediate it without delay, including by providing security updates, which, where technically feasible, must be provided separately from functionality updates.
- Information/transparency obligations: The manufacturer has to draw up technical documentation, affix the CE marking, and provide user information and instructions (including the support period and where to report vulnerabilities) in a clear and intelligible form, in a language that can be easily understood by users and market surveillance authorities.
Further, the CRA imposes due diligence obligations on importers and distributors of connected products:
- Importers must ensure that the manufacturer has carried out the conformity assessment and drawn up the technical documentation, that the connected product complies with the essential cybersecurity requirements, and that it bears the CE marking.
- Distributors must verify the CE marking and ensure that manufacturers and importers have complied with their labelling and instruction obligations.
Reporting obligations for all stakeholders
The CRA sets out a staggered reporting obligation for manufacturers once they become aware of an actively exploited vulnerability in their product. Reports go through the single reporting platform operated by ENISA to the national CSIRT designated as coordinator and to ENISA, in three stages: (1) an early warning within 24 hours of becoming aware, (2) a vulnerability notification within 72 hours, including the corrective or mitigating measures taken or available, and (3) a final report no later than 14 days after a corrective or mitigating measure is available. The same 24-hour and 72-hour cadence applies to severe incidents having an impact on the security of the product, with the final report due within one month of the incident notification. Impacted users (and, where appropriate, all users) must be informed without undue delay about the vulnerability and any corrective measures they can take. Importers and distributors that become aware of an actively exploited vulnerability must report it to the manufacturer without undue delay.
Time to act – dates for compliance are approaching
While the CRA will be in force from 10 December 2024 and its obligations will generally only apply from 11 December 2027, it is already time to prepare. From now on it is advisable to take the CRA into account when starting to develop a product that will fall within its scope and that you expect to place on the market after 11 December 2027, so that it conforms when the CRA starts to apply. For products placed on the market before that date, the CRA will only apply if they are substantially modified after it.
However, manufacturers will already have to comply with the reporting obligations for actively exploited vulnerabilities and severe incidents from 11 September 2026, independent of when the product was placed on the market. The provisions on notified bodies (needed for third-party conformity assessments) apply from 11 June 2026.
Action items for the compliance journey
The bulk of the work to ensure compliance with the CRA lies with manufacturers. We have listed a couple of first steps manufacturers should put on their list in order to be prepared:
- Scoping: Reviewing the product portfolio against the scope of the CRA, assessing which products planned for launch from 11 December 2027 will fall under it, and classifying them as default, important or critical, since this determines the conformity assessment route. Setting up a process to monitor products that are already on the market and to track modifications that could bring them within the CRA.
- Essential cybersecurity requirements: Assessing whether the organization’s technical, operational and organizational measures meet the essential cybersecurity requirements under the CRA and preparing measures to mitigate the identified gaps.
- Implementing a vulnerability handling and reporting process: Determining the support period for each product, establishing procedures (including SBOM generation, a coordinated vulnerability disclosure policy and a separate security update channel) to ensure that vulnerabilities in each product are effectively addressed, and putting in place an internal escalation path that can meet the 24-hour early warning deadline once an actively exploited vulnerability becomes known.
Risks of non-compliance
The CRA grants national market surveillance authorities extensive powers to mitigate risks arising from non-compliance, including the power to require corrective action, restrict availability, or withdraw or recall products from the market. Authorities will also be entitled to impose administrative fines of up to EUR 15 million or 2.5 percent of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher, for infringements of the essential cybersecurity requirements and of the manufacturer’s core obligations, including the reporting obligations. Lower maximum fines apply to other infringements and to supplying incorrect or misleading information to authorities.