EU CRA Cyber Resilience Act

European Union Strengthens Cybersecurity Measures

In response to growing digital security threats, the European Union has passed a new law aimed at protecting users and businesses from cyber threats. The Cyber Resilience Act (CRA) introduces strict mandatory security requirements for all digital products, including software and hardware.

The key provisions of the new law are:

  1. Integration of security measures. Manufacturers are required to integrate security measures at all stages of the product lifecycle, from design to support.
  2. CE marking (“European Conformity”). All digital products must meet minimum security standards to receive CE marking, which confirms their compliance with EU requirements.
  3. Security updates. Manufacturers are required to provide security updates within five years of a product going to market and to report identified vulnerabilities to the European Cybersecurity Agency (ENISA).

CRA for manufacturers

Product Requirements

The CRA formulates detailed security requirements for technical devices and software. The document provides for comprehensive protection in several key areas: ensuring access control, guaranteeing information privacy, preserving data integrity, maintaining system availability, and ensuring that the product is in a secure state at the time it is placed on the market.

A fundamental condition is the integration of security mechanisms from the earliest stages of the product life cycle: directly into the design, development and production processes.

Process requirements

As part of a secure development methodology, manufacturers are required to test their own products systematically for potential cybersecurity issues and to remediate identified vulnerabilities without delay. Security fixes must be provided at no additional cost and this obligation remains in effect for a five-year period.

The CRA also introduces enhanced transparency requirements. Companies are required to promptly inform the European Union Agency for Cybersecurity (ENISA) of any known actively exploited vulnerabilities or reported cyberattacks that could compromise product security, in particular attacks that manipulate download mechanisms.

Conformity assessment

Before a product is placed on the market, the manufacturer must ensure that it is fully compliant with established industry regulations. The assessment procedure is based on a detailed classification of the product, taking into account its potential criticality and risks.

Confirmation of compliance requires either strict adherence to European standards or testing by a specialized authorized institution. Particular emphasis is placed on the security assessment of critical infrastructure in the industrial sector.

To this end, manufacturers may apply harmonized standards and work closely with approved expert organizations to confirm that their products fully conform to the established requirements.


CRA for users

The CRA gives users access to products with enhanced cybersecurity, significantly reducing the risks of unauthorized access, information leakage and other cyber threats. CE marking officially confirms a product’s compliance with current European standards.

Manufacturers commit to continuous support of their products throughout their life cycle, including the regular provision of automatic security updates. In this way, consumers can rely on the cybersecurity level of CE-marked products.

Scope and timing

The CRA covers a wide range of products:

  • Hardware. Devices with digital components such as computers, smartphones, smart home appliances.
  • Software. Operating systems, applications, embedded software solutions.
  • Internet of Things (IoT) devices. Sensors, security systems, and other IoT devices.
  • Control and automation systems. Products for industrial processes and commercial applications.

The law was enacted on October 23, 2024. Some of its sections begin to take effect in June and September 2026. The law becomes fully effective on December 11, 2027. By that date, manufacturers are required to ensure their products are compliant with the Act.


Sanctions for manufacturers who do not comply with the CRA’s requirements

The CRA provides strict penalties for manufacturers who violate the new requirements:

  • Fines. Violations can result in fines of up to 15 million euros or 2.5% of a company’s annual worldwide turnover, whichever is greater.
  • Sales ban. Non-compliant products cannot be placed on the market and their sale must be suspended.
  • Notification of violations. Manufacturers must promptly inform ENISA of cyberattacks or vulnerabilities in their products. Failure to do so also risks sanctions.

CRA Implementation

The Cyber Resilience Act is an important step towards a secure digital environment in the EU. It complements the GDPR and the NIS 2 Directive on cybersecurity. The Act protects users from cyber threats and incentivizes manufacturers to implement advanced cybersecurity solutions.

The Act demonstrates the EU’s strategic readiness to adapt to modern technological challenges. The regulation protects consumer interests with strict requirements, certification systems and liability mechanisms. Failure to comply with the new requirements can result in severe penalties, making compliance with the law critical.

Don’t wait until the last minute and put your company at risk of penalties. If your company develops digital products and needs support to comply with the CRA, we’re here to help!

We offer comprehensive cybersecurity auditing, testing, and enhancement solutions to ensure your products meet the new standards and remain competitive. Contact us today to learn more.

Check out our additional services and business cases. Submit the form below to request CRA implementation services. Get a free consultation.
