Meet Us at Gartner® Security & Risk Management Summit | 10-11 March 2025 | Grand Hyatt, Mumbai | Booth 319

An Introduction to EU’s Cyber Resilience Act

The journey of the Cyber Resilience Act began when the European Commission President, Ursula von der Leyen, first announced it during the State of the Union address in September 2021.

Following this announcement, the European Commission submitted the proposal on 15 September 2022. Subsequently, after extensive discussions, the co-legislators reached a provisional agreement on 30 November 2023. 

The formal adoption process moved forward when the European Parliament approved the act in March 2024. Furthermore, the Council of the European Union granted its final adoption on 10 October 2024. This marked the completion of the EU legislative process. 

The implementation timeline spans several years. The Cyber Resilience Act officially entered into force on 10 December 2024. The reporting obligations will become effective 21 months after the entry into force, approximately in summer 2026. The main obligations introduced by the CRA will come into effect from 11 December 2027, providing companies with a three-year transition period to align with the new requirements. 

What’s the goal of the European Union behind the adoption of the Cyber Resilience Act 2024? 

The Cyber Resilience Act serves multiple strategic objectives. Specifically, it seeks to create uniform security requirements that will strengthen the EU’s digital single market. This standardisation helps reduce fragmentation in cybersecurity rules across different member states, making compliance more straightforward for businesses operating within the EU. 

Another core goal centres on increasing consumer trust in digital products. By mandating strict security standards, the act ensures that products entering the EU market meet essential cybersecurity requirements. This approach not only protects end-users but also helps maintain the integrity of the EU’s digital infrastructure. 

The legislation also aims to enhance the overall competitiveness of EU businesses in the global digital market. Through standardised security requirements, companies can demonstrate their commitment to cybersecurity, potentially gaining a competitive advantage in international markets. 

How does the CRA raise the level of cyber security? 

The Cyber Resilience Act strengthens cybersecurity through a comprehensive set of mandatory requirements for digital products. Primarily, the act mandates that manufacturers embed security features from the earliest stages of product development. This security by design approach ensures products are developed with secure processes, minimising potential vulnerabilities. 

Consequently, all hardware and software products must bear the CE marking to demonstrate compliance with the regulation’s security requirements. The act establishes essential cybersecurity guidelines that manufacturers must follow throughout their products’ lifecycle, coupled with strict vulnerability management protocols. 

The regulation raises security standards through these key requirements:  

(Infographic: Cyber Resilience Act key requirements)

The act also introduces mandatory reporting requirements for actively exploited vulnerabilities. Manufacturers must alert authorities within 24 hours for early warning and provide complete notification within 72 hours. This swift reporting mechanism helps prevent the spread of cyber threats across the EU market.

Furthermore, the act enhances transparency by requiring clear disclosure of the end-of-support date on products or packaging. This information enables users to make informed decisions about their purchases based on long-term security support. The regulation nevertheless maintains flexibility, allowing organisations to set additional requirements for procurement or use, choosing products that exceed the mandatory security standards. 

Scope and Applicability – Products with Digital Elements 

Products with digital elements form the cornerstone of the Cyber Resilience Act’s scope. Under this legislation, these products encompass any software or hardware product and its remote data processing solutions, including components sold separately. 

What are Products with Digital Elements? 

A product with digital elements refers to any item that connects either directly or indirectly to another device or network. This includes hardware devices like smart cameras, fridges, and toys, primarily focusing on items that process, store, or transmit digital data. Remote data processing solutions, particularly those designed by manufacturers, are integral to these products’ core functions. 

How does the act apply to them? 

The act categorises products based on their cybersecurity risk levels. Notably, 90% of digital products fall under the default category. Critical products are divided into two classes: 

  • Class I products include password managers, smart home assistants, and internet routers 
  • Class II encompasses more specialised items such as firewalls and tamper-resistant microprocessors  

Certain products remain exempt from the act’s scope, including medical devices, automotive products, and aeronautical equipment. Generally, open-source software developed for non-commercial purposes and software-as-a-service also fall outside the act’s purview.

Requirements covered under the act 

The act mandates that products must meet essential cybersecurity requirements before entering the EU market. Manufacturers must ensure secure configurations, protect against unauthorised access, and safeguard data confidentiality. Furthermore, products must maintain the availability of essential functions and minimise negative impacts. 

Accordingly, manufacturers must implement vulnerability handling procedures, which include identifying and documenting vulnerabilities, conducting security testing, and providing automatic security updates. These requirements span the entire product lifecycle, from design and development to production and market placement. 

Requirements 

Under the Cyber Resilience Act, manufacturers bear primary responsibility for product security throughout the lifecycle. 

Requirements for Manufacturers 

Manufacturers must conduct thorough cybersecurity risk assessments during planning, design, development, and production phases. These assessments form part of the mandatory technical documentation, which must be retained for at least 10 years after market placement. 

Further, manufacturers must implement robust vulnerability handling procedures. This includes establishing coordinated vulnerability disclosure policies and promptly addressing security issues. Upon discovering actively exploited vulnerabilities, manufacturers must notify authorities within 24 hours for early warning and provide complete notification within 72 hours. 

Significantly, manufacturers must determine an appropriate support period for their products. This period should reflect the expected product lifetime and must extend for at least five years. Throughout this duration, manufacturers must provide security updates and maintain product documentation.

Requirements for Vendors and Distributors 

Importers and distributors hold distinct responsibilities under the act. Primarily, importers must verify that manufacturers have completed conformity assessments and prepared technical documentation. They must also ensure products bear the CE marking and include the necessary user instructions.

Distributors must exercise due care when making products available. Their obligations include verifying CE marking compliance and ensuring manufacturers have fulfilled their requirements. Upon discovering vulnerabilities, both importers and distributors must inform manufacturers without delay and alert market surveillance authorities if products pose significant cybersecurity risks.

Implementation Timeline 

Upon entry into force on 10 December 2024, the Cyber Resilience Act begins its phased implementation across the European Union. Throughout this carefully structured timeline, different provisions become applicable at specific intervals to ensure smooth adoption. 

The first milestone arrives on 11 June 2026, marking the implementation of provisions related to conformity assessment bodies. In line with this timeline, member states must establish administrative structures for product conformity, primarily focusing on the framework for certification entities and inspection bodies. 

The second phase commences on 11 September 2026, introducing mandatory reporting obligations for manufacturers regarding actively exploited vulnerabilities and severe incidents impacting product security. This phase establishes the Single Reporting Platform operated by ENISA, enabling coordinated vulnerability disclosure across the EU. 

Eventually, the act reaches full applicability on 11 December 2027, marking three years from its entry into force. At this stage, all newly designed and produced products with digital elements entering the European market must comply with the complete set of regulations. This final phase mandates manufacturers to maintain technical documentation for 10 years, provide security updates for 5 years, and ensure these updates remain available for a decade. 

The European Commission will evaluate the effectiveness of the Single Reporting Platform approximately one year after full implementation. This assessment will address any issues with vulnerability handling and reporting procedures, ensuring the act’s objectives are met effectively. 

What are the consequences of non-compliance with the CRA? 

Non-compliance with the Cyber Resilience Act carries substantial implications for manufacturers and distributors in the European market. Primarily, market surveillance authorities monitor adherence to the regulation’s requirements through rigorous assessment procedures. 

Products failing to meet cybersecurity standards face immediate market restrictions. Because the act mandates CE marking compliance, products without proper certification cannot be sold in the EU market. Under these circumstances, manufacturers must withdraw non-compliant products and address the identified security vulnerabilities.

The act establishes a structured approach to enforcement. Market surveillance authorities possess the power to demand immediate product withdrawal in cases of significant cybersecurity risks. As a result, manufacturers face not only financial losses from product recalls but also potential damage to their market reputation. 

For critical products requiring third-party assessment, the consequences become more stringent. These products must undergo evaluation by authorised bodies before entering the EU market. In the event that manufacturers bypass this requirement, their products face automatic removal from market circulation. 

The regulation places heightened emphasis on vulnerability management. Manufacturers failing to provide timely security updates or neglecting to maintain proper technical documentation face regulatory action. The act mandates support for at least five years, whilst technical documentation must be preserved for a decade. 

Member states maintain the authority to enforce these requirements, though they cannot impose additional cybersecurity standards for market availability. Still, organisations retain the flexibility to set stricter cybersecurity requirements for procurement purposes, ensuring robust security standards across the supply chain. 

Objectives addressed by the act 

The Cyber Resilience Act sets forth two fundamental objectives aimed at strengthening the European Union’s internal market. Primarily, the act focuses on creating conditions for developing secure products with digital elements, ensuring hardware and software products enter the market with minimal vulnerabilities. Alongside this, the legislation establishes a framework enabling users to consider cybersecurity aspects whilst selecting and using digital products. 

Building upon these foundational goals, the act addresses four specific objectives. First, it mandates manufacturers to enhance security features throughout a product’s lifecycle, starting from the design phase. Second, the legislation creates a unified cybersecurity framework that simplifies compliance procedures for hardware and software producers. Third, it improves transparency regarding security properties of digital products. Fourth, the act empowers businesses and consumers to use digital products securely. 

The act responds to pressing cybersecurity challenges, with global annual cybercrime costs reaching €5.5 trillion by 2021. Throughout its implementation, the legislation aims to rebalance responsibility towards manufacturers, introducing a duty of care principle for product lifecycles. This approach shifts away from relying on consumers and volunteers to establish basic security levels. 

Conclusion 

The legislation recognises that secure products in the supply chain hold paramount importance for businesses, treating cybersecurity as a comprehensive company risk issue. This strategic focus aims to prevent severe disruptions to economic and social activities across the internal market, which could potentially become life-threatening. By establishing these objectives, the act positions the EU as a potential global leader in cybersecurity standards.