Alert
14 October 2024

EU Adopts Cyber Resilience Act for Connected Devices

On October 10, 2024, the European Council officially adopted the Cyber Resilience Act (CRA), a regulation designed to ensure that products with digital features are secure to use and resilient against cyber threats, and provide enough information about their security properties. The CRA was introduced as a component of the 2020 EU Cybersecurity Strategy, complementing existing cybersecurity laws such as the Network Information Systems Directive 2 (NIS2), which goes into effect in October 2024. It will encompass all products connected directly or indirectly to another device or network, with certain exceptions, including open-source software and industries already governed by existing regulations, such as medical devices, aviation, and automobiles.

Manufacturers are required to ensure that compliant products are available in the EU market by 2027.

In the past few years, hardware and software products have been increasingly targeted by cyberattacks, which contribute to an estimated annual global cost of €5.5 trillion in cybercrime (as of 2021). Typically, these products ship with minimal cybersecurity measures, contain widespread vulnerabilities, and receive inconsistent or insufficient security updates to address them. Another issue that drives up costs for users and society is a lack of user awareness and limited access to expertise. This, ultimately, prevents users from selecting products that contain robust security features.

The current EU legal framework does not specifically address the cybersecurity of non-embedded software, even though cyberattacks are increasingly exploiting vulnerabilities in these products, leading to significant societal and economic costs.

The European Council identified two main objectives. First, there is a need to create conditions for the development of secure products with digital elements by reducing vulnerabilities in hardware and software and ensuring that manufacturers prioritize security throughout the product’s life cycle. Additionally, conditions must be established to empower users to take cybersecurity into account when selecting and using products with digital elements.

The other objectives identified by the European Council included the following:

  • The assurance that manufacturers enhance the security of products with digital elements at the design and development phase and throughout the entire product life cycle
  • The guarantee of a coherent cybersecurity framework that simplifies compliance for hardware and software producers
  • The enhancement of transparency regarding the security properties of products with digital elements
  • The ability of businesses and consumers to securely use products with digital elements

Purpose of the CRA

The CRA aims to protect consumers and businesses that purchase or use products or software with a digital component. It seeks to eliminate inadequate security features by introducing mandatory cybersecurity requirements for manufacturers and retailers, with this protection extending throughout the product’s life cycle.

The regulation addresses two main issues:

  1. Insufficient cybersecurity measures in many products and software, as well as the lack of security updates
  2. The difficulty consumers and businesses face in identifying cybersecure products or configuring products to ensure proper cybersecurity

The CRA will ensure harmonised rules for bringing products or software with digital components to market; establish a cybersecurity framework that covers the planning, design, development, and maintenance of these products; and impose a duty of care for the entire product life cycle.

Scope of Application

The regulation will apply to all products connected directly or indirectly to another device or network, from smart doorbells and speakers to baby monitors, with the objective of addressing existing gaps, clarifying connections, and streamlining the current cybersecurity legislative framework. This ensures that products with digital components, such as Internet of Things (IoT) devices, are secure throughout the supply chain and their entire life cycle.

The CRA requirements will cover the design, development, production, and market availability of both hardware and software products, preventing overlapping regulations across EU member states.

Requirements

Products will carry a “CE” marking to signify compliance with the regulation’s requirements. This marking is already widely used on products sold in the European Economic Area (EEA) to indicate they meet high safety, health, and environmental standards.

Certain devices — such as medical devices and aeronautical products — may be exempt from the CRA if they are already covered by existing EU laws. For example, medical devices will be required to comply with the cybersecurity requirements of NIS2.

In the UK, similar legislation — the Product Security and Telecommunications Infrastructure (PSTI) Act — came into effect in April 2024. PSTI creates a new regulatory scheme in the UK to make consumer connectable products more secure against cyberattacks by setting minimum security requirements for IoT products. PSTI imposes duties on relevant businesses that will affect manufacturers, importers, and distributors of these products, including: (i) compliance with relevant security requirements (for example, meeting minimum password requirements, providing information on reporting security issues to a designated point of contact, and providing information on the minimum period during which security updates are provided); (ii) ensuring in-scope products are only made available within the UK if they are accompanied by a statement of compliance; and (iii) ensuring any failures to comply with security requirements are rectified.

Next Steps for the CRA

Now that the legislation has been adopted by the Council, the presidents of the Council and the European Parliament will need to sign it. In the weeks after the signing, the CRA will be published in the EU’s official journal.

The Importance of the CRA for Providers

Compliance with the CRA for providers is crucial for several reasons.

Legal Compliance
The failure to adhere to the requirements of the CRA could result in legal consequences, including fines (up to €15 million or 2.5% of annual turnover) and restrictions around market access. Complying with the CRA will, therefore, ensure providers can continue to sell their products across the EEA without legal barriers and business disruption.

Consumer Trust
The CE marking, which indicates compliance with the regulation, enhances consumer trust and confidence. Consumers are more likely to purchase products that meet high cybersecurity standards, knowing they are protected from potential threats. This can give providers a competitive edge in the market.

Cybersecurity Assurance
vital. The CRA helps providers establish a consistent level of security across their product range. This reduces the risk of vulnerabilities being exploited, which could damage the provider’s reputation and result in extensive costs arising from security incidents.

Market Consistency
By adhering to a unified set of cybersecurity requirements, providers avoid the complexity and costs of complying with different regulations across EU member states. This harmonisation enables providers to operate more efficiently across multiple markets.

Future-Proofing
The CRA sets a high security standard for digital products, including IoT devices; ultimately, it ensures providers’ products remain compliant with evolving security requirements over time. This future-proofs businesses against changing legislation and emerging threats.

At Goodwin, we are dedicated to helping companies navigate the complexities of new EU and UK regulations, including the Cyber Resilience Act (CRA). Our team of legal experts specializes in EU and UK law and works closely with regulators across member states to ensure businesses are fully compliant within this evolving regulatory landscape.

The CRA introduces new cybersecurity requirements for manufacturers and retailers of products or software with a digital component, ensuring enhanced security throughout the product life cycle. This includes harmonised rules for bringing products to market and ensuring cybersecurity compliance at every stage, from development and market launch to ongoing maintenance.

Understanding the challenges posed by these regulations, Goodwin provides tailored support to help businesses anticipate and meet their obligations under the CRA. We are here to guide you through every step, ensuring your company is prepared for the regulation’s entry into force and compliant with its stringent requirements.

With our expertise, we ensure that your operations align with EU standards, safeguarding both consumers and businesses. Let us help you navigate this complex framework and turn regulatory challenges into opportunities for growth and innovation.


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.