The European Council officially adopted the Cyber Resilience Act
On October 10, 2024, the European Council officially adopted the Cyber Resilience Act (CRA)—a landmark regulation aimed at ensuring that products with digital features are secure against cyber threats and provide sufficient information about their security. Introduced as part of the 2020 EU Cybersecurity Strategy, the CRA complements existing regulations, such as the NIS2 Framework, and addresses the growing cyber risks associated with digital devices.
Addressing a Critical Need for Security
The CRA applies to all products connected directly or indirectly to another device or network, with exceptions for open-source software and regulated industries like medical devices, aviation, and automobiles. Manufacturers will be required to ensure compliance by 2027, bringing secure digital products to the EU market.
The urgency for this regulation is evident in the rise of cyberattacks targeting hardware and software products, contributing to an estimated global cost of €5.5 trillion in cybercrime annually by 2021. These attacks expose widespread vulnerabilities in products that often lack adequate security features or consistent updates. Users, too, are hampered by insufficient awareness, which prevents them from selecting secure products or using them safely.
Until now, most hardware and software products have not been covered by EU cybersecurity legislation, leaving a significant gap in consumer and business protection. The CRA aims to close this gap by ensuring that both embedded and non-embedded software are secure throughout their lifecycle.
Key Objectives of the CRA
The European Council outlined two primary goals for the CRA:
- Secure Product Development: Reducing vulnerabilities in digital products and requiring manufacturers to prioritize security from design through the product’s lifecycle.
- Empowering Users: Equipping businesses and consumers with the information needed to choose and use secure products effectively.
Additionally, the CRA focuses on:
- Ensuring manufacturers enhance product security from the design phase onward.
- Simplifying compliance for hardware and software producers across the EU.
- Increasing transparency regarding the security features of digital products.
- Enabling businesses and consumers to use products with confidence in their cybersecurity.
CRA’s Role in Consumer and Business Protection
The CRA’s primary goal is to protect both consumers and businesses that use digital products by introducing mandatory cybersecurity requirements for manufacturers and retailers. These requirements address two major issues:
- Inadequate Security: Many products currently lack sufficient cybersecurity measures or timely security updates.
- Difficulty Identifying Secure Products: Consumers and businesses struggle to identify cybersecure products or configure them for maximum security.
By setting harmonized rules for bringing products with digital elements to market, the CRA ensures cybersecurity is integrated from design through development and maintenance, across the entire product life cycle. The regulation will also impose a duty of care on manufacturers to maintain security even after the product’s release.
Scope of the CRA
The CRA will cover a wide range of products, from IoT devices like smart doorbells and baby monitors to networked software systems. It aims to address gaps in current regulations and harmonize cybersecurity requirements across the EU. This unified approach simplifies compliance and helps prevent the introduction of vulnerable products into the market.
Products that meet the CRA’s requirements will carry the well-known “CE” marking, indicating that they comply with the EU’s high standards for safety, health, and environmental protection.
Requirements and Next Steps
The CRA will apply to both hardware and software products, covering their design, development, production, and availability on the market. Certain products—such as medical devices and aeronautical equipment—may be exempt if already regulated under other EU laws. Meanwhile, the UK’s similar Product Security and Telecommunications Infrastructure (PSTI) Act took effect in April 2024, reinforcing the shared commitment to enhancing digital security across borders.
Following its adoption, the CRA will be signed by the presidents of the European Council and European Parliament before being published in the EU’s official journal.
Why Compliance Matters for Providers
Adhering to the CRA is critical for several reasons:
- Legal Compliance: Non-compliance could lead to fines and restricted market access. Ensuring CRA conformity allows providers to continue selling products across the European Economic Area (EEA) without legal barriers.
- Building Consumer Trust: The CE marking, denoting CRA compliance, boosts consumer confidence, as buyers are more likely to choose products that meet stringent security standards.
- Enhanced Cybersecurity: As cybersecurity threats grow, the CRA helps providers maintain a consistent security standard across their product range, reducing the risk of cyberattacks that could damage reputation or lead to costly breaches.
- Market Efficiency: A unified set of cybersecurity regulations across EU member states simplifies the compliance process, allowing providers to operate more efficiently in multiple markets.
- Future-Proofing: The CRA ensures that products remain compliant with evolving security demands, safeguarding businesses against future threats and regulatory changes.
The Path Forward
The Cyber Resilience Act represents a crucial step toward securing the digital ecosystem of the EU. By prioritizing security, transparency, and harmonized rules, it positions Europe to better withstand the growing challenges posed by cyber threats—while ensuring that consumers and businesses alike can trust the products they use in an increasingly interconnected world.