What is the Cyber Resilience Act?

Who does the CRA apply to?

The CRA applies to all economic operators involved in placing products with digital elements on the EU market. Each role in the supply chain has specific obligations designed to ensure end-to-end cybersecurity.

Manufacturers carry the primary responsibility. They must ensure products are designed, developed and maintained with appropriate cybersecurity measures. This includes conducting risk assessments, creating technical documentation, providing security updates and reporting vulnerabilities.

Importers must verify that the manufacturer has carried out the proper conformity assessment, that the product bears the CE marking and that all required documentation is available. They serve as a crucial checkpoint before products reach the EU market.

Distributors must act with due care when making products available on the market. They need to verify CE marking, ensure proper documentation is available and report any known non-compliance to market surveillance authorities.

Product categories

Product classification under the CRA

The CRA classifies products with digital elements into four categories, each with different conformity assessment requirements. The higher the risk classification, the stricter the assessment procedure.

Default products

The majority of products with digital elements fall into this category. These products can be self-assessed by the manufacturer through an internal conformity assessment based on the essential requirements set out in Annex I of the CRA.

Important products - Class I

Products with a higher cybersecurity risk, such as password managers, VPN software, network management systems, and smart home devices. These require either the application of a harmonised standard or a third-party assessment.

Important products - Class II

Higher-risk products including firewalls, intrusion detection systems, microprocessors with security features, and industrial automation systems. These require a mandatory third-party conformity assessment.

Critical products

The highest risk category, covering products such as hardware security modules, smart cards, smartcard readers, and secure elements. These require European cybersecurity certification under the EU Cybersecurity Act framework.

Obligations

What do you need to do?

Security by design

Integrate cybersecurity into every stage of product design and development. Products must be delivered with secure default settings and minimize the attack surface.

Risk analysis

Conduct a thorough cybersecurity risk assessment for each product. Identify potential threats, evaluate their impact and implement proportionate mitigation measures.

CE marking

Affix the CE marking to products only after completing the appropriate conformity assessment procedure. The CE marking signals compliance with all applicable EU requirements.

Security updates

Provide security updates for at least five years after placing the product on the market, or for the expected product lifetime if shorter. Updates must be free of charge.

Vulnerability reporting

Establish procedures for coordinated vulnerability disclosure. Actively exploited vulnerabilities must be reported to ENISA within 24 hours of discovery.

Technical documentation

Prepare comprehensive technical documentation including the design, development process, risk assessment results and a complete Software Bill of Materials (SBOM).

What is the Cyber Resilience Act?

The Cyber Resilience Act explained

Key dates and deadlines

December 10, 2024

September 11, 2026

December 11, 2027