The Cyber Resilience Act is part of a broader EU cybersecurity legislative framework. Understanding how these regulations interact is essential for comprehensive compliance.
The European Union has developed a comprehensive cybersecurity legislative framework to protect citizens, businesses and critical infrastructure against digital threats. The Cyber Resilience Act (CRA) is the latest and most significant addition, specifically targeting products with digital elements. It complements existing regulations such as the NIS2 Directive, the EU Cybersecurity Act and the GDPR. Understanding the interplay between these regulations is critical for organizations operating in the EU market.
The CRA establishes mandatory cybersecurity requirements for all products with digital elements placed on the EU market. It covers the entire product lifecycle from design through to end-of-support, requires manufacturers to provide security updates for at least five years, and mandates vulnerability reporting to ENISA. Full compliance is required by December 11, 2027.
The Network and Information Security Directive 2 (NIS2) sets cybersecurity requirements for essential and important entities, including supply chain security obligations. NIS2 focuses on organizational security, while the CRA focuses on product security, so the two are complementary. Organizations in scope of NIS2 that also manufacture products will need to comply with both.
The EU Cybersecurity Act establishes the European cybersecurity certification framework and strengthens ENISA's mandate. Under the CRA, critical products may require European cybersecurity certification. The two regulations work together to create a unified approach to cybersecurity across the EU.
The General Data Protection Regulation governs the processing of personal data in the EU. Products with digital elements that process personal data must comply with both the CRA's cybersecurity requirements and the GDPR's data protection requirements. Security by design under the CRA and data protection by design under the GDPR are closely aligned principles.
The CRA introduces significant penalties for non-compliance. Fines can reach up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Market surveillance authorities can order the withdrawal or recall of non-compliant products from the EU market. Beyond financial penalties, non-compliance can result in reputational damage, loss of market access and legal liability for security incidents caused by non-compliant products.
Our regulatory specialists can help you understand which regulations apply to your organization and develop a comprehensive compliance strategy.