Cyber Resilience Act: New Legal Framework and Recommendations for Companies

by Olga Stepanova | 5.06.2025

Introduction and Overview of the Cyber Resilience Act

With the Cyber Resilience Act (CRA), the EU is introducing binding regulations for the first time that establish fundamental requirements for the IT security of connected products. The goal is to better protect both consumers and businesses from digital threats. Manufacturers will be required to consider security aspects during product development and to provide updates and technical support throughout the product lifecycle. The following provides an overview of current developments surrounding the CRA and includes a practical checklist for companies to assess whether they are affected—and what measures must be implemented by when.

What is the Cyber Resilience Act about?

The CRA is an EU-wide regulation that applies to so-called “digital products”—devices and software solutions that can connect to networks or other systems. Its aim is to establish uniform IT security standards across the European Union and systematically reduce risks in digital products. This is intended to ensure a binding level of security throughout a product’s lifecycle—from design to decommissioning.

Until now, there have often been no clear requirements for security measures or regular updates, leading to avoidable vulnerabilities. The CRA closes this gap by defining mandatory security requirements and clearly assigning responsibility to manufacturers.

Current Status and Timeline

The CRA has been progressing through the EU legislative process since 2022 and was politically adopted at the end of 2023. After extensive discussions—particularly regarding the treatment of open-source software—it was decided to exempt non-commercial open-source projects from the obligations. The final version was adopted by the EU Parliament in March 2024, and the EU Council gave its official approval on October 10, 2024. The law was published in the EU Official Journal on October 20, 2024, and came into force on December 10, 2024. Transition periods extending into 2027 were granted to give companies sufficient time for implementation.

Key Dates at a Glance:

  • December 10, 2024 – Entry into Force: The law officially applies from this date. Companies can begin adapting their processes.
  • June 11, 2026 – Notified Bodies Available: From this point, accredited conformity assessment bodies may test and certify products under the CRA. Manufacturers of security-critical products should identify suitable bodies early.
  • September 11, 2026 – Start of Reporting Obligations: From this date, exploited vulnerabilities or cyber incidents must be reported to the relevant authorities (e.g., ENISA or national bodies) within 24 hours. Companies must have a functioning vulnerability and incident management system in place by then.
  • December 11, 2027 – Full Application: From this date, only products that fully comply with the CRA may be marketed in the EU. The transition period ends—the law becomes fully binding.

Important: Affected products must achieve full compliance by the end of 2027 at the latest. However, some obligations—such as incident reporting—take effect earlier. Violations may result in sanctions such as sales bans or fines of up to €15 million or 2.5% of global annual revenue.

Scope of Application: Which Companies and Products Are Affected?

The CRA generally applies to all new digital products placed on the EU market from December 11, 2027. This includes connected hardware—such as devices with internet or network access—as well as software solutions like operating systems, applications, or IoT components in smart home environments. The key criterion is that the product can communicate with other devices or networks.

The regulation affects not only European manufacturers but also importers who bring such products from third countries into the EU market. Thus, the law covers a wide range—from simple consumer goods to complex industrial IT systems.

Exemptions from the Scope
However, the law provides for specific exemptions. The CRA does not apply to:

  • Products already regulated by specific EU IT security laws—such as medical devices, in vitro diagnostics, certain vehicle components, certified aviation technology, or marine equipment.
  • Spare parts manufactured exactly according to the specifications of an original product.
  • Products intended exclusively for military or law enforcement purposes.
  • Non-commercial open-source software provided free of charge and not intended for profit.

Companies should carefully assess the scope, as the law covers a wide variety of products—from low-cost consumer items to highly specialized B2B solutions—and allows only a few clearly defined exceptions.

Core IT Security Requirements of the CRA

The CRA requires manufacturers to implement a range of fundamental IT security measures. The goal is to identify and systematically control digital risks early to ensure product security throughout the lifecycle.

Key Obligations at a Glance:

  • Security by Design & Default:
    Manufacturers must conduct a risk analysis during development and integrate appropriate safeguards. Product design must prioritize security from the outset—e.g., through encryption of sensitive data or avoiding default passwords. Default settings must be securely configured. External components such as open-source libraries must be reviewed and documented for security.
  • Continuous Vulnerability Management & Updates:
    Throughout the product’s lifecycle, vulnerabilities must be actively identified, resolved, and transparently communicated. A structured Coordinated Vulnerability Disclosure (CVD) process is mandatory. Critical vulnerabilities that are actively exploited must be reported to authorities (e.g., ENISA or national bodies) within 24 hours. Security updates must be provided for at least five years after market launch.
  • Technical Documentation & Software Bill of Materials (SBOM):
    Each digital product must have comprehensive technical documentation, including an up-to-date SBOM—a complete list of all software components such as libraries or modules. While publication of the SBOM is not required, its creation is mandatory.
  • Proof of Compliance & CE Marking:
    Before market placement, manufacturers must demonstrate CRA compliance—either through self-assessment (for most products) or third-party certification for high-risk products. Compliant products receive the CE mark, which will also cover IT security requirements in the future.

These requirements may necessitate adjustments in development processes, product strategy, and support structures. Establishing a Product Security Incident Response Team (PSIRT) and a structured vulnerability management process is strongly recommended. Ensuring IT security across the supply chain is also essential—even if components come from third parties, the manufacturer remains fully responsible.

Implementation Guide: Checklist for Companies

Use the following overview to check whether your product or organization is affected by the CRA – and what steps are required for compliance:

1. Does the Law Apply to Your Product?
Answer the following questions:

  • Digital Functionality: Does your product include hardware or software with network or internet connectivity?
    Example: An IoT device or an application with online update functionality.
  • Market Launch After 2027: Will the product be newly introduced in the EU after December 11, 2027?
  • No Sector-Specific Exemption: Is the product not already subject to other specific EU IT security regulations (e.g., for medical devices, automotive, aviation)?
  • Not Non-Commercial Open Source: Is it not free open-source software with no commercial intent?
  • Not a Spare Part: Is the product not an identical spare part for a device already marketed before the deadline?

If you answered “yes” to all questions, your product is likely subject to the CRA.

2. What Measures Must Be Taken and When?
If your product is affected, initiate the following steps:

  • Integrate Security Principles Early (Immediately):
    Embed IT security in product development. Ensure secure default settings, avoid default passwords, and encrypt sensitive data.
  • Establish Risk Analysis & SBOM (Ongoing):
    Conduct regular risk assessments and create a Software Bill of Materials (SBOM) documenting all components used.
  • Prepare Compliance Documentation (by End of 2027):
    Create technical documentation and an EU Declaration of Conformity. Determine whether your product falls into a high-risk category—in which case external certification is required.
  • Implement Vulnerability Management (by September 11, 2026):
    Set up a Product Security Incident Response Team (PSIRT) and establish processes for reporting security incidents within 24 hours.
  • Ensure Long-Term Update Strategy:
    Plan to provide security updates for at least five years after market launch. Communicate clearly how and for how long updates will be delivered.

Implementation Tips and Outlook

Engage Suppliers Early
Actively involve your suppliers and external service providers in your security strategy. Ensure that purchased components also meet CRA requirements. Contractually anchor security criteria to minimize interface risks along the supply chain.

Regulatory Context
The CRA is part of the EU’s broader cybersecurity strategy and complements other frameworks such as the NIS2 Directive. While NIS2 focuses on critical infrastructure operators and their reporting obligations, the CRA targets product security. Both frameworks are directly applicable—the CRA as an EU regulation, NIS2 after transposition into national law—and share the goal of strengthening digital security in Europe.

Stay Informed
Regularly follow publications from the EU Commission, the European Union Agency for Cybersecurity (ENISA), and national authorities such as the BSI. These sources provide practical guides, FAQs, and sector-specific recommendations to support CRA implementation. Ongoing monitoring of regulatory developments helps ensure timely responses to changes.

Conclusion

The Cyber Resilience Act marks a turning point: IT security becomes a legal obligation. Companies that act early can not only avoid fines but also build trust through demonstrably secure products and strategically position themselves in the market.

Feel free to contact us if you have questions about the CRA!

About the author:

Olga Stepanova