What is the EU Cyber Resilience Act (CRA)?
The Cyber Resilience Act is an EU regulation that sets out binding cyber security requirements for products with digital elements. The aim is to ensure a standardised and high level of security for hardware and software in the EU.
Scope of application: Who is affected by the CRA?
The Cyber Resilience Act applies to all digital products that are placed on the market in the EU. This includes:
Consumer products:
- Smartphones
- Laptops
- Smart home devices (e.g. thermostats, cameras)
- Smartwatches and connected toys
Industrial products:
- IoT devices (Internet of Things)
- Sensors
- Programmable logic controllers (PLCs)
Software products:
- Operating systems
- Desktop, web and mobile applications
👉 Exception: Non-commercial open source software is not subject to the requirements of the CRA.
Requirements of the Cyber Resilience Act
The regulation contains a series of binding requirements for manufacturers, importers and retailers who sell digital products in the EU:
| Requirement | Article | Details |
|---|---|---|
| Cybersecurity in development | Art. 10 | Security measures must be integrated into the development process from the outset. |
| Risk assessment | Art. 10 | Analysis of potential cybersecurity risks before market launch. |
| Conformity assessment | Art. 10 | Proof of compliance with all cyber security requirements. |
| CE labelling | Art. 10 | Official proof of conformity with EU requirements. |
| Technical documentation | Art. 10 | Production and maintenance of comprehensive technical documentation. |
| Obligation to report security incidents | Art. 11 | Security incidents must be reported within 24 hours. |
| Security updates | Art. 10 | Provision of updates for at least five years after market launch. |
| Information for users | Art. 10 | Provision of comprehensible instructions on security functions and updates. |
Deadlines for implementation
Companies should act now to fulfil the requirements in good time. The most important deadlines are:
- General implementation of the requirements: By October 2027 (36 months after coming into force).
- Obligation to report security incidents: By October 2026 (24 months after coming into force).
Cyber Resilience Act and supply chain: Who is affected?
The CRA impacts the entire supply chain:
- Manufacturers: Must integrate cybersecurity measures across the entire lifecycle of their products.
- Importers: Are required to ensure that imported products comply with the requirements.
- Distributors: Are responsible for ensuring that the products they sell are compliant and that security updates remain available.
Why is the Cyber Resilience Act so important?
With the CRA, the EU is setting new standards for cyber security. The aim is to protect the digital infrastructure, minimise risks and strengthen trust in networked products. For companies, this means:
- Improved competitiveness through secure products
- Increased consumer confidence
- Protection against costly security incidents and fines
Conclusion: Act now!
The EU Cyber Resilience Act is more than just a regulation – it is a clear message to manufacturers, importers and retailers to take cyber security seriously. It sets out clear and binding requirements to make digital products more secure and define responsibilities along the entire supply chain. With binding requirements and clear deadlines, the EU is sending a strong signal in favour of a more secure digital Europe. It is now crucial for companies to take early action to fulfil the requirements and increase consumer confidence in digital products.
Are you ready to implement the requirements of the CRA? Contact us and secure our support for implementation and compliance!