
Ready for the EU Cyber Resilience Act

EU Cyber Resilience Act

Get ready for the new EU Regulation with our CRA Readiness Check.

With the Cyber Resilience Act, the European Union is introducing binding cybersecurity requirements for “products with digital elements”. The aim of the cybersecurity requirements for companies is to increase resilience against cyberattacks and to provide reliable digital services.

The Regulation was published in the Official Journal of the EU in November 2024, which officially started the deadlines for implementing its IT security requirements.

  • 11 June 2026: Chapter IV (notification of conformity assessment bodies) comes into effect.
  • 11 September 2026: Article 14 (reporting obligations for manufacturers) requires manufacturers to notify national authorities and ENISA of actively exploited vulnerabilities in their products.
  • 11 December 2027: From this date, all CRA requirements will apply, meaning that no "product with digital elements" may be sold in the EU without a CE mark.

Learn how you can meet the requirements of the new EU Regulation and ensure your products are secure for the European market: Our Quick Check will immediately tell you whether you need to take action.

What is the Cyber Resilience Act and which rules will apply starting in 2027?

  • The Cyber Resilience Act applies to any product with digital elements that is intended to be sold and distributed in the European Single Market.
  • The economic actors affected have different obligations; depending on the product category, these may require a more comprehensive reading of the EU Regulation and greater implementation effort.
  • For certain products, independent third parties must certify the CRA compliance of the product.
  • In the event of non-compliance, the products may not be placed on the market, and economic actors may be subject to considerable fines.

Who and what is affected by the Cyber Resilience Act?


Manufacturers

Individuals or companies who develop, manufacture, or market products that contain digital elements, regardless of whether for payment or free of charge.

Importers

Individuals or companies within the EU who place products with digital elements on the market that bear the name or trademark of a natural person or company outside the EU.

Distributors

Individuals or companies who supply the EU market with products with digital elements without modifying their characteristics, excluding manufacturers and importers.

Open-source software administrators

Organizations other than manufacturers that systematically support the development of specific products with digital elements that qualify as open-source software intended for commercial purposes.

Hardware

Physical electronic systems that process, store, or transmit digital data, including those systems’ components.

Software

Integrated software (embedded software), stand-alone software and commercial software solutions.

Cloud

Remote data processing solutions, such as cloud services, offered by manufacturers of smart, remote-controlled household appliances.

Complete our CRA Readiness Check.

Start your comprehensive preparation for the Cyber Resilience Act now and make sure your products are in compliance once the new EU Regulation comes into force.

Our CRA Readiness Check will help you understand the new requirements of the EU Regulation, meet them on time and ensure that your products conform to the highest cybersecurity standards.

Your benefits with our CRA Readiness Check:

Early vulnerability assessment

Proactively identify vulnerabilities and remedy them before the CRA takes effect.

Targeted compliance preparation

Structure and prioritize your measures to ensure that your products comply with the CRA requirements.

Minimizing risks

Reduce the risk of fines and market disruptions by adapting early to the regulatory requirements.

Efficient processes

Optimize your internal processes and ensure that your team is well prepared for the implementation of the CRA.

Cyber Resilience Act (CRA) FAQs


What is the EU Cyber Resilience Act about?

Today, cybersecurity is more critical than ever for governments, companies and individuals. Acknowledging this, in September the EU published the Cyber Resilience Act (CRA), which had been adopted by the European Parliament on March 12, 2024. Its aim is to introduce binding cybersecurity requirements for “products with digital elements” starting in 2027, in order to increase resilience to cyberattacks in the EU and ensure the reliability of digital services.

What are the objectives of the CRA?

First, the CRA aims to reduce vulnerabilities and weaknesses in products containing digital elements, in order to minimize the risk of cyberattacks and the associated dangers for users and entire supply chains.

Second, the Cyber Resilience Act places more responsibility on manufacturers and suppliers. They are now required to ensure that their products are designed and distributed securely before they reach the European market. This enhances security across the entire life cycle of a product.

Finally, the Cyber Resilience Act aims to increase transparency for users by providing clear information about the security features and potential risks of digital products. This allows consumers to make informed decisions and to be better informed about how to use their digital products securely.

What is the difference between the Cyber Resilience Act (CRA) and NIS2?

The Cyber Resilience Act (CRA) and the NIS2 Directive share the same goal of enhancing cybersecurity in the EU. However, each has a different focus.

While the CRA focuses on the security of digital products by setting binding standards for hardware and software sold in the EU, the NIS2 Directive focuses on securing networks and information systems that are vital for critical infrastructures and important services.

Together, the two regulations provide a comprehensive cybersecurity strategy in the EU that covers products as well as infrastructures. Companies that both manufacture products and offer critical services must take the requirements of both regulations into account and coordinate their security measures accordingly.

What are the fines for non-compliance with the CRA?

Violations can result in fines of up to EUR 15 million or 2.5% of the annual global revenue of the company concerned, whichever amount is higher. In addition, products with digital elements that do not comply with the CRA requirements once those have come into force may not be placed on the market, and they face the risk of being excluded from supply chains and tenders.

Who must meet which obligations?

Manufacturers are required to comply with comprehensive cybersecurity requirements, which include the continuous identification and documentation of security aspects and the rapid elimination of vulnerabilities. They must also subject their products to a conformity assessment and provide the authorities with the necessary information and notifications.

Open-source software (OSS) administrators also carry an important responsibility: they must develop a cybersecurity strategy and perform administrative duties such as providing technical documentation. Importers are responsible for ensuring that the products they place on the EU market comply with the CRA requirements. They must verify that manufacturers meet their obligations and take the necessary corrective action in the event of non-compliance.

Both distributors and importers have a duty to ensure and verify that the manufacturer has met the CRA requirements. If either of these two economic actors makes significant changes to the product, it is considered a manufacturer under the CRA (it not only assumes the manufacturer’s obligations but is also a manufacturer in strictly legal terms with regard to the CRA). “Authorized representatives” only assume certain administrative obligations of the manufacturer (not those of importers).

How can companies comply with the EU cybersecurity standards?

To meet the requirements of the EU Cyber Resilience Act and to ensure their products are secure for the European market, companies should implement a comprehensive cybersecurity strategy. This strategy should include the continuous identification and remediation of vulnerabilities, the encryption of data and the minimization of attack surfaces. A thorough product classification and risk assessment is necessary to identify specific requirements and take targeted action.

Furthermore, it is crucial that companies conduct regular compliance assessments of their products and maintain up-to-date technical documentation to demonstrate CRA compliance. Security updates and continuous maintenance throughout the entire product lifecycle are also critical. By training their employees and working with external experts, companies can ensure that their cybersecurity measures comply with the new rules, thereby strengthening their position in the European market.

Download the CRA white paper: key insights and measures to meet the requirements.

Downloads

Flyer: EU CRA Readiness Check (PDF, 427 KB)

Contact

Contact us to request a non-binding offer.
