After years in the making, the EU Cyber Resilience Act (CRA) was adopted by the Council of the European Union on 10 October 2024. It will be published in the Official Journal of the EU in the coming weeks and enter into force 20 days after publication. The reporting obligations will apply 21 months after entry into force, likely in the summer of 2026, and the remaining provisions 36 months after entry into force, likely in the fall of 2027.
What is the CRA?
The CRA imposes cybersecurity and vulnerability handling requirements on products with digital elements. These are software or hardware products whose intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical data connection to a device or network, including software or hardware components placed on the market separately. This broad definition is likely to cover a wide range of Internet of Things devices and other products, including end devices such as laptops, mobile devices, smartphones, microprocessors, routers and smart home devices, as well as stand-alone software such as identity, privileged access and mobile device management software, firewalls, mobile apps, video games and desktop applications.
Excluded from the scope are, among others, certain products already covered by sector-specific product safety legislation, such as medical devices, civil aviation products and motor vehicles, as well as products developed exclusively for national security or defense purposes.
Most obligations fall on manufacturers of products with digital elements, but some also on authorized representatives, importers and distributors.
Key requirements under the CRA
Products with digital elements will need to comply with essential cybersecurity requirements. They will need to be designed, developed and produced to ensure a level of cybersecurity appropriate to the risks they present.
Products will need to be placed on the market without any known exploitable vulnerabilities and with a secure-by-default configuration. They will need to include appropriate control mechanisms, including authentication, identity or access management systems, protect the confidentiality of stored and transmitted data using state-of-the-art encryption, and be resilient against denial-of-service attacks. It must also be possible to address vulnerabilities through security updates.
Additionally, specific vulnerability handling requirements will apply. Manufacturers of products with digital elements will have to identify and document the vulnerabilities and components contained in the product, including by drawing up a software bill of materials (SBOM) in a commonly used and machine-readable format that covers, at the very least, the top-level dependencies of the product.
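The requirement to document "at the very least the top-level dependencies" in "a commonly used and machine-readable format" is abstract, so here is an added example of what such a minimal SBOM can look like. It is illustration only, not text from the Act or from this article, and it assumes CycloneDX 1.5 JSON as the format (the CRA does not name one; CycloneDX and SPDX are the two commonly used choices), a Python product whose direct runtime dependencies are pinned in a requirements file, and a constructed sample requirements file and product name.

```python
"""Build a minimal top-level SBOM in CycloneDX 1.5 JSON from a pinned
Python requirements file.

Added example. CycloneDX is an assumption: it is one commonly used
machine-readable SBOM format, but the CRA text itself does not mandate one.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: the product's pinned top-level dependencies.
SAMPLE_REQUIREMENTS = """\
# top-level runtime dependencies of the (hypothetical) product
requests==2.32.3
cryptography==43.0.1   # pinned deliberately
pyjwt[crypto]==2.9.0
"""

# name, optional [extras], '==', version; comments and blank lines do not match
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s#]+)")


def parse_pins(text):
    """Return (name, version) pairs from 'name==version' lines.
    Extras such as [crypto] are dropped: the package URL (purl) identifies
    the package and version, not the optional extras selected."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(3)))
    return pins


def build_sbom(product_name, product_version, requirements_text):
    """Assemble a CycloneDX 1.5 document: the product is the metadata
    component, each pin is a library component, and the dependency graph
    records the product's direct (top-level) dependencies."""
    product_ref = f"pkg:generic/{product_name}@{product_version}"
    components = []
    for name, version in parse_pins(requirements_text):
        purl = f"pkg:pypi/{name}@{version}"
        components.append({
            "type": "library",
            "bom-ref": purl,
            "name": name,
            "version": version,
            "purl": purl,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {
                "type": "application",
                "bom-ref": product_ref,
                "name": product_name,
                "version": product_version,
            },
        },
        "components": components,
        # product -> each top-level component; transitive deps are not
        # resolved here, which is the minimum the text describes.
        "dependencies": [
            {"ref": product_ref, "dependsOn": [c["bom-ref"] for c in components]}
        ] + [{"ref": c["bom-ref"], "dependsOn": []} for c in components],
    }


def top_level_purls(sbom):
    """Consumer-side check: read back what the root component directly
    depends on, using only the document, not the build inputs."""
    root = sbom["metadata"]["component"]["bom-ref"]
    deps = {d["ref"]: d["dependsOn"] for d in sbom["dependencies"]}
    return sorted(deps[root])


if __name__ == "__main__":
    doc = build_sbom("example-gateway", "1.4.0", SAMPLE_REQUIREMENTS)
    print(json.dumps(doc, indent=2))
    print("top-level:", top_level_purls(doc))
```

A real pipeline would resolve the full dependency graph from a lock file and regenerate the document on every release, because an SBOM that describes a build other than the one shipped is useless for matching advisories to affected product versions.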
Manufacturers will also need to address and remediate vulnerabilities without delay, including by providing security updates free of charge, accompanied by advisory messages to users describing any action they need to take. Once a security update has been made available, manufacturers will have to publicly disclose information about the fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the affected product with digital elements, the impact and severity of the vulnerabilities and information helping users to remediate them. Manufacturers will also need to put in place and enforce a coordinated vulnerability disclosure policy.
Categories of products with digital elements that trigger specific requirements
Some products with digital elements are considered critical because essential entities under the NIS2 Directive are critically dependent on them, or because incidents and exploited vulnerabilities affecting them could lead to serious disruptions of critical supply chains across the internal market. Annex IV of the CRA contains an initial list of critical products with digital elements, including, for example, hardware devices with security boxes and smartcards or similar devices. The list can be amended by the European Commission.
This category of products will need to obtain a European cybersecurity certificate at assurance level at least "substantial" under a European cybersecurity certification scheme adopted pursuant to the EU Cybersecurity Act (Regulation (EU) 2019/881), where available, to demonstrate conformity with the essential cybersecurity requirements under the CRA.
Certain products with digital elements are considered important for one of two reasons. Either they perform functions critical to the cybersecurity of other products, networks or services, such as securing authentication and access, intrusion prevention and detection, endpoint security or network protection, or the function they perform carries a significant risk of adverse effects, including the ability to disrupt, control or damage a large number of other products or to harm the health, security or safety of their users.
Annex III of the CRA contains an initial list of important products with digital elements, including, for example, identity management systems and privileged access management software and hardware, VPNs, operating systems, routers, microprocessors and microcontrollers with security-related functionalities, internet-connected toys and wearables. The list can be amended by the European Commission.
This category of products will need to undergo the stricter conformity assessment procedures set out in the CRA, in addition to the requirements that apply to all products with digital elements.
Reporting obligations
Manufacturers will need to report any actively exploited vulnerability in the product, and any severe incident having an impact on the security of the product, to the competent computer security incident response team (CSIRT) and to the European Union Agency for Cybersecurity (ENISA) without undue delay, and in any event within 24 hours of becoming aware of it. Follow-up notifications will be required, as a general rule, within 72 hours, followed by a final report: for an actively exploited vulnerability, within 14 days after a corrective or mitigating measure becomes available; for a severe incident, within one month of the 72-hour notification. There are specific rules to determine which CSIRT is competent.
The intention is for notifications to be submitted through a single reporting platform, using the electronic notification end-point of the competent CSIRT, which should as a rule be simultaneously accessible to ENISA.
Impacted users of the product will also need to be informed, without undue delay, of the actively exploited vulnerability or severe incident and, where necessary, of the corrective measures they can take.
Fines for noncompliance
Fines can amount to up to 15 million euros or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Next steps for manufacturers of products with digital elements
There was some debate during the trilogue negotiations around the scope of the CRA (for example, whether stand-alone software should be in scope) and its key obligations. Now that the text is final, manufacturers of products with digital elements should check whether the products they sell in the EU are likely to be caught by the CRA and, if so, in which categories they are likely to fall. Even though the bulk of the requirements under the CRA will only apply in three years' time, manufacturers could benefit from an early assessment and early compliance steps, taking into account products in the pipeline and the extent of the new obligations around secure software development, technical documentation and vulnerability handling.
Ana Bruder is a partner at Mayer Brown, LLP.