A woman sitting at a table, using a laptop and a smart speaker for work and communication.

The EU Cyber Resilience Act: Planning for Compliance


The EU Cyber Resilience Act (CRA) establishes stringent cybersecurity requirements for all products with digital elements sold on the European market, ensuring they remain cybersecure both in the design phase and throughout their lifecycle.

Approved on March 12, 2024 by the European Parliament, this legislation requires compliance readiness from manufacturers, distributors, and importers across the EU. After the Act is formally adopted by the Council, manufacturers will have 36 months to achieve compliance.

This article will outline the key components and steps required for compliance with the Cyber Resilience Act, helping you prepare your supply chain and avoid the penalties of noncompliance.

Why Compliance with the EU Cyber Resilience Act Matters

Compliance with the CRA is critical to protect your products – and consumers – from cyberattacks, and to avoid the penalties of non-compliance.

The CRA addresses two critical issues. Firstly, it tackles the prevalent cybersecurity vulnerabilities in digital products due to low cybersecurity standards and ensures that manufacturers remain responsible for the cybersecurity of their product throughout its lifecycle. Secondly, it aims to improve users' access to and understanding of cybersecurity information, empowering them to make informed choices regarding the cybersecurity of the products they use and how to securely set them up.

Failure to meet the cybersecurity obligations can result in legal repercussions, including fines, and have a detrimental impact on your reputation and market access within the EU. While the exact penalties will be decided by individual Member States, it's crucial to align your operations with the Act's provisions to avoid such penalties.

Scope of the Act

The CRA applies to manufacturers of hardware and software products with digital elements sold in the EU.This includes, but is not limited to, devices and components such as:

Under the CRA, manufacturers and developers of these products are subject to cybersecurity requirements that regulate both the design phase as well as security updates.

The following types of products are not covered under the scope of the CRA:

These exclusions help avoid regulatory overlap and ensure that products are regulated under the most appropriate framework for their specific use cases and risks.

Requirements of the Cyber Resilience Act

Annex I of the CRA lays out essential cybersecurity requirements for manufacturers to support products’ ability to withstand cyberattacks and operate securely.

Under Part I, manufacturers must ensure:

Under Part II, manufacturers must:

Annex II of the CRA lays out requirements for the information and instructions that must be provided to users for products with digital elements, including, but not limited to:

The requirements laid out above are a summary of the most important requirements laid out in the CRA, but are not a comprehensive list. For the full list of requirements, see the full adopted text of the CRA.

Steps to Compliance

Manufacturers must undergo the following steps to ensure compliance.

1. Risk Assessment: Identify and evaluate cybersecurity risks for your digital products.

2. Design Integration: Incorporate essential cybersecurity measures during product design and development.

3. Conformity Assessment: Choose between self-assessment and third-party evaluation based on your product's risk profile. The Act splits the products covered into three categories. “Default” products are those without cybersecurity vulnerabilities. Manufacturers of default products can perform a self-assessment of their cybersecurity vulnerabilities.

The remaining products, listed in Annex III and IV, are identified as "Important," or "Critical", as they have higher levels of risk. These products are further divided into two risk classes, Class I and Class II. Class I products, such as password managers or biometric readers, may adhere to an EU standard to ensure compliance or undergo a third-party assessment to demonstrate compliance with the Act. Class II products, such as operating systems or firewalls and routers for industrial use, must undergo third-party assessments to demonstrate conformity due to their higher security risk.

The European Standardisation Organisations will create technical standards for many of the product categories covered

4. Declaration of Conformity: Draft an EU declaration confirming your product meets CRA requirements containing the information laid out in Annex V.

5. CE Marking: Affix the CE mark to your product as a symbol of compliance.

6. Security Updates: Define a support period (the designated timeframe during which manufacturers are obligated to provide security updates and manage vulnerabilities for their digital products, correlated with the expected duration of product use). and consistently provide necessary security updates.

7. Vulnerability Management: Establish a system for managing and addressing vulnerabilities.

8. User Information: Clearly inform users about the cybersecurity features and support period of your product.

Planning for CRA Compliance with QIMA/CCLab

As you work to achieve compliance with the EU Cyber Resilience Act, partnering with QIMA/CCLab can significantly streamline your journey. QIMA/CCLab offers specialized cybersecurity services tailored to ensure your products meet the rigorous standards set by the CRA.

With expert guidance on risk assessments, conformity assessments, vulnerability management, and electronic product testing, QIMA/CCLab can assist at every step, from design integration to putting your product on the market.

For more information on cybersecurity regulations in the EU, read our whitepaper: Cybersecurity for IoT and Beyond: Complying with EU Regulations


Related Articles

/