What is the Cyber Resilience Act?
The European Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is an EU Regulation that lays down fundamental cybersecurity requirements for products with digital elements, that is, hardware and software products whose intended or reasonably foreseeable use includes a direct or indirect data connection to a device or network, placed on the European market. These include industrial control units, IoT products and software installed on electronic devices. The Regulation obligates manufacturers and the other economic operators in the supply chain to ensure that their products remain secure throughout their life cycle, including a defined support period during which security updates must be provided. The aim is to raise the level of cybersecurity on the European single market and to give users transparent insight into the security level of products with digital elements.
The Council of the EU gave its final approval to the CRA on October 10, 2024, and the Regulation entered into force on December 10, 2024. As a Regulation rather than a Directive, it is binding and directly applicable in all member states without national transposition. Most obligations apply from December 11, 2027: from that date, new products placed on the market must comply with the CRA requirements. The manufacturers' obligation to report actively exploited vulnerabilities and severe incidents applies earlier, from September 11, 2026. Market surveillance authorities in the member states will check compliance, and non-compliance may result in corrective measures, withdrawal or recall of products, or fines. The CE marking will also be tied to compliance with the CRA: a product with digital elements may only bear the CE marking if it meets the CRA's essential cybersecurity requirements, so the marking will signify not only conformity with other applicable EU product legislation but also a defined level of security.
Who does the CRA affect?
The requirements of the CRA apply to manufacturers, importers and distributors of products with digital elements or networked hardware and software products along the entire supply chain. There are no exceptions based on company size or turnover.
Products that are already subject to equivalent cybersecurity requirements under sector-specific EU legislation, such as medical devices, motor vehicles and civil aviation, are exempt from the CRA. Also out of scope are products developed exclusively for national security or defence purposes, and free and open-source software that is not made available on the market in the course of a commercial activity. Software as a service is covered only as "remote data processing": cloud-based processing that the manufacturer designs as part of the product and without which the product could not perform one of its functions is part of the product and falls under the CRA, whereas cloud services that are not an essential component of a product do not. Because the CRA covers the entire supply chain, it has particular implications for the many companies that contribute software artifacts or hardware components to security-critical products.
What sanctions are being envisaged for breaches of the CRA’s requirements?
Fines are graduated according to the type of breach (Article 64). Supplying incorrect, incomplete or misleading information to notified bodies or market surveillance authorities may incur a fine of up to 5 million euros or 1% of worldwide annual turnover. Breaches of the other obligations laid down in the Regulation, including those of importers and distributors, may incur fines of up to 10 million euros or 2%. Breaches of the essential cybersecurity requirements or of the manufacturers' obligations, including vulnerability handling and reporting, may incur fines of up to 15 million euros or 2.5%. In each case the higher of the two amounts applies, and turnover means the total worldwide annual turnover of the preceding financial year. Since the CE marking may only be affixed to CRA-compliant products, a product that does not comply with the CRA cannot bear the CE marking and therefore cannot be placed on the European single market at all.
CRA requirements
What Fraunhofer AISEC can assist with