
The Cyber Resilience Act: A revolution in the world of IoT cybersecurity.

What is the CRA?

The Cyber Resilience Act (CRA) is a disruptive piece of EU-level legislation that establishes a uniform set of cybersecurity rules applicable to the makers and creators of products with digital elements, covering both software and hardware. As the number of IoT devices continues to soar, it has become crucial to address weak device cybersecurity and unpatched vulnerabilities by requiring regular updates and continuous support.

It was signed into law on October 10th, 2024, and will be published in the Official Journal of the European Union. It will enter into force 20 days after its publication. A 36-month transition period will be in place, giving manufacturers time to adapt their products and processes to the new requirements. During this period, manufacturers can continue to sell products that do not fully comply with the CRA, but they will need to take steps to bring them into compliance as soon as possible. After the transition period ends, all products placed on the EU market must comply with the CRA.

The legislation aims to guarantee higher levels of security for all wired and wireless items that are connected to the internet, as well as software that is available on the European single market, while mandating that manufacturers bear the responsibility for cybersecurity throughout a product’s lifespan. It will also enable customers to receive accurate and comprehensive information about the cybersecurity features of their products.

Why does cyber resilience matter?

Benefits for both businesses and consumers

Harmony

The regulation will ensure a harmonized approach to IoT device security within the EU, making it easier for manufacturers to comply with the requirements and avoiding overlapping regulations.

Security

The risk of cyber-attacks will be significantly lower, protecting businesses and consumers from potential data breaches, financial losses, and reputational damage.

Economy

Implementing cybersecurity features makes it possible to avoid the significant costs of handling data breaches, which can run into millions of dollars.

Reliability

With the increased security provided by the CRA, customers' trust will grow, leading to increased demand for products with digital elements.

Profitability

This increase in demand can translate to higher profitability for manufacturers.

Transparency

The regulation will improve transparency by making it easier to access clear information on the device, leading to better-informed purchasing decisions and customer satisfaction.

Privacy

Fundamental rights such as data protection and privacy are better protected by ensuring that data collected by IoT devices is secure and shielded from potential breaches.

To whom does the CRA apply?

The Cyber Resilience Act applies to economic operators such as manufacturers, distributors, or importers who supply digital products within the European single market. The regulation requires that products with digital elements meet specific essential security requirements before they can be made available on the market. Manufacturers of digital products must take into account cybersecurity features during the design and development phase of their products to comply with the CRA. It is important to note that software provided as a service is not covered by the CRA. However, the Directive on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) and other sectorial legislation ensure that systems provided as a service or developed in-house, such as electronic health record (EHR) systems, meet equivalent technical requirements for cybersecurity and provide the same level of protection against cyber threats.

Within the next few years, the CRA will require all IoT device manufacturers operating in the European Union to comply with the regulation, ensuring that their devices are equipped with state-of-the-art cybersecurity features. By harmonizing the regulatory landscape, overlapping requirements will be avoided, making it easier for device manufacturers to comply with the regulation.

Requirements and obligations

The Cyber Resilience Act imposes specific requirements and obligations on manufacturers of digital products. 

First is the obligation to take into account cybersecurity features during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.

Manufacturers must ensure that products meet the security requirements specified in the CRA including provisions related to security by design and default, risk management, incident management, and the protection of personal data. 

Products must be updateable and patchable to address vulnerabilities that might appear. Information about products' cybersecurity features must also be provided to users in a clear and comprehensive way.

If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the European Union Agency for Cybersecurity (ENISA) within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.

Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as fines of 15 million euros or 2.5% of annual turnover.

