[co-author: Tanvi Chopra]
The European Union (EU) is poised to enact the Cyber Resilience Act (CRA), a comprehensive cybersecurity regulation with major implications for software and connected device manufacturers in the United States and globally.
The CRA is intended to establish baseline product security regulations across the supply chain, covering product life cycles from development to retirement. The regulation will apply to a wide range of software and connected devices sold within the EU, irrespective of where they are manufactured. Organizations should prepare now by reviewing their upcoming CRA compliance obligations and begin incorporating their extensive legal, technical, and administrative processes before the enforcement deadline.
This post provides an overview of the CRA and its key requirements for manufacturers, importers, and distributors. Citations in brackets to the regulation text are provided for ease of reference.
Implementation Timeline
The EU is expected to pass the CRA into law in the coming weeks. Much of the CRA will be enforceable three years after enactment – approximately February 2027 [Art. 57.2].
The security vulnerability and cyber incident reporting requirements [Art. 11] will apply less than two years after enactment – approximately November 2025.
Provisions on the establishment of conformity assessment bodies [Chap. IV] will apply 18 months after enactment – approximately August 2025 [Art. 57.3].
Prior to the date of application of the CRA, the EU will develop harmonized standards to better enable manufacturers to perform conformity assessments [Recitals 38-38a, 41-41d]. The EU Commission will also publish guidelines to assist companies with applying the CRA [Art. 17c; Recital 4a].
Scope – Products with Digital Elements
The CRA applies to "products with digital elements" (PDEs) that are made commercially available on the EU market. PDEs are within scope regardless of the location of manufacture or whether the product is made available free of charge [Arts. 3.18, 3.23].
"Products with digital elements" include software as well as products with both software and hardware with a direct or indirect connection to a device or network [Arts. 2.1, 3.1]. This encompasses standalone software as well as Internet of Things (IoT), operational technology, or other tangible devices, such as televisions, laptops, baby monitors, etc., for both enterprises and consumers.
The CRA does not apply to websites and cloud solutions, such as software-as-a-service (SaaS), that do not support remote processing or functionality for a PDE. However, the CRA does apply to remote data processing solutions that enable PDEs to function, such as mobile apps for IoT products [Recitals 9-9a]. The CRA also applies to software and hardware components that are integrated into PDEs [Art. 3(1)-(8)].
Open-source software developed outside of commercial activity is not covered under the regulation. The CRA states that free and open-source software would be subject to a light-touch regulatory regime, and that the regulation does not apply to persons who merely contribute source code to open-source products that are not under their responsibility [Recitals 10b-10d].
The CRA does not apply to certain products that already have sectoral legislation, such as medical devices, motor vehicles, and maritime and aeronautical equipment [Arts. 2.1 - 2.3a]. The CRA also does not apply to PDEs that are developed exclusively for national security or defense [Recital 12a].
Key Requirements for Manufacturers
The CRA establishes extensive security safeguards that PDEs must meet prior to being available on the EU market [Art. 5]. Manufacturers of PDEs must develop, produce, and disseminate products with "essential cybersecurity requirements" that are appropriate to the risks [Art. 10.1]. Among other things, manufacturers must also establish processes and documentation to validate the compliance of their PDEs with the CRA. Where PDEs are aligned with recognized EU standards that meet or exceed the CRA's security requirements, there is a presumption that the PDEs conform to the CRA [Art. 18; Recitals 38-41d].
Below is an overview of the CRA's product security requirements and conformity processes.
- Product security requirements
Cybersecurity Risk Assessments: Manufacturers must undertake a cybersecurity risk assessment associated with the PDE. The risk assessment must be updated during the support period and taken into account throughout the product life cycle [Art. 10.2].
Vulnerability Management: PDEs must be made available on the market without known exploitable vulnerabilities, provide security updates for vulnerabilities without delay, and publicly disclose remediated vulnerabilities [Art. 10.6; Annex I Part I (3)(a), Part II (4)]. Security updates must remain available for a minimum of 10 years or the remainder of the support period, whichever is longer [Art. 10.6a]. Manufacturers must document relevant product vulnerabilities it becomes aware of [Art. 10.5].
Support Period: The support period for PDEs shall correspond to the expected use time, but must otherwise be at least five years [Art. 10.6]. The end of the support period, including the month and year, must be accessible to users at the time of purchase [Art. 10.10a].
Software Bill of Materials (SBOM): Manufacturers must identify and document product components and vulnerabilities, including by drawing up a software bill of materials (SBOM) of at least the top-level dependencies of the product [Annex I, Part II(1)]. The SBOM does not have to be made publicly available [Recital 37].
Testing: Manufacturers must regularly test product security [Annex I, Part II(3)].
Vulnerability Reporting: Manufacturers must report any product vulnerability exploited by a malicious actor to its designated EU Member State Computer Security Incident Response Team (CISRT) within 24 hours. Manufacturers must then file a general follow-up within 72 hours, and a detailed report no later than 14 days after a mitigation is available. Except in exceptional circumstances, these vulnerability reports are forwarded to other CISRTs and market surveillance authorities in Member States in which the product is on the market. Manufacturers must also inform their users about the incident [Arts. 11.1-11.4; Recitals 34-35i].
Coordinated Vulnerability Disclosure: Manufacturers must establish a coordinated vulnerability disclosure policy and provide a contract address for third parties to report vulnerabilities in the product [Arts. 10.6, 10.9c; Annex I, Part II(5)-(6)]. When manufacturers identify vulnerabilities in PDE software or hardware components, the manufacturer must report the vulnerability to the party responsible for the component [Art. 10.4a].
Cyber Incident Reporting: Manufacturers must notify, within 24 hours, their designated CSIRT and ENISA of any severe cyber incident having an impact on the security of a PDE. Manufacturers must then file a general follow-up within 72 hours, and a detailed report no later than one month after the notification. These reports are forwarded to other relevant CSIRTs and market surveillance authorities. Manufacturers must also inform their users about the incident [Arts. 11.3-11.4; Recital 35].
- Demonstrating product conformity
Technical Documentation: Manufacturers must create and maintain technical documentation to demonstrate that a PDE complies with the CRA's essential security requirements [Art. 10.7; Annex I]. The technical documentation must be drawn before the PDE is placed on the market and should be continually updated during the product support period [Art. 23].
Conformity Assessments: Prior to placing a PDE on the market, manufacturers must subject the product to a conformity assessment to ensure compliance with security requirements [Art. 10.7; Recitals 25-27d]. The type of assessment is based on the PDE risk category:
- Unclassified or default: This broad category includes most PDEs. Manufacturers may self-assess compliance with the security requirements [Art. 24.1; Recital 45].
- Classes I and II – "Important" PDEs: These products must undergo a third-party conformity assessment, or they can apply harmonized standards or cybersecurity certification schemes [Arts. 24.2-24.3]. Classes I and II are products with cybersecurity-related functionality or with a function that carries significant risk of adverse effects if disrupted [Recitals 26-27]. Among other things, Class I includes operating systems, ID management systems, virtual private networks, security information and event management systems, malicious software scanners, smart home security products, and wearable health monitors. Class II products include firewalls, intrusion detection and prevention systems, hypervisors, and more [Annex III].
- "Critical" PDEs: These products must demonstrate conformity with cybersecurity certification schemes applicable to the PDE's product type. If there is no applicable scheme, then Critical PDEs demonstrate conformity through the same means as Important PDEs [Arts. 6a, 24.3a]. This category includes products considered to be critical dependencies to essential services, such as smartcards or similar devices with secure elements, smart metering systems, and other devices for advanced security purposes [Annex IIIa; Recital 27a].
Declaration and CE Marking: Upon completing the conformity assessment, manufacturers must draw up a declaration of conformity to supplement the technical documentation and keep these records for ten years or for the support period (whichever is longer) [Arts. 10.7-10.8]. In addition, PDEs must feature a CE marking to indicate the product's conformity with CRA prior to entering the market [Art. 22.1].
Key Requirements for Importers and Distributors
Due Diligence: Before making a PDE available on the EU market, importers and distributors must verify that the manufacturer demonstrates compliance with the CRA [Arts. 13.2, 14.2]. If the importer or distributor has reason to believe that the PDE is not compliant with the essential security requirements, they should take any necessary corrective measures, or may withdraw or recall the product [Arts. 13.3, 14.3].
Inform Manufacturer of Vulnerabilities: After identifying a vulnerability in a PDE, importers and distributors must inform the manufacturer without undue delay [Arts. 13.5, 14.4].
Inform Authorities of Significant Risks: If a PDE presents a significant cybersecurity risk, importers and distributors must immediately notify the market surveillance authorities in the Member States in which they made the PDE available on the market [Arts. 13.5, 14.4].
Record Retention: Importers must retain a copy of the manufacturer's EU declaration of conformity for a period of ten years following the placement of a PDE on the market and provide it upon request by market surveillance authorities [Art. 13.6].
Post-Product Responsibilities: After becoming aware that a manufacturer of a PDE has ceased operations, importers and distributors must inform the relevant market surveillance authorities and, to the extent possible, inform the users of the product [Arts. 13.8, 14.6].
Penalties for Non-Compliance
Companies that fail to comply with the CRA's vulnerability reporting, cyber incident reporting, or essential cybersecurity requirements could face administrative fines of up to €15 million or 2.5% of their global turnover, whichever is higher [Art. 53.3].
Failing to comply with many of the other obligations may be subject to administrative fines of up to €10 million, or 2% of their global turnover, whichever is higher [Art. 53.4].
Supplying misleading information to enforcement bodies or national cyber incident response teams could result in a fine of €5 million, or 1% of global turnover, whichever is higher [Art. 53.5].
Under certain circumstances, EU Member State authorities can require the recall or withdrawal of non-compliant products from the EU market [Art. 47].
International Interoperability
In recent years there has been a proliferation of policies around the world that are focused on product security and communication to consumers through mechanisms such as consumer labels. This includes regulations introduced by the governments of Australia, the European Union, Singapore, the United Kingdom, and the United States, among others.
To ensure that the global market for products is not undermined by divergent approaches, certain governments have embarked upon efforts to mutually recognize their consumer labels or product security certifications. The U.S. and the EU launched an initiative at the U.S.-EU Cyber Dialogue in December 2023, aimed at facilitating mutual recognition of certifications between the forthcoming U.S. Cyber Trust Mark and the EU's Cyber Resilience Act. If successful, this initiative will help avert duplicative market access barriers and provide businesses with greater choice in which certification is most appropriate to their products and end users.
How Businesses Can Start Preparing
While the CRA does not begin taking effect for approximately 21 months, companies that sell or intend to sell software and digitally connected products in the EU should be aware of the security safeguards and processes required by the regulation.
To do so, companies should review which of their products are likely to fall within the scope of the CRA and the extent to which they meet the essential security requirements. Products that are in development now may need to adapt to ensure compliance with the CRA once they are ready for market deployment. Companies should review their internal processes for software and hardware security and ensure that relevant personnel on their teams are aware of their role in complying with the regulation.
Companies can additionally enhance their preparedness by starting to incorporate required security practices before the regulation is effective. This may include implementing a coordinated vulnerability disclosure policy or generating a software bill of materials. Companies may also gather information to support the required technical documentation for PDEs.
Companies should promptly assess and, if necessary, amend their vulnerability and incident handling procedures to ensure required reporting can be made in a timely manner. Given that the vulnerability and incident reporting timelines established in the CRA differ from other EU regulations, such as NIS 2 and GDPR, we encourage companies to review their incident response plans and vulnerability management processes ahead of time.
These considerations are intended to highlight a few steps that companies can take now to prepare for the CRA. Each company must assess the processes and procedures that may be necessary and appropriate within the context of its operations, business, and regulatory environment.
* * *
The CRA is a comprehensive regulation, and the above summary is not exhaustive. Just as GDPR forever changed the global privacy landscape, the CRA will likely have a widespread impact on product and organizational security. Implementing these upcoming requirements will take considerable time and resources, and it is essential for companies to be proactive in addressing them.
