The EU Cyber Resilience Act (CRA): Publication, Scope, and Enforcement
On November 20, 2024, the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) was published in the Official Journal of the European Union; it entered into force on December 10, 2024, starting a phased implementation of its obligations. The CRA is a landmark regulation aimed at safeguarding consumers and businesses from cybersecurity threats by establishing uniform cybersecurity requirements for hardware and software products with digital elements (PDEs) placed on the EU market. It is a central element of the EU's Cybersecurity Strategy for the Digital Decade.
The CRA fills a regulatory gap by imposing mandatory cybersecurity requirements on the design, development, production, and making available of PDEs, covering the entire product lifecycle. It applies to manufacturers, importers, distributors, and any other entity placing PDEs on the EU market. With few exceptions, the CRA covers every product whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network, including smart devices, software, and hardware components. It does not apply to products already covered by sector-specific EU rules with equivalent cybersecurity requirements, notably medical devices, civil aviation products, and motor vehicles subject to type-approval; products developed exclusively for national security or defence purposes are also excluded. Free and open-source software is out of scope only when it is not supplied in the course of a commercial activity. Products certified under an EU cybersecurity certification scheme are not excluded; they benefit from a presumption of conformity with the corresponding CRA requirements.
Manufacturers have the most extensive obligations under the CRA. They must ensure PDEs are designed, developed, and produced to meet the essential cybersecurity requirements set out in the regulation, which include shipping without known exploitable vulnerabilities and with a secure-by-default configuration, protecting against unauthorized access, minimizing attack surfaces, and preserving the confidentiality and integrity of data. Manufacturers are required to conduct and maintain a cybersecurity risk assessment throughout the product lifecycle, document it in the technical documentation, identify and record the components the product contains (including a software bill of materials), and exercise due diligence so that third-party and open-source components do not compromise the PDE's security. They must also operate a vulnerability handling process, provide security updates free of charge for a support period of at least five years (or the product's expected lifetime, if shorter), and report actively exploited vulnerabilities and severe incidents affecting the product's security through the single reporting platform to the designated national CSIRT and ENISA: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for an exploited vulnerability (one month for a severe incident). The conformity assessment route depends on the product's category. "Important" products listed in Annex III, such as web browsers, password managers, operating systems, firewalls, hypervisors, and microprocessors with security-related functionality, must undergo third-party conformity assessment unless they are in Class I and fully apply harmonised standards, in which case self-assessment is permitted; Class II products always require a third party. "Critical" products listed in Annex IV, such as smart meter gateways and smartcards or secure elements, may additionally be required to obtain a European cybersecurity certificate.
The CRA also imposes obligations on importers and distributors. Importers must verify that the manufacturer has carried out the appropriate conformity assessment and drawn up the technical documentation, and both importers and distributors must check that the PDE bears the CE marking and is accompanied by the EU declaration of conformity and user information on cybersecurity and security updates. If an importer or distributor knows or has reason to believe that a product presents a significant cybersecurity risk or does not conform to the essential requirements, it must not place the product on the market and must inform the manufacturer and the market surveillance authorities.
Enforcement of the CRA rests with national market surveillance authorities, supported by ENISA and coordinated across the EU through the Administrative Cooperation Group (ADCO). Authorities may conduct "sweeps", simultaneous coordinated control actions across several Member States to verify compliance, and may order corrective measures such as bringing a product into conformity, withdrawing it from the market, or recalling it. Non-compliance can result in substantial administrative fines. Breaches of the essential cybersecurity requirements or of the manufacturer's core obligations (including vulnerability handling and reporting) may lead to fines of up to €15 million or 2.5% of the company's total worldwide annual turnover, whichever is higher. Breaches of any other obligation under the regulation carry fines of up to €10 million or 2%, and supplying incorrect, incomplete, or misleading information to notified bodies or market surveillance authorities carries fines of up to €5 million or 1% of global turnover.
The CRA introduces a phased implementation schedule. The provisions on notified bodies and conformity assessment bodies apply from June 11, 2026, the reporting obligations for manufacturers apply from September 11, 2026, and all remaining obligations apply from December 11, 2027. To prepare, companies should map their product portfolio against the CRA's scope and product categories, close gaps against the essential requirements, establish vulnerability handling and reporting processes, and be ready for conformity assessment by notified bodies and for market surveillance checks by national authorities. The CRA aims to harmonize cybersecurity rules across the EU and to reduce regulatory overlap with related laws such as the AI Act and the NIS2 Directive. However, its interaction with certain regulations, like DORA, remains ambiguous, creating potential legal uncertainties.
The CRA is a significant shift in EU cybersecurity policy, requiring companies to adopt a proactive approach to cybersecurity. It establishes a harmonized regulatory framework for PDEs, ensuring safer digital products for consumers and businesses alike.