What is the purpose of the CRA, and how does it align with other EU cybersecurity laws?
The Cyber Resilience Act is a central component of the EU's cybersecurity strategy. It addresses risks such as DDoS attacks on connected devices and, for the first time, creates binding EU-wide security standards for what the CRA calls "products with digital elements" (hereinafter also referred to as "products"). The aim is to harmonise the security requirements for such products and ensure a high level of cybersecurity. While the NIS2 Directive and DORA set requirements for specific industries, the CRA emphasises the responsibility of manufacturers to provide secure products.
The CRA obliges businesses along the entire supply chain - from manufacturers to importers and distributors - to adapt their products and processes to the new requirements of the CRA. This includes, among other things:
- Regular security updates and vulnerability management: Manufacturers must actively monitor and mitigate vulnerabilities.
- Clear responsibilities: Importers and distributors help ensure compliance with cybersecurity requirements by verifying products' compliance before placing them on the EU market and reporting security risks.
- Stringent compliance measures: Violations can result in fines of up to 15 million euros or 2.5% of annual global turnover.
Which products are affected?
The CRA covers all software and hardware products that are connected to networks or other devices - from IoT devices to critical industrial control systems - defined as "products with digital elements". Examples include:
- Connected devices such as intelligent household and industrial systems, routers and IoT sensors.
- Software such as control software for connected household appliances (e.g., washing machines, fridges, and ovens), smart home platforms, firmware update management tools for IoT devices, video editing tools, and mobile apps.
- AI systems categorised as high-risk under the AI Act, such as intelligent surveillance cameras or facial recognition systems, provided they are connected to a network.
Which products do not fall within the scope?
- Products that are already covered by certain other EU regulations such as medical devices regulated by the Medical Device Regulation.
- Websites, cloud, and SaaS services: These are excluded if they provide only support functions and are not integral to the product’s functionality – such as backup software for an IoT device as opposed to a cloud service that directly controls it.
- Non-commercial open source software: This is also exempt if it was developed without the intention of making a profit.
Are all products treated the same way?
Products must undergo conformity assessments – for example, for vulnerabilities or compliance with security standards – as required under the CRA and can carry the CE mark if they pass. The CRA divides products with digital elements into four categories, which are regulated differently, particularly in the mandatory conformity assessment process - i.e. the check of whether all CRA requirements are met:
- Standard products: Products with a low security risk, such as smart TVs or simple home automation systems. These are subject to less stringent requirements and can usually be tested for conformity using the manufacturer's internal procedures.
- Important products - Class I: Products with security-relevant functions, such as routers, operating systems, or intelligent door locks. These require either compliance with a harmonised standard - these are technical standards recognised by the EU that enable manufacturers to demonstrate compliance with relevant EU regulations - or an external conformity assessment.
- Important products - Class II: Products with increased security relevance, such as firewalls or tamper-proof microcontrollers. Mandatory external testing is required here to ensure conformity.
- Critical products: Products for advanced security purposes, such as smart meter gateways or devices for secure crypto processing. If a product contains security-relevant components (e.g. for critical infrastructure) and falls under Annex IV of the CRA, compliance with an EU cybersecurity certification scheme under the EU Cybersecurity Act is mandatory - if such a scheme is available. Otherwise, the requirements of Class II apply.
What are the most important cybersecurity requirements for manufacturers?
The CRA contains extensive requirements for manufacturers, including requirements for technical documentation and operating instructions. At the centre of the CRA is the primary responsibility of manufacturers for the security of their products. The key requirements include:
- Security along the entire life cycle: Security must be taken into account from product development to the use of the product until the end of the product's lifetime - for example through secure software architecture and regular security updates.
- Vulnerability management: Product security vulnerabilities must be reported to the responsible Computer Security Incident Response Team (CSIRT), i.e. the competent national supervisory authority, and ENISA within 24 hours. In the days and weeks that follow, further information must be provided, for example on the type of attack, affected products and remedial measures.
- Conformity assessment and CE marking: All products must undergo a conformity assessment before being placed on the market in order to demonstrate compliance with the CRA requirements. After successful testing, the CE mark may (and must) be affixed to confirm the conformity of the product.
- Integration of secure components: Third-party components, including open source software, must be checked before they are integrated into the product.
- Security updates: Security updates must be provided for the product regularly over a period of five years and must generally be free of charge.
- Transparency and documentation: Manufacturers are obliged to create comprehensive technical documentation for the product that proves compliance with the security requirements. These documents must be available to supervisory authorities, among others, and must be kept up to date throughout the entire life cycle of the product.
What are the obligations of importers and distributors?
Importers and distributors play a central role in ensuring the cybersecurity of products with digital elements along the entire supply chain.
- Importers must ensure that the products they import fulfil the requirements of the CRA. Among other things, they are responsible for ensuring that the manufacturer has carried out the prescribed conformity assessment procedures, that the technical documentation is available, that the product bears the CE marking and that it is accompanied by a valid EU declaration of conformity.
- Distributors are responsible for ensuring that products they make available on the market fulfil the requirements of the CRA. Among other things, they must ensure that the product bears the CE marking and is accompanied by an EU declaration of conformity and that all necessary information and instructions for the end user are available.
In addition, importers and distributors must immediately report any security risks or vulnerabilities discovered to the competent authorities. These obligations place great responsibility on importers and distributors and supplement the requirements for manufacturers in order to ensure a consistent level of security.
Application deadlines and timetable
- 11 June 2026: Requirements for conformity assessment bodies (institutions that check compliance with security standards) come into force.
- 11 September 2026: Reporting obligations for vulnerabilities apply.
- 11 December 2027: The remaining CRA provisions apply in full, including the requirements for security updates and vulnerability management.
Products launched on the market before this date are generally only affected if they are significantly changed, e.g. through new hardware integration or significant software updates.
Enforcement and sanctions
Market surveillance is carried out by national authorities of the EU Member States in cooperation with ENISA (the European Union Agency for Cybersecurity), for example through joint reviews or guidelines on the implementation of CRA requirements.
Sanctions are based on the severity of the offence:
- 15 million euros or 2.5% of annual global turnover: For breaches of cybersecurity requirements.
- 10 million euros or 2% of turnover: For other offences, e.g. lack of security checks.
- 5 million euros or 1% of turnover: For false statements or inadequate documentation.
In addition, authorities can withdraw products from the market and oblige companies to close security gaps if serious security flaws are identified, for example in unsecured IoT devices.
Summary and outlook
The CRA introduces binding EU-wide security requirements for products with digital elements. The aim is to harmonise vulnerability management requirements and security standards and strengthen cybersecurity in the EU. For companies, however, these regulations mean considerable adjustments to development, manufacturing and maintenance processes.
The harmonised rules offer opportunities such as increased customer confidence, but also bring challenges: Businesses must review standards and processes, ensure their conformity and implement additional security measures where necessary.