Back to blogs

Blog | OCT 30, 2024

An Introductory Guide to the Cyber Resilience Act

Cyber Resilience ActIndustrial IoT

Cybersecurity is no longer just a technical concern but a regulatory one. In this blog post, we walk you through the most frequently asked questions about the EU’s Cyber Resilience Act (CRA), what it means for your products, when it applies, and how to prepare for its upcoming obligations and enforcement.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act (CRA) is a regulatory framework established by the European Union to enhance the cybersecurity of products with digital elements. The CRA’s primary aim is to create a harmonized approach to cybersecurity requirements across the EU, addressing security vulnerabilities in digital products to protect both users and critical infrastructures from cyber threats. The regulation mandates that manufacturers, distributors, and importers ensure cybersecurity standards are met throughout the entire lifecycle of these products, from initial design to post-market monitoring and support.

What Are the Key Objectives of the CRA?

The key objectives of the Cyber Resilience Act are to strengthen cybersecurity, accountability, and long-term protection for digital products across the EU. The core objectives for the CRA including:

  • Enhancing cybersecurity for digital products by enforcing strict standards.

  • Improving transparency and accountability for manufacturers, importers, and distributors in the EU market.

  • Ensuring long-term vulnerability management through security updates.

  • Standardizing cybersecurity practices across the EU, creating a harmonized, resilient digital single market.

The CRA aims to reduce risks for users and businesses alike, making the EU a leader in global cybersecurity standards.

Which Products Are Affected by the CRA?

Your next question might be: Am I Affected? The CRA applies to a broad range of "products with digital elements", covering both hardware and software components. Key categories include:

  • Connected Consumer Devices: IoT devices like smart home products, wearables, and consumer electronics that are internet-connected.

  • Industrial IoT Products: Machinery, sensors, and devices used in manufacturing and infrastructure that are connected to the internet.

  • Software Products: Any software that interacts with data or networks and may be vulnerable to cybersecurity threats, including operating systems, productivity software, and web applications.

  • Networked Products and Services: Routers, servers, and other devices central to communication networks.

The CRA’s scope is wide-reaching, capturing nearly all IoT devices and digital products that could pose cybersecurity risks in the EU market. However, certain sector-regulated and non-digital products, such as medical devices, automotive, aviation and marine equipment, national security and defence systems, and purely mechanical tools, are excluded, as they are already covered by their own dedicated regulatory frameworks.

What Is the Timeline for the CRA?

The Cyber Resilience Act was adopted by the European Commission on 20 November 2024 and came into force on 11 December 2024. Now that the Regulation has been adopted, manufacturers of IoT products will have 36 months to comply, with the main obligations coming into force on 11 December 2027. However, the reporting requirements will become enforceable 21 months after the date of entry into force, and the technical requirements will become enforceable after a further 15 months.

CRA Timeline

What Happens if You Don’t Comply with the CRA?

Non-compliance with the CRA can have serious consequences, as the EU aims to enforce cybersecurity rigorously. Penalties for non-compliance include:

  • Fines: Companies can face substantial fines, potentially up to €15 million or 2.5% of global annual turnover, whichever is higher.

  • Product Recalls: The CRA allows authorities to demand the recall of non-compliant products, potentially removing them from the EU market.

  • Market Access Restrictions: Non-compliant products may be banned from the EU market entirely, significantly impacting revenue and brand reputation.

These penalties underscore the importance of compliance for companies targeting the EU market.

What are the requirements enforced by the CRA?

The start of the journey to CRA compliance is a cybersecurity risk assessment of the product with digital elements. Based on the results of this assessment manufacturers need to comply with 13 essential cybersecurity requirements, 8 vulnerability handling requirements and provide extensive product documentation.

13 ESSENTIAL CYBERSECURITY REQUIREMENTS

(a) No Known Exploitable Vulnerabilities

(b) Secure by Default Configuration

(c) Security Updates and Opt-Out

(d) Protection from Unauthorised Access

(e) Protecting the Confidentiality of Data

(f) Protecting the Integrity of Data and Functions

(g) Data Minimisation

(h) Resilience and Availability

(i) No harm to connected systems

(j) Limiting Attack Surfaces

(k) Mitigation of Incident Impact

(l) Logging of security-relevant activity

(m) Secure Deletion and Data Transfer

8 VULNERABILITY HANDLING REPORTING REQUIREMENTS

(1) Identify & Document Vulnerabilities

(2) Risk Management & Security Updates

(3) Security Testing

(4) Notification for Security Updates & Vulnerability Disclosure

(5) Coordinated Vulnerability Disclosure Policy

(6) Vulnerability Sharing & Reporting

(7) Security Update Distribution

(8) Update Distribution and User Guidance

DOCUMENTATION OBLIGATIONS

Manufacturers must provide extensive product documentation, including: technical documentation covering the risk assessment, design choices, and how each CRA requirement is met, an EU declaration of conformity describing the applicable standards and chosen conformity assessment route, and clear user information & instructions for secure installation and use, update and support periods, and how to report vulnerabilities.

What are the options for CRA conformity assessment procedures?

Manufacturers can choose the conformity assessment procedure depending on the classification of the IoT product. Only products that are within the “default category” can be self-assessed by the manufacturer according to Module A.

For Important and Critical products, a third-party assessment by a notified body is mandatory, typically using Module B (EU-type examination) together with Module C (conformity to type) or Module H (full quality assurance). As an alternative, once available, manufacturers may also rely on a European cybersecurity certification scheme at assurance level at least “substantial” to demonstrate conformity.

Get more information about the Cyber Resilience Act from our CRA Knowledge Hub.

CRA Learning Path

Get the CRA Newsletter and unlock everything you need to stay compliant with CRA regulations: