EFS Consulting
04/29/2025

The EU Cyber Resilience Act (CRA): Mandatory Security

The EU Cyber Resilience Act (CRA) is a central component of the European cyber security strategy and aims to make digital products more secure. It obliges manufacturers to meet security requirements throughout the entire life cycle of their products. This Insight reveals the key facts behind the CRA and its real-world implications for businesses and users.

Key Takeaways 

  • Objective of the CRA: Binding cybersecurity requirements for products with digital elements in order to reduce vulnerabilities. 
  • Scope: Hardware and software products that are directly or indirectly connected to a network. 
  • Classification: Products are categorised based on their criticality, resulting in different security requirements. 
  • Manufacturer obligations: Implementation of ‘security by design’ and ‘security by default’ as well as provision of security updates for the entire service life of the product. 

 

Introduction to the Cyber Resilience Act (CRA) 

Insecure software, unprotected networks and poorly maintained systems harbour considerable risks for companies and consumers. Continuous digitalisation and networking of IT systems lead to a growing need for robust security precautions. While innovative technologies increase efficiency and convenience, they also increase the attack surface for cyber threats. In 2023 alone, the economic damage caused by cyberattacks on European companies amounted to several billion euros – due to production downtime, blackmail, data loss or loss of trust. 

This is where the European Union’s Cyber Resilience Act (CRA) comes in, creating cybersecurity standards to make digital products more secure and strengthen the resilience of the digital economy in the long term.  

What is the Cyber Resilience Act? 

The Cyber Resilience Act (CRA) was adopted by the European Union to improve the cybersecurity of products with digital components. The CRA is part of the EU 2020 Cybersecurity Strategy, which provides for measures to strengthen digital security across the EU. The regulation entered into force on 11 December 2024 after being adopted on 10 October 2024. Manufacturers and other economic operators must comply with most obligations applying from 11 December 2027.  

The CRA is an EU cybersecurity law designed to ensure a high level of security for products with digital elements. This includes both hardware and software that are directly or indirectly connected to a network. The aim is to minimise security vulnerabilities and ensure that manufacturers are responsible for cybersecurity throughout the entire life cycle of the product.  

Many products have security vulnerabilities that can be exploited by attackers, causing considerable economic damage. The CRA is intended to counter these risks by defining binding security standards to strengthen trust in digital products. 

Who is Affected? 

The regulation is aimed at companies that manufacture, import or distribute digital products in Europe or provide related services.

Products with digital elements that require a data connection to a device or network are affected. This includes both hardware and software products, their remote data processing components, and individual modules – such as smart household appliances, networked industrial control systems or digital health devices. The CRA applies to new products as well as those that are already on the market. There are exceptions for public authorities, certain regulated products and open-source software. 

The Role of the CRA in the EU Cybersecurity Strategy 

The CRA is an essential part of the EU’s cybersecurity strategy and complements existing initiatives such as the NIS2 Directive, which sets out requirements for network and information security – you can also find a compact overview of the key points in the EFS Insight on NIS2. While the GDPR deals with the protection of personal data, the CRA focuses on the security of the products themselves. Together, they promote a secure digital single market and lead to the harmonisation of security requirements for digital products in the EU. 

Opportunities and Risks of the Cyber Resilience Regulation 

The CRA enables the introduction of uniform security standards that lead to a higher level of security. However, increased requirements can also lead to higher costs for manufacturers, especially for small and medium-sized enterprises (SMEs). Companies must therefore find a balance between security and economic feasibility.

 

Key Points of the Cyber Resilience Act 

The regulation sets clear requirements for the cybersecurity of digital products within the EU. It affects manufacturers, retailers and users – from product development to labelling and use. The following key points provide an overview of the most important regulations and obligations.  

Area of Application of the CRA 

The CRA applies to all products with digital components that are directly or indirectly connected to a network. This includes both hardware and software as well as networked devices (Internet of Things). The CRA also distinguishes between different product categories in order to ensure suitable software security standards. 

Classification of Products 

Products are classified according to their risk as follows: 

  • Standard category (not critical): Hard drives, PC games, etc.
  • Critical products (class 1 & 2): Browsers, password managers, firewalls, routers.
  • Highly critical products: Operating systems, CPUs.

The majority (approx. 90%) of the products fall under the ‘non-critical’ category. 

Security Requirements of the CRA 

Requirements for Manufacturers:  

  • Mandatory reporting: Vulnerabilities must be reported within 24 hours via the ENISA (European Union Agency for Cybersecurity) platform. 
  • Security by design & default: Products must be developed securely from the start of implementation. 
  • Vulnerability management: Manufacturers are obliged to provide regular IT security updates and patches. 

Requirements for Suppliers and Retailers: 

  • Labelling the affected products with the CE mark. 
  • Notifying the manufacturers about identified product vulnerabilities. 
  • Completeness of the documents relating to the products supplied by the manufacturer. 

Requirements for Users: 

Users should be aware of the security aspects of their digital products and handle them responsibly. This includes regularly installing security updates and handling networked devices with care. 

Compliance and Certifications 

To support the implementation of the CRA, a CE marking for cybersecurity will be introduced. From December 2027, only products bearing the CE mark for cybersecurity may be sold in the EU.  

Infringements can lead to high penalties: 

  • Up to €15 million or 2.5% of global turnover for missing or incorrect CE labelling.
  • Up to €5 million or 1% of global turnover for false or misleading information in the conformity assessment.

 

Importance of the CRA for Companies  

For companies, the CRA not only brings obligations, but also strategic opportunities. Those who react early can utilise security as a competitive advantage. 

Challenges for Companies 

Companies face a number of challenges in meeting the new requirements. These include rising compliance costs, the need to adapt supply chains and the increasing complexity of regulations.

Advantages of the CRA for Companies 

However, the CRA also offers companies opportunities: adherence to strict security standards strengthens IT security, improves the brand image and gives companies that achieve compliance at an early stage a competitive advantage. 

 

Effects of the CRA on Users 

Security and Transparency for Users 

The CRA is intended to improve the security of digital products by introducing binding cybersecurity standards. This strengthens users’ trust in the products. Greater transparency about potential risks enables users to make informed decisions. In addition, security throughout the entire life cycle is also an advantage for users. 

Challenges for Consumers 

The new requirements could lead to higher prices for digital products. In addition, consumers will have to ensure that they only use CRA-compliant products in future. 

 

Best Practices for Companies to Implement the CRA 

Implementing the CRA requires targeted organisational and technical measures. The information security experts at EFS Consulting recommend the following best practices to fulfil regulatory requirements and strengthen your own security architecture at the same time: 

1. Initial Gap Analysis & Maturity Assessment:

Before measures are implemented, it is crucial to determine the current maturity level of cybersecurity in the company. A structured gap analysis creates transparency regarding the need for action and forms the basis for a targeted implementation strategy.

2. Early Integration of Security Concepts:  

Security requirements should already be taken into account in the design phase (‘security by design’). This includes risk analysis, threat modelling and the selection of secure technologies – throughout the entire product development cycle. 

3. Regular Vulnerability Analysis:  

Vulnerabilities can be detected and rectified at an early stage using automated and manual tests. Regular penetration tests and code reviews, supplemented by centralised vulnerability management, are particularly effective methods. 

4. Structured Patch Management:  

Standardised processes are essential in order to provide security updates and patches in a timely manner. This includes the prioritisation of critical updates, test procedures and automated distribution to affected systems. 

5. Reliable Reporting of Security Incidents:  

Security incidents must be reported to the relevant authorities within 24 hours – e.g. via the ENISA platform. Clear internal reporting chains and prepared incident response plans are of utmost importance for a rapid response. 

 

Conclusion 

The Cyber Resilience Act represents significant progress towards greater cybersecurity in the EU. This brings challenges and opportunities for companies. Dealing with the new requirements at an early stage not only ensures compliance but also enables companies to gain long-term competitive advantages. EFS Consulting supports companies with optimised solutions to efficiently implement the new requirements and sustainably strengthen their digital resilience.

 

FAQs

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act is an EU law that requires manufacturers to bring secure hardware and software products to market and fix security vulnerabilities throughout the product lifecycle.

What is the difference between NIS2 and the Cyber Resilience Act?

NIS2 concerns the cyber security of critical infrastructure, while the CRA is aimed at the security of products with digital elements – in particular their design, development and maintenance.

What are the penalties for breaches of the CRA?

Violations of the CRA in the EU can result in fines of up to 15 million euros or 2.5% of annual global turnover – whichever is higher.
