Updated Friday, February 14, 2025

The Cyber Resilience Act (CRA)

The Cyber Resilience Act sets uniform and binding cybersecurity standards for connected products in Europe. Manufacturers must expect considerable implementation effort, particularly with regard to the extensive documentation and update obligations.

Steffen Groß

Partner (Attorney-at-law)

Scope of Application
Central Requirements and Obligations of Manufacturers
Security by Design
Documentation and Evidence
Ongoing Obligations
Product Classification and Conformity Assessment
Conclusion


The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is a regulation of the European Union that establishes uniform cybersecurity requirements for products with digital elements, i.e. hardware and software that can be connected to a device or network, within the EU. As a regulation, the CRA is directly applicable EU law that requires no national implementation. It addresses the economic operators along the supply chain, namely manufacturers, importers and distributors of such products, and thus creates a comprehensive legal framework.

The main objective of the CRA is to significantly improve the cybersecurity of products with digital components. This is intended to protect both consumers and businesses from risks that may arise from inadequate security measures. The regulation establishes binding requirements that cover the entire lifecycle of these products - from planning and development through maintenance to decommissioning.

The regulation entered into force on December 10, 2024. The main obligations apply from December 11, 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents (Article 14 CRA) apply earlier, from September 11, 2026. From December 11, 2027, products with digital elements may only be placed on the EU market if they have undergone conformity assessment and bear the CE marking, and manufacturers must provide security updates throughout the support period.

The CRA should not be viewed in isolation but complements existing regulatory frameworks such as the NIS2 Directive. It represents an important building block of the EU's strategy for a secure digital future. This regulation establishes comprehensive cybersecurity standards in the European digital market that go far beyond existing regulations.


Scope of Application

Material Scope

The CRA applies to a wide range of products with digital elements. Article 3, Paragraph 1 CRA defines these as software or hardware products together with their remote data processing solutions, including software or hardware components that are placed on the market separately. Remote data processing (Article 3, Paragraph 2 CRA) means processing at a distance that the manufacturer designs the product for and without which the product could not perform one of its functions. Specific examples include:

Hardware with network functions: Smartphones, laptops, and smart home devices fall under this category because they have network interfaces and are therefore potentially vulnerable to cyber attacks.

Software products: Mobile apps, computer games, and accounting software are also affected, as they contain digital elements and can pose security risks.

Digital components: Microprocessors and firewalls are examples of components that are integrated into other products and whose security the integrating manufacturer must ensure.

Free and open-source software falls outside the CRA only where it is not made available on the market in the course of a commercial activity; monetised or commercially supplied open-source products are covered. Legal persons that systematically support the development of open-source products intended for commercial use are addressed as "open-source software stewards" and are subject to a lighter regime (Article 24 CRA). Manufacturers who integrate third-party components, including open-source components, must exercise due diligence to ensure that these components do not compromise the cybersecurity of their product (Article 13, Paragraph 5 CRA). This represents a significant expansion of previous responsibilities.

Pure SaaS solutions (Software as a Service) are excluded from the CRA unless they constitute remote data processing for a product with digital elements, i.e. processing that the product needs in order to perform one of its functions (Article 3, Paragraph 2 CRA). Cloud services as such are addressed by the NIS2 Directive instead. This distinction is important in order to clearly define the scope of the CRA.

Geographical Scope

The CRA affects all products with digital elements that are placed on the market in the EU internal market. The country of manufacture is irrelevant (Article 2, Paragraph 1 CRA). This means that even products manufactured outside the EU must meet the requirements of the CRA if they are offered on the European market.

Personal Scope

The CRA distinguishes between different economic operators and defines their responsibilities:

Manufacturers: They are primarily responsible for compliance with the CRA requirements.

Authorized representatives: They can be appointed by manufacturers to take on certain tasks related to conformity.

Importers and distributors: They also bear responsibility for ensuring that only compliant products enter the market.

Open-source software stewards: Legal persons that provide sustained support for the development of open-source products intended for commercial activities have a lighter set of obligations, in particular a cybersecurity policy for secure development and vulnerability handling and cooperation with the authorities (Article 24 CRA).

Consumers and micro-enterprises: Article 3, Paragraph 12 of the CRA also takes into account the interests of consumers and micro-enterprises.

Exclusions

Certain product groups are excluded from the scope of the CRA, mostly because sector-specific legislation already imposes cybersecurity requirements of at least equivalent effect. These include:

Medical devices covered by Regulations (EU) 2017/745 and (EU) 2017/746.

Motor vehicles subject to Regulation (EU) 2019/2144.

Aviation products regulated by Regulation (EU) 2018/1139.

Marine equipment subject to Directive 2014/90/EU.

Products developed or modified exclusively for national security or defense purposes.

Spare parts made available to replace identical components and manufactured to the same specifications as the parts they replace (Article 2, Paragraphs 2-4, 7, Article 12, Paragraph 6 CRA).


Central Requirements and Obligations of Manufacturers

Basic Security Requirements

Manufacturers must ensure that their products meet the basic security requirements detailed in Annex I of the CRA. These requirements include:

An appropriate level of security: Products must be designed, developed and produced so that they offer a level of cybersecurity appropriate to the risks, and they must be made available on the market without known exploitable vulnerabilities. The exact reach of "known" still requires clarification; in particular, it is unclear whether a vulnerability counts as known only once the manufacturer is aware of it or already when it is known in the broader security community.

Secure default configuration: Products must be delivered in a secure configuration to minimize the risk of attacks.

Update capability: Products must be able to receive security updates that address vulnerabilities. Where applicable, automatic security updates installed within an appropriate timeframe must be enabled as the default setting, with a clear and easy-to-use opt-out, notification of available updates and the option to temporarily postpone them. For connected devices this in practice means a secure over-the-air update mechanism.

Protection against unauthorized access: Products must protect against unauthorized access through appropriate control mechanisms, including authentication and identity management, must keep their essential functions available, including resilience against denial-of-service attacks, and must protect the integrity of stored, transmitted and processed data, commands, programs and configuration against manipulation.

Confidentiality, integrity, and data minimization: These principles must be taken into account during the development and operation of the products.

Data logging: Products should record and monitor relevant internal activity, such as access to or modification of data, services or functions, so that security-relevant information is available, with an option for users to deactivate this logging (opt-out).

Secure handling of personal data: Products must allow users to securely and easily remove all data and settings permanently and, where data is to be transferred to another product or system, to do so securely.

Software Bill of Materials (SBOM): Manufacturers must identify and document the vulnerabilities and components of the product, including by drawing up an SBOM in a commonly used, machine-readable format that covers at least the top-level dependencies.

Regular security checks: Manufacturers must apply effective and regular tests and reviews of the product's security, address vulnerabilities without delay, including through security updates, publish information about fixed vulnerabilities, and operate a coordinated vulnerability disclosure policy with a contact address for reporting vulnerabilities.
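How the update requirement above can be met in code, as an added example that is not from the page, the regulation or any manufacturer's product: a minimal update client in Go that verifies an Ed25519-signed manifest, refuses rollbacks to an older version, checks the image digest before installing, installs automatically by default, and lets the user postpone for a bounded time. The product name, the manifest layout, the seven-day cap on postponement and the in-memory key generation are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest describes one update: a strictly increasing version counter and the image digest.
// The manufacturer signs the serialised manifest, not the (large) image itself.
type Manifest struct {
	Product     string `json:"product"`
	Version     uint64 `json:"version"`
	ImageSHA256 string `json:"image_sha256"`
}

// Device is the update client's state. The manufacturer's public key is assumed to be
// provisioned at production time (hypothetical layout, not a real product's format).
type Device struct {
	Product          string
	InstalledVersion uint64
	ManufacturerKey  ed25519.PublicKey
	AutoInstall      bool      // enabled by default; the user may opt out
	DeferUntil       time.Time // zero value when no postponement is active
}

// MaxDeferral caps how long a user may postpone an update (an assumed policy value).
const MaxDeferral = 7 * 24 * time.Hour

// SignManifest serialises the manifest and signs exactly the bytes the device will verify.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (manifestBytes, sig []byte, err error) {
	manifestBytes, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return manifestBytes, ed25519.Sign(priv, manifestBytes), nil
}

// VerifyUpdate accepts an update only if the manifest carries a valid manufacturer signature,
// targets this product, is newer than the installed version (anti-rollback) and the image
// matches the signed digest. Every check happens before anything would be written to flash.
func VerifyUpdate(d Device, manifestBytes, sig, image []byte) (Manifest, error) {
	var m Manifest
	if len(d.ManufacturerKey) != ed25519.PublicKeySize || !ed25519.Verify(d.ManufacturerKey, manifestBytes, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(manifestBytes, &m); err != nil {
		return m, err
	}
	if m.Product != d.Product {
		return m, fmt.Errorf("manifest is for %q, device is %q", m.Product, d.Product)
	}
	if m.Version <= d.InstalledVersion {
		return m, fmt.Errorf("rollback rejected: offered version %d, installed %d", m.Version, d.InstalledVersion)
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA256 {
		return m, errors.New("image digest does not match signed manifest")
	}
	return m, nil
}

// Postpone records a temporary user deferral, clamped to MaxDeferral so that updates
// cannot be put off indefinitely.
func Postpone(d *Device, now time.Time, by time.Duration) {
	if by > MaxDeferral {
		by = MaxDeferral
	}
	d.DeferUntil = now.Add(by)
}

// ShouldInstallNow implements the default-on automatic policy: install unless the user
// opted out or an active postponement has not yet elapsed.
func ShouldInstallNow(d Device, now time.Time) bool {
	return d.AutoInstall && !now.Before(d.DeferUntil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the manufacturer's signing key
	image := []byte("constructed firmware image, version 2")
	sum := sha256.Sum256(image)
	mb, sig, _ := SignManifest(priv, Manifest{Product: "example-gateway", Version: 2, ImageSHA256: hex.EncodeToString(sum[:])})

	dev := Device{Product: "example-gateway", InstalledVersion: 1, ManufacturerKey: pub, AutoInstall: true}
	if m, err := VerifyUpdate(dev, mb, sig, image); err == nil {
		fmt.Println("update accepted, version", m.Version)
	}
	dev.InstalledVersion = 2 // the same manifest offered again is rejected as a rollback
	_, err := VerifyUpdate(dev, mb, sig, image)
	fmt.Println("re-offer:", err)
}
```

The signature covers the serialised manifest rather than the image, so the image hash must be compared against the signed digest before the image is trusted; the monotonic version counter is what prevents replay of a validly signed but older, vulnerable release. On a real device the manufacturer's public key would come from a read-only or attested store rather than being generated at start-up.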


Security by Design

The CRA requires that security aspects be integrated into product development from the outset ("Security by Design"). This includes:

Risk assessment: Manufacturers must carry out a cybersecurity risk assessment covering the planning, design, development, production, delivery and maintenance phases, document it in the technical documentation and keep it updated during the support period (Article 13, Paragraphs 2 and 3 CRA).

Encryption of data: The confidentiality of stored, transmitted or otherwise processed data, personal or other, must be protected, for instance by encrypting relevant data at rest and in transit with state-of-the-art mechanisms.

Minimization of attack surfaces: Products must be designed to limit their attack surface, including external interfaces, in order to reduce potential vulnerabilities.

Ensuring secure default settings: Products must be delivered in a secure-by-default configuration, including the possibility of resetting the product to that original state, in order to minimize the risk of misconfigurations.


Documentation and Evidence

Manufacturers must draw up technical documentation before the product is placed on the market and keep it, together with the EU declaration of conformity, available for the market surveillance authorities for at least ten years after the product was placed on the market or for the support period, whichever is longer. This documentation includes:

EU Declaration of Conformity: A declaration that the product meets the requirements of the CRA.

User information and instructions: Clear and understandable information for users (Annex II CRA), including how to report vulnerabilities, the end date of the support period, where and how security updates can be obtained, and how the product can be securely set up, used and decommissioned.

Life cycle-wide risk assessment: A detailed assessment of the security risks over the entire life cycle of the product.

The SBOM covering all third-party components is part of the technical documentation and is an often underestimated but essential obligation; the CRA does not require it to be made public, but it must be available to the market surveillance authorities on request.
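As an added example (not the page's, the regulation's or any real project's code): a Go program that produces a top-level SBOM in the CycloneDX JSON layout and checks it against a set of advisories before release, which also serves the "no known exploitable vulnerabilities" requirement in the Basic Security Requirements above. The product, its three dependencies and the advisories with EXAMPLE identifiers are constructed data; in practice the advisory feed would be a vulnerability database queried by package URL (purl).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Component is one CycloneDX component: the product itself or a library it ships.
// The purl (package URL) is the identifier that vulnerability databases key on.
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl,omitempty"`
	BomRef  string `json:"bom-ref"`
}

// SBOM is the subset of the CycloneDX 1.5 JSON layout used here.
type SBOM struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Version     int    `json:"version"`
	Metadata    struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// Advisory is a constructed vulnerability record (hypothetical IDs, not real CVEs):
// versions of Name below FixedIn are affected.
type Advisory struct{ ID, Name, FixedIn string }

// BuildSBOM lists the product and its direct dependencies, the
// "at least top-level dependencies" floor, in a machine-readable format.
func BuildSBOM(product Component, deps []Component) SBOM {
	s := SBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Version: 1, Components: deps}
	s.Metadata.Component = product
	return s
}

// MarshalSBOM serialises the SBOM as indented JSON for the technical documentation.
func MarshalSBOM(s SBOM) []byte {
	b, _ := json.MarshalIndent(s, "", "  ")
	return b
}

// versionLess compares dotted numeric versions (1.4.2 < 1.10.0); non-numeric parts count as 0.
func versionLess(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// KnownVulnerable matches components against advisories by name and version range;
// any hit means the product would ship with a known vulnerability and must not be released as is.
func KnownVulnerable(s SBOM, advisories []Advisory) []string {
	var hits []string
	for _, c := range s.Components {
		for _, a := range advisories {
			if c.Name == a.Name && versionLess(c.Version, a.FixedIn) {
				hits = append(hits, fmt.Sprintf("%s@%s: %s (fixed in %s)", c.Name, c.Version, a.ID, a.FixedIn))
			}
		}
	}
	return hits
}

// Constructed sample data for a hypothetical gateway product and its direct dependencies.
var (
	SampleProduct = Component{Type: "device", Name: "example-gateway", Version: "3.1.0", BomRef: "pkg:generic/example-gateway@3.1.0"}
	SampleDeps    = []Component{
		{Type: "library", Name: "libtls", Version: "1.4.2", Purl: "pkg:generic/libtls@1.4.2", BomRef: "pkg:generic/libtls@1.4.2"},
		{Type: "library", Name: "parsekit", Version: "0.9.1", Purl: "pkg:generic/parsekit@0.9.1", BomRef: "pkg:generic/parsekit@0.9.1"},
		{Type: "library", Name: "netd", Version: "2.0.0", Purl: "pkg:generic/netd@2.0.0", BomRef: "pkg:generic/netd@2.0.0"},
	}
	SampleAdvisories = []Advisory{
		{ID: "EXAMPLE-2024-0001", Name: "parsekit", FixedIn: "0.9.3"}, // 0.9.1 is affected
		{ID: "EXAMPLE-2023-0042", Name: "libtls", FixedIn: "1.4.0"},   // 1.4.2 already carries the fix
	}
)

func main() {
	s := BuildSBOM(SampleProduct, SampleDeps)
	fmt.Println(string(MarshalSBOM(s)))
	for _, h := range KnownVulnerable(s, SampleAdvisories) {
		fmt.Println("release blocked, known vulnerability:", h)
	}
}
```

The dotted-version comparison is deliberately simple; for ecosystems with their own version schemes (Debian, Maven, npm) use that ecosystem's comparison rules or a purl-aware scanner, and keep the generated SBOM in the technical documentation for the retention period together with a record of the advisories that were evaluated against it.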


Ongoing Obligations

During the support period, which must reflect the time the product is expected to be in use, manufacturers are obliged to take the following measures:

Provision of security updates: The support period must be at least five years, unless the product is expected to be in use for a shorter time (Article 13, Paragraph 8 CRA). Each security update must remain available for at least ten years after it is issued or for the remainder of the support period, whichever is longer.

Continuous monitoring and remediation of vulnerabilities: Manufacturers must continuously monitor their products for vulnerabilities and fix them.

Reporting of actively exploited vulnerabilities and severe incidents: Manufacturers must report any actively exploited vulnerability in their product and any severe incident affecting its security via the single reporting platform operated by ENISA to the CSIRT designated as coordinator: an early warning within 24 hours of becoming aware, a notification with further details within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available (vulnerabilities) or within one month (incidents) (Article 14 CRA). These reporting obligations already apply from September 11, 2026.

Information to end users: Affected users must be informed without undue delay about actively exploited vulnerabilities and severe incidents and, where necessary, about risk-mitigating and corrective measures they can take (Article 14 CRA).


Product Classification and Conformity Assessment

The CRA classifies products by risk level, and the class determines which conformity assessment procedure is available (Articles 7, 8 and 32, Annexes III and IV CRA):

Default products: The large majority of products. The manufacturer may carry out a self-assessment (internal control).

Important products, Class I (Annex III): For example browsers, password managers, VPN software, operating systems and smart home products with security functions. Self-assessment is only available if harmonised standards, common specifications or European cybersecurity certification schemes are applied in full; otherwise a notified body must be involved.

Important products, Class II (Annex III): For example hypervisors and container runtimes, firewalls and intrusion detection systems intended for industrial use, and tamper-resistant microprocessors and microcontrollers. A conformity assessment by a notified body is always required.

Critical products (Annex IV): Hardware devices with security boxes, smart meter gateways, smartcards and similar secure elements. The Commission may by delegated act require a European cybersecurity certificate for these; unless and until it does, the procedures for Class II apply.


Conclusion

The CRA sets uniform, binding cybersecurity standards for products with digital elements across the EU and demands considerable implementation effort, above all for the technical documentation, vulnerability handling and the multi-year update obligation. Because the reporting duties already apply from September 2026 and the remaining obligations from December 2027, early and comprehensive preparation is crucial to ensure compliance in good time and to avoid legal and economic risks. The CRA represents a paradigm shift in product security and will lastingly change how digital products are developed and distributed in Europe.

Simpliant Legal - Wittig, Bressner, Groß Rechtsanwälte Partnerschaftsgesellschaft mbB
© 2019 - 2025 Simpliant