7 Questions about the Cyber Resilience Act (CRA)

17 April 2025

1. What is the Cyber Resilience Act?

With the Cyber Resilience Act (CRA for short), the EU is for the first time introducing a regulation that aims to improve the cybersecurity and resilience of products with digital elements. Unlike an EU directive, the Cyber Resilience Act applies directly as a regulation in all member states, based on the primacy of EU law. This means it does not require transposition into national law, which makes the CRA particularly effective and relevant for all market participants in the EU.

The CRA is designed to address and prevent two key problems: 

  1. The low level of cybersecurity in many products, caused by widespread vulnerabilities and unclear update practices, and 
  2. The lack of user understanding and access to information for selecting and using secure products. 

In December 2024, binding cybersecurity requirements were defined for hardware and software offered on the European market. Full implementation of these requirements will occur gradually by the end of 2027. 

2. Which companies are affected by the Cyber Resilience Act? 

The CRA and its associated requirements apply to manufacturers, importers, and distributors that place digital products on the EU market. Companies that merely use such products are not directly regulated but may be subject to indirect obligations through other regulatory standards such as NIS-2 or DORA. 

3. Which products are covered by the CRA?  

The CRA applies to all products with digital elements, i.e., both software and hardware products sold in the EU. This includes: 

  • Consumer products: smartphones, smart home devices, laptops, etc.
  • Industrial products: microprocessors, firewalls, VPN hardware, etc.
  • Software products: mobile apps, computer games, security tools (e.g., antivirus), etc. 

Exemptions include: 

  • Products in the medical, automotive, aviation, and defense sectors
  • Non-commercial open-source software products 

The EU also distinguishes between “critical products”, “important products” (Class I & II), and other products. A detailed overview of the classification and associated requirements is provided by the European Commission here: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act 

4. What does the CRA change for product manufacturers? 

Manufacturers whose products fall under the Cyber Resilience Act will be required to meet specific obligations concerning the development, production, and updating of their products. These include, among others: 

  • Considering cybersecurity measures already during design and development 
  • Providing security updates for at least five years 
  • Reporting vulnerabilities and documenting security risks to the competent market surveillance authorities of the respective EU member states; in Germany, this will likely be the Federal Office for Information Security (BSI). The precise reporting structure is currently being defined at the EU level. 
  • Ensuring that products do not contain known vulnerabilities, for example through access controls, disabled debug functions, and reset mechanisms to secure default configurations 

A conformity assessment procedure is also mandatory and may vary in strictness depending on the product category. The detailed requirements are listed by the European Commission here: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

5. What are the implementation deadlines? 

The CRA will be implemented in stages: 

  • End of 2024: Publication in the EU Official Journal and entry into force
  • June 2026: Requirements for conformity assessment bodies become effective. These bodies are responsible for verifying compliance with the security standards
  • September 2026: Vulnerability reporting obligations come into force
  • December 2027: Full applicability of the CRA to all relevant products across all EU member states  

6. How does the CRA relate to other regulatory standards? 

The CRA is part of a comprehensive EU cybersecurity framework. It complements existing regulatory standards such as NIS-2, DORA, and the CER Directive, and adopts, for example, definitions and reporting obligations from NIS-2. 

In some member states - such as France - CRA, DORA, and NIS-2 are being merged into a single law. In Germany, implementation will take place separately. 

An overview of the core EU regulatory standards NIS-2 and DORA, and of why both are so important for companies, can be found in our blog post: https://www.usd.de/en/nis-2-and-dora-why-two-pieces-of-eu-legislation/ 

7. What does the CRA mean for companies? 

Manufacturers, importers, and distributors should now assess whether they are directly affected by the CRA and, if so, determine their specific obligations (e.g., security updates, technical documentation, CE marking, vulnerability management). Companies that are not directly affected should still take action: 

  • Use only CRA-compliant products (e.g., by verifying CE marking, support periods)
  • Apply regular security updates
  • Monitor and document security advisories

Although not explicitly required by the CRA, these measures are crucial for an effective IT security strategy and compliance with NIS-2. 
