The increasing digitalisation and networking of products requires enhanced security measures to prevent cyber attacks. The Cyber Resilience Act (CRA) of the European Union addresses this issue and establishes mandatory cyber security standards for products with digital elements. The aim is to minimise the risk of cyber incidents and to strengthen confidence in digital technologies.
With the Cyber Resilience Act (CRA), the European Union is creating a comprehensive and binding set of rules to strengthen the cyber security of products with digital elements. The aim of the regulation is to establish uniform cyber security standards for the European single market and thereby significantly reduce the risk of cyber attacks. At the same time, the confidence of consumers and companies in digital technologies is to be strengthened.
The CRA obliges manufacturers, importers and traders to meet cyber security requirements throughout the entire product life cycle, from design and development through manufacturing and marketing to continuous maintenance and updating. This is intended to ensure that products are not only secure when they are placed on the market but also continue to meet current security requirements throughout their life cycle.
In principle, the regulation covers all products with digital elements that are manufactured, imported or distributed in the territory of the European Union. Products with digital elements are software and hardware products, including their remote data processing solutions, as well as software or hardware components that are placed on the market separately. These include, in particular, products that are capable of processing, storing or transmitting data, such as smart home devices, networked household appliances, mobile devices and other internet-enabled products. Software products such as firmware, operating systems and applications also fall within the scope.
Products that are already covered by existing sector-specific EU rules with equivalent cyber security requirements, such as medical devices under the Medical Device Regulation, are excluded from the scope of application. The same applies to certain spare parts that must be manufactured to the exact specifications of the parts they replace and therefore do not introduce any additional cyber security risk.
The CRA came into force on 10 December 2024. The regulation is being implemented in several stages. Conformity assessment bodies may assess the fulfilment of the CRA requirements for products with digital elements as of 11 June 2026. Reporting requirements for vulnerabilities and security incidents will apply as of 11 September 2026. The transitional period ends completely on 11 December 2027, so that the new cyber security requirements for products with digital elements are binding as of that date. This applies to new products placed on the market as of 11 December 2027 and to products placed on the market earlier that have undergone significant changes.
The CRA obliges not only manufacturers but all actors along the value chain of a product, among them importers, traders and authorised representatives, to meet cyber security requirements. Companies that manage, provide or significantly change digital products are also covered by the obligations of the regulation. This expressly applies to developers or operators of open source software as well, provided that they offer their products under normal market conditions (Art. 3 No. 12 CRA).
A key innovation lies in the legal extension of manufacturer status. Pursuant to Art. 22 CRA, any natural or legal person who significantly changes a product with digital elements and places it on the market again is deemed to be a manufacturer, regardless of whether that person previously acted as a trader or importer. The regulation thus follows the system of European product safety law, according to which the placing on the market of a product is the decisive criterion.
For purely software-based products, the term "placing on the market" is not linked to a physical handover. The decisive criterion in these cases is the moment when the software is made available for download, the access code is transmitted or activation for users becomes technically feasible.
The cyber security requirements of the CRA are primarily aimed at manufacturers. The central message is that whoever places digital products on the market must ensure that they are secure, not only if they have manufactured or programmed the products themselves. The same applies to software components that originate from third parties. Pursuant to Art. 13 (5) CRA, manufacturers must ensure with "due care" that these components do not endanger the security of the product. Open source software (OSS) also falls within the scope of application of the CRA. This applies even if the OSS is available free of charge on the internet and is offered not by companies but by individuals.
Manufacturers must meet numerous requirements to guarantee the security of their products throughout the entire life cycle.
The cyber security of a product must be guaranteed during its entire so-called "life cycle", i.e., from development to the end of its useful life. For software, this means in particular creating a secure architecture, using secure default configurations and regularly providing security updates. Where they are not already in place, corresponding processes for continuously ensuring product integrity must be set up.
Manufacturers are obligated to report vulnerabilities and major security incidents affecting their products. The report must be addressed to the responsible Computer Security Incident Response Team (CSIRT) as well as to the European Union Agency for Cybersecurity (ENISA). Established deadlines must be observed: incidents must be reported within 24 hours of becoming known, and further relevant information must be provided subsequently.
Before a product is launched on the market, it must be examined whether it meets the requirements of the Cyber Resilience Act. This so-called conformity assessment is mandatory, and its form depends on how the product is classified under the CRA: the more security-critical the product, the stricter the requirements that apply. If the product passes the assessment, it receives the CE mark, the official evidence that it meets the necessary standards.
Vulnerabilities in a product must be remedied for a period of at least five years after discovery. Remediation takes the form of security updates, which as a rule must be provided free of charge. This period corresponds at least to the expected useful life of the product.
The manufacturer is obliged to document compliance with the security requirements for the product. This documentation must be maintained and kept up to date during the entire life cycle of the product. It must meet the minimum requirements of the CRA and must be traceable at any time.
Like the manufacturer, the importer may only place a product on the market if the requirements of the CRA pursuant to Art. 19 (1) CRA are met. The importer must be able to ensure and prove that the manufacturer's obligations have already been fulfilled. In addition, the importer is obliged to provide contact details on the product (or, if this is impossible, on the packaging or in the enclosed documentation). In case of security deficiencies, both the manufacturer and the competent authorities must be informed. Users must also be informed when security deficiencies become known.
At first glance, the trader has fewer obligations than the manufacturer and the importer. The trader must only verify whether the CE marking, the declaration of conformity, the end date of the support period and the contact details of the manufacturer and importer are present. If the trader determines that the product is CRA-compliant, the product may be made available on the market. If this is not the case, the trader must also take measures against existing security vulnerabilities; for instance, the trader is obliged to withdraw the product from the market and to inform the competent authorities.
Manufacturers, importers or traders who violate the new cyber security requirements of the CRA must, in principle, expect consequences. Pursuant to Art. 64 (3), fines of up to EUR 10 million or up to 2% of a company's total worldwide annual turnover of the preceding financial year may be imposed, whichever is higher. Violations of the manufacturer obligations can result in sanctions of up to EUR 15 million or 2.5% of the total worldwide annual turnover. Further restrictive measures may also be taken. Pursuant to Art. 64 (10), exceptions are made for micro and small enterprises and for administrators of open source software. The fine imposed in an individual case is always based on the specific violation, its gravity and the degree of culpability of the actor concerned, i.e., it must be proportionate. Nevertheless, companies should not take the possibility of sanctions lightly. As in data protection law, the same applies under the CRA: in the event of a violation, good documentation of the cyber security measures taken helps to provide evidence that the company fulfilled its obligations.
Companies that manufacture, import or distribute products with digital elements should check these products for possible cyber risks now and take appropriate security measures where necessary. In addition, they should prepare for their obligations to provide documentation and evidence. Targeted training courses and raising awareness among employees are also indispensable. Agreements with suppliers should be reviewed to determine whether the suppliers of components also meet appropriate IT security requirements. It is further advisable to develop an incident response plan which, among other things, ensures compliance with the reporting requirements and clearly defines responsibilities within the company.
Last but not least, the new CRA requirements for products with digital elements should already be taken into account during product design and development, so that manufacturers are not taken by surprise by the new cyber security requirements for their products in December 2027. Here, legal and technical expertise have to be combined to find solutions that not only meet the requirements of the CRA but are also practicable and economical.