Alert
14 October 2024

EU Adopts Cyber Resilience Act for Connected Devices

On October 10, 2024, the Council of the European Union formally adopted the Cyber Resilience Act (CRA), a regulation designed to ensure that products with digital elements are secure to use, resilient against cyber threats, and accompanied by enough information about their security properties. The regulation was announced in the 2020 EU Cybersecurity Strategy, proposed by the Commission in September 2022, and complements existing laws, in particular the NIS2 Directive. It will cover all products that can be connected directly or indirectly to another device or network, with certain exceptions, including free and open-source software that is not supplied in the course of a commercial activity and sectors already governed by their own EU rules, such as medical devices, civil aviation, and motor vehicles.

Most of the CRA's obligations will apply 36 months after the regulation enters into force, i.e. from late 2027, so manufacturers must ensure that products they place on the EU market from then on comply. Some provisions apply earlier, notably manufacturers' obligations to report actively exploited vulnerabilities and severe incidents, which apply 21 months after entry into force.

In recent years, hardware and software products have been increasingly targeted by cyberattacks, contributing to an estimated global annual cost of cybercrime of €5.5 trillion by 2021. Two underlying problems drive this. First, many products have a low level of cybersecurity, characterized by widespread vulnerabilities and inconsistent or insufficient provision of security updates to address them. Second, users lack awareness of, and access to, the information they would need to select products with strong cybersecurity properties or to use them securely. Both problems drive up costs for users and for society.

Most hardware and software products are currently not covered by any EU legislation tackling cybersecurity.

The current EU legal framework does not specifically address the cybersecurity of non-embedded software, even though cyberattacks are increasingly exploiting vulnerabilities in these products, leading to significant societal and economic costs.

To ensure the proper functioning of the internal market, the Commission's proposal identified two main objectives. First, create the conditions for the development of secure products with digital elements by reducing vulnerabilities in hardware and software and ensuring that manufacturers take security seriously throughout a product's life cycle. Second, create the conditions that allow users to take cybersecurity into account when selecting and using products with digital elements.

These translate into four specific objectives:

  • Ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle
  • Ensure a coherent cybersecurity framework that facilitates compliance for hardware and software producers
  • Enhance the transparency of the security properties of products with digital elements
  • Enable businesses and consumers to use products with digital elements securely

Purpose of the CRA

The CRA aims to protect consumers and businesses that purchase or use products or software with a digital component. It tackles inadequate security in such products by introducing mandatory cybersecurity requirements for manufacturers, importers, and distributors, with obligations that extend throughout the product's life cycle.

The regulation addresses two main issues. The first is the insufficient cybersecurity of many products, including the lack of adequate security updates for those products and for software.

The second is the difficulty consumers and businesses face in identifying which products are cybersecure and in configuring them so that they are used securely.

The CRA will ensure harmonized rules for bringing products or software with digital components to market; establish a cybersecurity framework that covers the planning, design, development, and maintenance of these products; and impose a duty of care for the entire product life cycle.

Scope of Application

The regulation will apply to all products that can be connected directly or indirectly to another device or network, from smart doorbells and speakers to baby monitors, with the objective of closing existing gaps, clarifying how the rules relate to existing legislation, and streamlining the current cybersecurity legislative framework. This is intended to ensure that products with digital elements, such as Internet of Things (IoT) devices, are secure throughout the supply chain and their entire life cycle.

The CRA requirements will cover the design, development, production, and placing on the market of both hardware and software products. Because it is a directly applicable regulation rather than a directive, it also prevents divergent national rules from emerging across EU member states.

Requirements

Products will carry the "CE" marking to signify compliance with the regulation's requirements. This marking is already widely used on products sold in the European Economic Area (EEA) to indicate that they meet EU health, safety, and environmental protection requirements. To affix it under the CRA, a manufacturer must show that the product meets the regulation's essential cybersecurity requirements, which include being placed on the market without known exploitable vulnerabilities, shipping with a secure default configuration, and receiving security updates for the product's support period, and that the manufacturer operates a vulnerability handling process, including a software bill of materials and a coordinated vulnerability disclosure policy. Most products may be self-assessed by the manufacturer; products in the regulation's "important" and "critical" categories are subject to stricter conformity assessment procedures. Manufacturers must also notify actively exploited vulnerabilities and severe incidents affecting the security of their products, with an early warning due within 24 hours of becoming aware.

Certain products, such as medical devices, aeronautical products, and motor vehicles, are excluded from the CRA because they are already covered by sector-specific EU legislation with equivalent cybersecurity requirements.

In the UK, similar legislation, the Product Security and Telecommunications Infrastructure (PSTI) Act 2022, has had its product security regime in effect since April 2024.

Next Steps for the Cyber Resilience Act

Now that the legislation has been adopted by the Council, the presidents of the Council and the European Parliament will sign it, after which the CRA will be published in the Official Journal of the European Union. It will enter into force 20 days after publication, and most of its obligations will apply 36 months after that date.

The Importance of the CRA for Providers

Compliance with the CRA for providers is crucial for several reasons.

Legal Compliance
Failure to adhere to the CRA's requirements can result in legal consequences, including administrative fines and restrictions on market access: non-compliance with the essential cybersecurity requirements or with manufacturers' core obligations can be fined up to €15 million or 2.5% of worldwide annual turnover, whichever is higher, and non-compliant products can be withdrawn from or kept off the market. By complying, providers ensure that they can continue placing their products on the EU market without legal barriers.

Consumer Trust
The CE marking, which indicates compliance with the regulation, enhances consumer trust. Consumers are more likely to purchase products that meet the regulation's baseline cybersecurity requirements, knowing that the product was designed with security in mind and will receive security updates during its support period. This can give providers a competitive edge in the market.

Cybersecurity Assurance
As cybersecurity threats increase, ensuring that products are secure throughout their entire life cycle is vital. The CRA gives providers a single set of requirements against which to establish a consistent level of security across their product range. This reduces the risk that vulnerabilities will be exploited, with the reputational damage and costly breaches that follow.

Market Consistency
By adhering to a unified set of cybersecurity requirements, providers avoid the complexity and costs of complying with different regulations across EU member states. This streamlining helps providers operate more efficiently across multiple markets.

Future-Proofing
The CRA sets a high baseline for the security of digital products, including IoT devices, by requiring security by design, ongoing vulnerability handling, and security updates throughout a product's support period. Providers that build these practices into their development and maintenance processes now will be better placed to absorb future tightening of security requirements and to respond to emerging threats.

At Goodwin, we are dedicated to helping companies navigate the complexities of new EU regulations, including the Cyber Resilience Act (CRA). Our team of legal experts specializes in EU law and works closely with regulators across member states to ensure that businesses are fully compliant with the evolving regulatory landscape.

The CRA introduces new cybersecurity requirements for manufacturers, importers, and distributors of products or software with a digital component, ensuring enhanced security throughout the product life cycle. This includes harmonized rules for bringing products to market and ensuring cybersecurity compliance at every stage, from development to maintenance.

Understanding the challenges posed by these regulations, Goodwin provides tailored support to help businesses anticipate and meet their obligations under the CRA. We are here to guide you through every step, ensuring your company is prepared for the regulation’s entry into force and compliant with its stringent requirements.

With our expertise, we ensure that your operations align with EU standards, safeguarding both consumers and businesses. Let us help you navigate this complex framework and turn regulatory challenges into opportunities for growth and innovation.

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.