The European Cyber Resilience Act: what it means for Digital Products

The European Union’s Cyber Resilience Act (CRA) marks a transformative shift in how digital products are designed, developed and brought to market across Europe. As the first comprehensive EU-wide legislation of its kind, the CRA introduces mandatory cybersecurity requirements for virtually all hardware and software products with digital elements, fundamentally altering the compliance landscape for manufacturers, importers and distributors.

As well as safeguarding consumers and businesses buying software or hardware products with a digital component, the CRA:

  • addresses the inadequate level of cybersecurity in many products, and the lack of timely security updates for products and software;
  • tackles the challenges consumers and businesses currently face when assessing which products are cybersecure and in setting them up securely; and
  • makes it easier to take cybersecurity into account when selecting and using products that contain digital elements, making it more straightforward to identify hardware and software products with the proper cybersecurity features.

Relationship with other EU legislation

The CRA complements existing EU cybersecurity laws, such as the NIS2 Directive, the Cybersecurity Act and the Digital Operational Resilience Act (DORA), and is part of a broader EU strategy to bolster digital security and resilience. By establishing a unified baseline for product security, the CRA aims to close gaps and overlaps in the current legislative framework.

Scope and applicability

The CRA applies to a broad range of products with digital elements - essentially, any device or software whose intended use involves a direct or indirect connection to a device or network. As well as discrete items of software or hardware, a broad range of products are covered, including smart home devices and other connected devices (e.g. Internet of Things devices), computers, wearables, mobile phones, operating systems, applications, embedded software and industrial components. Products already covered by existing EU cybersecurity rules, such as medical devices, aviation and automotive products, are excluded from the CRA. Open-source software is excluded, provided that it is not made available in the EU market as part of a commercial activity.

The CRA is governed by the ‘marketplace principle’ which means it applies to any product offered on the EU internal market - regardless of whether it is sold for payment or provided free of charge - provided it is supplied as part of a commercial activity. The location of the manufacturer or supplier is irrelevant, whether based inside or outside the EU. If the product is accessible to users in the EU, the CRA’s requirements will apply.

Timeline and transition

The CRA entered into force on 10 December 2024, with its main obligations applying in all EU Member States from 11 December 2027. Before this, the requirements for conformity assessment bodies will apply from 11 June 2026, and the notification obligations for manufacturers will apply from 11 September 2026. This transition period gives manufacturers and other economic operators (i.e. importers and distributors) time to adapt their processes, products and supply chains to the new requirements.

Key objectives and requirements

The CRA is underpinned by four principal goals:

  • Enhance cybersecurity throughout product lifecycles. Manufacturers must embed security into every phase, from design to end-of-life, ensuring products are secure before they reach consumers.
  • Create a unified EU cybersecurity framework. By introducing a unified set of cybersecurity requirements, the CRA aims to facilitate compliance for hardware and software producers.
  • Increase transparency. Manufacturers must provide clear and accessible information about the security features of their products, including details on vulnerability management, support periods and incident reporting.
  • Empower consumers and businesses. The CRA aims to make it easier for buyers to identify and trust products that meet robust cybersecurity standards.

The CRA introduces horizontal, mandatory cybersecurity requirements that apply throughout a product’s lifecycle:

  • Security by design and by default. Products must be designed, developed and produced to minimise cybersecurity risks from the outset, including integrating security features such as authentication, identity and access management to protect against unauthorised access. Products must not be placed on the market with known exploitable vulnerabilities.
  • Lifecycle coverage. Manufacturers are required to provide security updates and address vulnerabilities throughout the product’s supported lifecycle. The CRA’s focus on lifecycle management is intended to ensure that products remain secure, are regularly updated and that vulnerabilities are addressed promptly, thereby protecting consumers and businesses against evolving cyber threats.
  • Vulnerability management. Manufacturers must implement processes to identify, document and remediate vulnerabilities throughout the product’s support period. Security updates and patches must be provided promptly and free of charge, with a minimum support period of five years unless a shorter period is justified by the product’s expected use.
  • Incident reporting. Manufacturers must report actively exploited vulnerabilities within 24 hours of discovery and inform users within 14 days of corrective measures being available. A contact address for vulnerability reporting must be provided, and a co-ordinated vulnerability disclosure policy must be enforced.
  • Conformity assessment and transparency. Before placing a product on the market, manufacturers must perform a conformity assessment to ensure compliance with the CRA’s essential cybersecurity requirements and affix the CE marking to demonstrate compliance. Certain critical products will require independent third-party cybersecurity assessments before being placed on the EU market. Manufacturers must prepare technical documentation including a software bill of materials (SBOM) listing all components and known vulnerabilities, and make it available to regulatory authorities upon request. Information and instructions for users regarding the secure configuration and use of the product must be provided.

Obligations for importers and distributors

Importers and distributors must verify that products conform to CRA requirements before making them available on the EU market. They must notify manufacturers and authorities of detected vulnerabilities and maintain records for 10 years after product release. If importers or distributors place products on the market under their own brand, they are considered manufacturers for the purposes of the CRA and must fulfil all related obligations.

Compliance and enforcement

The CRA places the onus squarely on manufacturers, importers and distributors - collectively termed “economic operators” - to ensure compliance. Non-compliance can result in substantial fines of up to €15 million or 2.5% of global annual turnover, whichever is higher. To indicate compliance, products must bear the CE marking, a familiar symbol signifying conformity with EU safety, health and environmental standards.

Practical steps for compliance

The CRA represents a paradigm shift for manufacturers. It requires increased upfront investment, with security integrated into product development from the earliest stages, as well as ongoing obligations well beyond the point of sale, such as continuous vulnerability monitoring, incident reporting and regular updates. Economic operators should begin preparations now to ensure compliance by the 2027 deadline, including:

  • Conduct product portfolio assessments. Undertake mapping, identify which products fall within the CRA’s scope and assess current cybersecurity controls.
  • Implement security by design processes. Integrate cybersecurity into product development lifecycles, including secure coding practices and vulnerability management.
  • Establish incident response protocols. Set up systems for rapid vulnerability detection, disclosure and remediation.
  • Prepare documentation. Develop and maintain the technical files, declarations and conformity assessments required by the CRA.
  • Monitor regulatory developments. Stay informed about guidance from the European Commission and the CRA Expert Group (a specialised advisory body established by the Commission to support implementation of the CRA) as implementation details evolve.

Updating contracts

The CRA’s cybersecurity requirements transcend individual organisations and products, extending throughout the entire supply chain. Manufacturers must ensure security not only for their own components but also for all third-party elements, including open-source software. Contracts should be updated to deal with the new security responsibilities, including assigning roles for identifying and remediating vulnerabilities, managing updates and ensuring the secure integration of components. Other provisions should cover penetration testing, incident response, delivery of security patches and updates, provision of an SBOM as part of the contract, audit rights and contractual enforcement mechanisms, including penalties for non-compliance.

Conclusion

The European Cyber Resilience Act sets a new global benchmark for cybersecurity in digital products. By shifting responsibility to manufacturers and economic operators, the CRA aims to ensure that products sold in the EU are secure by design and throughout their lifecycle. Compliance will require significant changes to product development, supply chain management and post-market support, but it also offers an opportunity for businesses to build trust and differentiate themselves in a security-conscious market. As the 2027 compliance deadline approaches, proactive engagement and early adaptation will be critical for all stakeholders in the digital product ecosystem.

If you would like to discuss the content of this article further, please contact Tim Wright or Ben Milloy.