The Cyber Resilience Act (“CRA”) (Regulation (EU) 2024/2847) entered into force on 10 December 2024, and provides companies with a three-year grace period to put compliant products on the EU market (i.e. by 11 December 2027). It complements the NIS 2 Directive by introducing cybersecurity requirements for manufacturers of "products with digital elements" (“PDEs”), that is, hardware and software products that are connected, whether directly or indirectly, to another device or network. PDEs range from baby monitors, smart watches and computer games to firewalls and routers. Unlike NIS 2 and the EU Data Act, the CRA does not have exemptions based on company size or financial criteria.
According to the EU Commission there is a ransomware attack "every 11 seconds", and the ultimate aim of the CRA is to reduce the number of cybersecurity incidents and with this, the cost of incident handling and reputational damage for companies. As such, it would increase the level of trust consumers and business customers have in companies and products, and so increase the demand for products with digital elements, both within and outside the EU.
However, the CRA will inevitably result in significant compliance costs for in-scope economic operators. They will have to adapt to the new requirements and standards, monitor and report any incidents or vulnerabilities, and face significant sanctions or liability in cases of non-compliance or breach.
What risks does the CRA aim to address?
The CRA aims to tackle two key issues:
(1) the low level of cybersecurity of PDEs and the fact that many manufacturers do not provide updates to address vulnerabilities. While manufacturers of PDEs sometimes face reputational damage when their PDEs lack security, the cost of vulnerabilities is predominantly borne by professional users and consumers; and
(2) the insufficient information available to businesses and consumers to determine which PDEs are secure.
The new rules tackle these two aspects by addressing the issue of updates and providing up-to-date information to customers.
When the CRA enters into force, software and products connected to the internet will bear a CE marking to indicate they comply with the new standards. By requiring manufacturers to prioritise cybersecurity, customers and businesses would be empowered to make better-informed choices, confident of the cybersecurity credentials of CE-marked products.
Scope
Material Scope
The CRA’s material scope is broad. A PDE is defined as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately”. It includes all PDEs that are "made available on the EU market". This encompasses supplying a product for distribution or use within the EU market during commercial activities, whether for payment or free of charge.
The CRA will apply to all products "whose intended purpose or foreseeable use includes a direct or indirect connection to another device or network", except for specified exclusions such as open-source software or services that are already covered by existing rules (such as medical devices, aviation and cars). Free and open-source software is only subject to the CRA to the extent it is intended for commercial activities.
The EU Commission's FAQs on the CRA indicate that software provided as part of a service is not covered by the CRA. However, the NIS 2 Directive, and other sectoral legislation, ensure that systems provided as a service or developed in-house meet equivalent technical requirements for cybersecurity.
Territorial Scope
The CRA applies to all PDEs made available on the EU market. Accordingly, the CRA has implications for economic operators within and outside the EU, if they make PDEs available on the EU market or seek to significantly modify products already made available on the EU market once the CRA is in effect.
Categorisation of Products
The CRA adopts a risk-based classification system, which dictates the applicable cybersecurity requirements and conformity assessment procedures, based on the PDE’s cybersecurity risk level. The greater the risk level, the stronger the requirements:
- Non-critical PDEs (e.g. photo editing software, text processors, and simple smart home devices) comprise approximately 90% of the market.
- Important PDEs are divided into two subcategories: Class I (e.g. identity management systems, browsers, and password managers) and Class II (e.g. firewalls, intrusion prevention systems, and secure microprocessors). Important Class II products present a higher level of risk than important Class I products.
- Critical PDEs are associated with essential entities (as defined under the NIS 2 Directive) or critical supply chains (e.g. smart meter gateways, advanced cryptographic devices, and tamper-resistant hardware). Critical PDEs bear the highest level of risk.
Key Obligations
The CRA sets out obligations for various "economic operators" along the supply chain, including manufacturers (along with their authorised representatives), distributors, importers, and any other natural or legal person subject to obligations in relation to the manufacture of PDEs or making them available on the market in the course of a commercial activity (e.g. open-source software stewards).
Manufacturers
The most stringent obligations are placed on manufacturers. In particular, manufacturers are required to ensure that PDEs are designed, developed and produced in accordance with the "essential cybersecurity requirements" set out in Annex I of the CRA. This requires, inter alia, manufacturers to undertake a cybersecurity risk assessment, and to design and develop PDEs with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users. PDEs must be made available on the EU market without any known exploitable vulnerabilities, must be subject to appropriate policies and procedures for detecting and remediating potential vulnerabilities, and must be accompanied by security information and instructions that provide transparency to users.
Manufacturers are also required to conduct a conformity assessment to verify whether the "essential cybersecurity requirements" set out in Annex I have been fulfilled. This can be done via self-assessment or a third-party conformity assessment, depending on the level of risk associated with the product in question.
After performing the relevant conformity assessment procedure, the manufacturer must draw up an EU declaration of conformity and affix the CE marking. The CE marking indicates the conformity of PDEs with the CRA, so that they can move freely within the internal market.
Importers and Distributors
The CRA imposes due diligence obligations for importers and distributors of PDEs.
Importers in particular must, before making a PDE available on the EU market, verify that the manufacturer has undertaken an appropriate conformity assessment and prepared adequate technical documentation; that the product bears a “CE” marking and is accompanied by a declaration of conformity; and that the information and instructions to the user can be easily understood by users and market surveillance authorities.
Distributors are subject to a lighter regime, but must act with due care having regard to the requirements of the CRA. In particular, before making a PDE available on the EU market, they must verify that the product bears a “CE” marking, and that the manufacturer and importer have complied with their key obligations under the CRA and provided all necessary documentation to the distributor.
Importers and distributors also have certain other obligations, including reporting obligations. For example, upon becoming aware of a vulnerability in the PDE, they must inform the manufacturer without undue delay. Furthermore, where a PDE presents a significant cybersecurity risk, they must inform, without undue delay, both the manufacturer and market surveillance authorities.
Reporting Obligations
The CRA imposes reporting obligations on manufacturers towards the European Union Agency for Cybersecurity ("ENISA") and the Computer Security Incident Response Team (“CSIRT”). Manufacturers will need to report any actively exploited vulnerability (defined as a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without the permission of the owner) contained in the PDE, or any severe incident having an impact on the security of the PDE, without undue delay, and in any event within 24 hours of becoming aware of it. The manufacturer must provide any follow-up information as a general rule within 72 hours, and a final report within 14 days (in the case of an actively exploited vulnerability) or within one month (in the case of a severe incident). There are specific rules to determine the competent CSIRT.
The intention is for notifications to be submitted using the electronic notification end-point of the competent CSIRT, which should as a rule simultaneously be accessible to ENISA. Users of the PDE will also need to be informed of an actively exploited vulnerability or a severe incident without undue delay and, where necessary, about risk mitigation and any corrective measures they might deploy to mitigate the impact.
Supervision and Enforcement
The CRA provides the European Commission, ENISA, and national authorities with comprehensive market monitoring, investigative and regulatory powers. For cross-border matters, the CRA also addresses the different procedures and principles for these authorities to cooperate with each other if disagreements arise in the interpretation and application of the law.
Member States must appoint one or more market surveillance authorities, with responsibility for national enforcement of the CRA. In case of non-compliance, market surveillance authorities may require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that do not adhere to the rules.
Administrative Fines for Non-Compliance
The CRA provides Member States with discretion regarding the method for imposing administrative fines. However, it establishes maximum levels for administrative fines, which should be provided for in national laws in cases of non-compliance. It also sets out the criteria to be taken into account for the calculation of administrative fines. In particular:
- Failure to comply with the Act’s essential cybersecurity requirements, conformity assessment and reporting obligations may result in maximum administrative fines of up to €15 million or 2.5% of annual global turnover, whichever is higher.
- Breaches of the other CRA rules, including requirements to appoint an authorised representative, obligations applicable to importers and distributors, and certain requirements for the EU declaration of conformity, technical documentation and CE marking, may result in administrative fines of up to €10 million or 2% of annual global turnover, whichever is higher.
- Organisations which supply incorrect, incomplete or misleading information may face an administrative fine of up to €5 million or 1% of annual global turnover, whichever is higher.
When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account, including the size and market share of the operator committing the infringement.
In addition, non-compliance with requirements may result in corrective or restrictive measures, including market surveillance authorities or the EU Commission recalling or withdrawing products from the EU market.
Overlap with other EU Digital Legislation
The CRA FAQs state that the Act aims to “harmonise the EU regulatory landscape by introducing cybersecurity requirements for products with digital elements and avoid overlapping requirements stemming from different pieces of legislation”.
It is noteworthy that the application of the CRA is subject to certain exclusions where relevant PDEs are already covered by certain regulations, such as NIS 2 and the AI Act. In relation to high-risk AI systems, for example, the CRA explicitly provides that PDEs that also qualify as high-risk AI systems under the AI Act will be deemed in compliance with the AI Act’s cybersecurity requirements where they fulfil the corresponding requirements of the CRA. In addition, the CRA indicates that the application of the CRA may be limited or excluded where PDEs are covered by other EU rules laying down requirements addressing some or all of the risk covered by the essential requirements set out in Annex I CRA, in a manner consistent with the applicable regulatory framework, and where the sectoral rules achieve the same or a higher level of protection as that provided under the CRA.
The CRA FAQs highlight that the CRA aims to complement NIS 2. The latter puts in place cybersecurity requirements, including supply chain security measures and incident reporting obligations for essential and important entities, with a view to increasing the resilience of the services they provide. Therefore, the enhanced level of cybersecurity of PDEs would facilitate compliance by the entities in the scope of the NIS 2 Directive and would strengthen the security of the entire supply chain.
Next Steps
As an EU Regulation, the CRA is directly applicable in all EU Member States. The CRA will apply in full from 11 December 2027. However, certain provisions and requirements will come into effect sooner than this. For example, from 11 June 2026, the CRA's rules on notification of conformity assessment bodies (Chapter VI) will apply. In addition, the reporting obligations of manufacturers for actively exploited vulnerabilities and severe incidents will apply from 11 September 2026, since they require fewer organisational adjustments than the other new obligations.
Even though most of the obligations imposed by the CRA will not come into effect for another three years, it would be prudent for companies to commence CRA compliance projects now, in light of product development and launch timelines, and the fact that the requirements set out in the CRA will impact these stages of the product lifecycle.
To make it easier for manufacturers – in particular for those that build important products – to apply the essential cybersecurity requirements, the EU Commission will issue a standardisation request, allowing the European Standardisation Organisations to develop technical standards for many of the product categories covered by the CRA. In addition, the EU Commission will issue guidelines to assist economic operators in complying with their new obligations under the CRA.
Contact Us
Matheson's Technology & Innovation Group is available to guide you through the complexities of understanding your organisation's obligations under the CRA. For more information, please contact Davinia Brennan, Anne-Marie Bohan, Sarah Jayne Hanna, Carlo Salizzo, or your usual Matheson contact.