EU Cyber Resilience Act – The New Cybersecurity Regulation in Europe

Updated: November 2024

The European Union’s Cyber Resilience Act (CRA) has officially entered a new phase, with its publication in the Official Journal of the European Union.

Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) 

This marks the start of the countdown for compliance timelines. Below, we provide the updated and most accurate details regarding the CRA, reflecting the latest developments.

BACKGROUND

In 2021, European Commission President Ursula von der Leyen announced the Cyber Resilience Act, aimed at bolstering cybersecurity measures for products with digital elements. The Act complements the existing European cybersecurity framework, including:

  • Directive on the security of Network and Information Systems (NIS Directive)

  • Cybersecurity Act

  • Delegated Regulation of 29 October 2021 under the Radio Equipment Directive

MOTIVATION

The CRA is a response to the growing economic and societal impact of cybercrime, estimated at a staggering €5.5 trillion. As stated by the European Commission, the regulation aims to address the following key issues:

  • Widespread vulnerabilities in hardware and software products

  • Insufficient and inconsistent security updates

  • Lack of adequate cybersecurity information for end-users to make informed decisions

The CRA introduces a unified framework for all products with digital elements, addressing gaps in the current EU regulatory framework. It ensures cybersecurity requirements cover the entire lifecycle of digital products, unlike previous sector-specific legislation.

OBJECTIVES

The CRA has two main objectives:

  1. Develop Secure Products: Ensure hardware and software products are designed, developed, and marketed with robust cybersecurity measures.

  2. Enhance User Awareness: Provide users with better information to select and securely use products with digital elements.

Additionally, four specific objectives were identified:

  • Mandate manufacturers to integrate security from the design phase through the entire product lifecycle.

  • Create a cohesive cybersecurity framework, easing compliance for manufacturers.

  • Enhance transparency around the security features of digital products.

  • Enable businesses and consumers to securely use digital products.

CURRENT STATUS

The CRA was officially published in the Official Journal of the EU on November 20, 2024, following its adoption by the EU Council. The regulation’s key timelines are as follows:

  • 21-Month Transition Period for Incident Reporting: By August 2026, companies must comply with incident reporting obligations.

  • 36-Month Full Compliance Period: By November 2027, all provisions of the CRA will become enforceable.

WHICH PRODUCTS? 

The CRA applies to most products with digital elements, including software and cloud services, but excludes products already governed by the following EU regulations:

  • EU 2017/745 (Medical Devices Regulation)

  • EU 2017/746 (In Vitro Diagnostic Medical Devices Regulation)

  • EU 2019/2144 (Motor Vehicle Type-Approval Regulation)

  • EU 2018/1139 (Civil Aviation Regulation)

  • Products developed exclusively for national security, military purposes, or processing classified information

ANNEXES OF THE CRA

The CRA includes detailed annexes outlining the following:

  • Essential cybersecurity requirements for products with digital elements

  • Minimum information and instructions to be provided to users

  • List of critical product types

  • EU declaration of conformity details

  • Technical documentation requirements

  • Conformity assessment procedures

These annexes provide the framework for implementation and compliance, making it essential for stakeholders to review them in detail.

OBLIGATED ENTITIES

The CRA defines obligations for various economic operators involved in the lifecycle of digital products, including:

  1. Manufacturers: Responsible for integrating security features during design, development, and production.

  2. Authorized Representatives

  3. Importers

  4. Distributors

Manufacturers, in particular, bear the primary responsibility for ensuring compliance with cybersecurity requirements outlined in Articles 10–17 of the Act.

PENALTIES

Non-compliance with the CRA will attract significant penalties:

  • Violations of the essential cybersecurity requirements: fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

  • Violations of other obligations: fines of up to €10 million or 2% of global annual turnover.

  • Providing misleading information: fines of up to €5 million or 1% of global annual turnover.

KEY TAKEAWAYS

  • The CRA provides a unified regulatory framework to address cybersecurity challenges for products with digital elements.

  • Incident reporting obligations begin in August 2026, and full compliance is required by November 2027.

  • Non-compliance could result in substantial fines, emphasizing the importance of early preparation and adherence.

CONCLUSION

The EU Cyber Resilience Act represents a transformative step toward enhancing the cybersecurity posture of digital products in the EU market. By ensuring comprehensive security measures throughout a product’s lifecycle, the CRA aims to reduce vulnerabilities and empower users. Businesses are strongly encouraged to review the Act’s requirements and prepare for compliance to avoid penalties and ensure market access.

This updated summary provides an overview of the CRA based on its latest official publication. For complete details, stakeholders should refer to the official CRA document and its annexes.

Disclaimer: This document is for informational purposes only and does not constitute legal or business advice. Please consult the official CRA text and seek professional guidance for compliance.
