On November 20, 2024, the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) was published in the Official Journal of the European Union. This landmark regulation introduces harmonized, mandatory cybersecurity requirements for products with digital elements placed on the EU market.
Key dates for compliance are as follows:
December 10, 2024: Act enters into force.
September 11, 2026: Reporting obligations for manufacturers take effect.
December 11, 2027: Act becomes fully applicable.
What is the CRA?
The CRA sets essential cybersecurity requirements for hardware and software products with digital elements (including their remote data processing solutions), covering secure design and development as well as post-market vulnerability handling and security updates for as long as the product is supported.
Organizations involved in the design, production, or distribution of digital products must prepare for its phased implementation.
Important highlights
For manufacturers:
Cybersecurity requirements: Products must meet the essential cybersecurity requirements of Annex I, Part I (secure-by-default configuration, no known exploitable vulnerabilities at release, protection against unauthorized access, confidentiality and integrity of data, a minimized attack surface, secure update mechanisms), and manufacturers must run documented vulnerability handling processes under Annex I, Part II, including a software bill of materials (SBOM) covering at least the top-level dependencies, a coordinated vulnerability disclosure policy, and free, timely security updates.
Risk assessments: Manufacturers must conduct and document a cybersecurity risk assessment covering the planning, design, development, production, delivery and maintenance phases, include it in the technical documentation, and keep it updated.
Reporting:
Early warning: Notify the designated coordinator CSIRT and ENISA, via the single reporting platform, within 24 hours of becoming aware of an actively exploited vulnerability in the product or of a severe incident affecting its security.
Notification: A fuller vulnerability or incident notification, with general information on the product, the nature of the exploit or incident, and any mitigations, must follow within 72 hours.
Final report: For vulnerabilities, within 14 days after a corrective or mitigating measure is available; for severe incidents, within one month after the 72-hour notification.
Users: Inform impacted users (and, where appropriate, all users) without undue delay of the incident or vulnerability and of corrective measures, including any mitigations they can apply themselves.
Conformity assessments: Carry out the conformity assessment procedure appropriate to the product's category (self-assessment for most products; stricter routes, including third-party assessment or EU cybersecurity certification, for products listed as important or critical), affix the CE marking, and keep the product compliant throughout its declared support period, which must be at least five years unless the product's expected use time is shorter.
For importers and distributors:
Importers: Place only compliant products on the market, verifying that the manufacturer has carried out the conformity assessment and drawn up the technical documentation, and that the product bears the CE marking and is accompanied by the required information and instructions.
Distributors: Act with due care to verify that the product bears the CE marking and that the manufacturer and importer have met their obligations, and do not supply a product they have reason to believe is non-compliant.
Global effects
Though the CRA is an EU regulation, its effects will be felt globally: any company selling products with digital elements into the EU must comply, regardless of where it is based. In practice, many companies will find it simpler to raise cybersecurity standards across their entire product line than to maintain a separate EU-specific variant.
Enforcement and penalties
EU Member States will designate market surveillance authorities to enforce compliance. Penalties for non-compliance with the essential cybersecurity requirements or the reporting obligations can reach €15 million (about $16.3 million) or 2.5% of total worldwide annual turnover, whichever is higher; lower tiers apply to breaches of other obligations and to supplying incorrect information to authorities.
Visit BSI’s Experts Corner for more insights from our industry experts. Subscribe to our Experts Corner-2-Go LinkedIn newsletters for a roundup of the latest thought leadership content: Digital trust, EHS, supply chain.