All key questions about the Cyber Resilience Act (CRA) clearly answered. Learn what the EU regulation means for your company and how you can prepare.
General
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is an EU regulation that sets minimum requirements for the cybersecurity of products (hardware and software). The goal is to make products more secure and thereby better protect consumers and companies from cyberattacks.
What does the Cyber Resilience Act mean?
The Cyber Resilience Act defines security requirements for products with digital elements. The aim is to ensure that products meet basic cybersecurity standards from development through the end of their lifecycle.
Why does the Cyber Resilience Act exist?
The Cyber Resilience Act was introduced to improve the cybersecurity of products with digital elements within the EU. It aims to address the growing threat of cyberattacks, which are often enabled by inadequately secured products.
Is the Cyber Resilience Act a regulation or a directive?
The CRA is a regulation. This means the CRA applies directly in all EU Member States without those states having to transpose it into national law.
Comparison with other EU frameworks
Cyber Resilience Act vs NIS2
The Cyber Resilience Act (CRA) and the NIS 2 directive have different focuses:
- The CRA focuses on the cybersecurity of products with digital elements and sets requirements for manufacturers, importers and distributors.
- NIS 2, by contrast, targets companies and organisations in critical and essential sectors, such as energy or healthcare, and requires organisational and technical security measures.
While the CRA applies directly as a regulation, NIS 2 must be transposed into national law. The two frameworks complement each other: the CRA strengthens the security of products, while NIS 2 strengthens the security of the organisations that operate them.
Cyber Resilience Act vs DORA (Digital Operational Resilience Act)
The Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) differ in focus and scope:
- The CRA concentrates on the cybersecurity of products with digital elements. It sets requirements for manufacturers, importers and distributors to ensure these products are securely developed, operated and maintained. The goal is to improve security across all industries that use such products.
- DORA, on the other hand, is specifically aimed at the financial sector. It regulates the digital operational resilience of financial institutions such as banks, insurers and payment service providers. DORA aims to minimise risks related to cyberattacks and IT outages and includes clear requirements for IT risk management and incident reporting.
While the CRA is cross-industry, DORA is designed specifically for the financial sector. Both complement each other by addressing different aspects of cybersecurity.
Cyber Resilience Act vs Cybersecurity Act
The Cyber Resilience Act (CRA) and the Cybersecurity Act (CSA) have different emphases:
- The CRA sets cybersecurity requirements for products with digital elements. It obliges manufacturers to follow secure development processes, to remedy vulnerabilities and to provide security updates. The aim is to increase product security across the EU.
- The Cybersecurity Act, by contrast, creates the framework for European cybersecurity certification. It sets general rules and requirements for certification schemes, such as the EUCC scheme based on the Common Criteria, and strengthens the role of the EU Agency ENISA.
While the CRA defines mandatory security requirements for products, the CSA focuses on voluntary certifications to assess the cybersecurity of products, services and processes.
Timeline, entry into force and transition periods
Is the Cyber Resilience Act in force?
The Cyber Resilience Act (CRA) entered into force on 10 December 2024.
The main obligations, such as compliance with cybersecurity requirements and CE marking, will become mandatory from 11 December 2027. Certain provisions, in particular the reporting obligations for vulnerabilities, already apply from 11 September 2026. These staged transition periods are intended to give market participants sufficient time to implement the new requirements.
When did the Cyber Resilience Act come into effect?
The Cyber Resilience Act (CRA) entered into force on 10 December 2024. However, most requirements only become mandatory from 11 December 2027.
When does the Cyber Resilience Act take effect?
The Cyber Resilience Act (CRA) entered into force on 10 December 2024. Most requirements, such as the implementation of cybersecurity measures, only apply from 11 December 2027.
By when must the Cyber Resilience Act be implemented?
The provisions of the Cyber Resilience Act (CRA) must be implemented no later than 11 December 2027, as all requirements become binding from that date. For the vulnerability reporting obligation, an earlier deadline applies: this comes into force on 11 September 2026.
Scope
Which products fall under the Cyber Resilience Act?
The Cyber Resilience Act (CRA) applies to all products with digital elements that are placed on the market within the EU. These include both hardware and software, regardless of whether they are intended for consumers or businesses.
There are exceptions for certain products that already fall under other specific EU regulations, such as medical devices or vehicles, because their cybersecurity requirements are governed separately.
Are there exceptions to the Cyber Resilience Act?
The CRA does not apply to products that are already subject to specific cybersecurity requirements under other EU rules. These include, among others:
- Medical devices (regulated by the Medical Devices Regulation)
- Vehicles (covered by the type-approval regulations)
- Aviation products
- Military products
These exceptions avoid double regulation, since these products must already meet cybersecurity requirements under their own sectoral rules.
Does the Cyber Resilience Act also apply to radio equipment?
The Cyber Resilience Act (CRA) also applies to radio equipment when these products include digital elements. Currently, the requirements of the CRA and the Radio Equipment Directive (RED) apply in parallel, as both contain cybersecurity provisions.
However, it is planned that the CRA will replace the cybersecurity requirements of the RED to create a unified regulation for products with digital elements.
Does the Cyber Resilience Act apply to small and medium-sized enterprises (SMEs)?
The Cyber Resilience Act (CRA) applies to all companies, including small and medium-sized enterprises (SMEs), that manufacture, import or distribute products with digital elements in the EU. There are no general exemptions for SMEs. However, the CRA takes the needs of smaller companies into account and aims to minimise administrative burden for them.
Does the Cyber Resilience Act apply to foreign companies?
Yes, the Cyber Resilience Act (CRA) also applies to foreign companies if they place products with digital elements on the EU market. These companies must meet the same requirements as EU manufacturers to ensure that their products comply with the CRA.
Additionally, importers and distributors within the EU are responsible for ensuring that products from outside the EU are compliant. Foreign manufacturers who distribute products directly may have to appoint an authorised representative in the EU who acts as a contact for compliance with the regulations.
Does the Cyber Resilience Act apply to distributors and online marketplaces?
Yes, the Cyber Resilience Act (CRA) also applies to distributors and online marketplaces if they distribute products with digital elements in the EU. These actors are responsible for ensuring that the products they sell comply with the CRA requirements.
Distributors must in particular check whether products bear the CE marking, are accompanied by an EU declaration of conformity and include the required security information.
Does the Cyber Resilience Act apply to software and software products?
Yes, the Cyber Resilience Act (CRA) also explicitly applies to software and software products if they are provided in the EU. These include, for example, operating systems, application software, middleware and even open-source software when it is commercially distributed.
Does the Cyber Resilience Act apply to open-source software?
The Cyber Resilience Act (CRA) does not apply to pure open-source software that is provided without direct commercial intent. This means that software developed by volunteers and made available free of charge is generally not covered by the CRA.
However, if open-source software is used in a commercial context—for example as part of a product that is sold, or where support services or other paid services are offered—the CRA requirements apply. In this case, the provider of the end product is responsible for fulfilling the cybersecurity requirements.
Further information on the topic is available in our article Der Cyber Resilience Act und seine Auswirkungen auf Open-Source-Software.
Conformity
Which categories does the Cyber Resilience Act distinguish?
The Cyber Resilience Act (CRA) distinguishes products with digital elements only by the conformity assessment procedure that applies to them. The technical and procedural requirements themselves are the same for all products.
The categories are:
- General products
- Important products – Class I
- Important products – Class II
- Critical products
Details on the individual categories and the associated conformity assessment procedures can be found in our article on the Cyber Resilience Act.
How are conformity assessment bodies involved?
Conformity assessment bodies are involved under the Cyber Resilience Act (CRA) for certain categories of products to verify compliance with the cybersecurity requirements. This concerns products for which the manufacturer’s self-assessment is not sufficient.
Their involvement occurs in particular for:
- Important products – Class II
- Critical products
In these cases, a notified body reviews the technical documentation and, if necessary, the product itself before it can be placed on the market. Further details on the conformity assessment procedures are available in our article on the Cyber Resilience Act.
Updates
Do I have to provide updates for my products?
Yes, the Cyber Resilience Act (CRA) obliges manufacturers to provide updates for their products with digital elements in order to close security gaps.
The requirements are:
- Provision period: Manufacturers must provide security updates for a period of at least five years after the product is placed on the market or for the entire expected lifetime of the product if this is shorter.
- Transparency: Customers must be informed about the availability of security updates and their installation.
- Security-critical updates: Security updates must be provided promptly and without undue delay.
Updates are a central element of the CRA and serve to ensure the long-term security and integrity of products.
Can I charge for my updates?
In principle, under the Cyber Resilience Act (CRA) no additional costs may be charged for security updates. Security updates that are provided to remedy identified vulnerabilities must be supplied promptly and free of charge.
However, for a customised product with digital elements, a different agreement can be made between the manufacturer and the commercial user. In this case, costs for security updates can be agreed if this is explicitly regulated contractually.
Implementation
How can I prepare for the Cyber Resilience Act?
To prepare for the Cyber Resilience Act (CRA), manufacturers should take the following steps:
- Analyse the product category: Determine which category your products fall into (general, important, critical) and which conformity assessment procedure applies.
- Adjust processes: Implement a secure product development process that meets the CRA requirements (for example, according to IEC 62443-4-1).
- Meet technical requirements: Implement security features based on a risk assessment to effectively address potential threats.
- Prepare technical documentation: Create the necessary evidence and documentation that must be reviewed as part of the conformity assessment procedure.
If you need support preparing for the CRA, we are happy to assist with our expertise, whether in process implementation, technical implementation or documentation. Contact us for a non-binding initial consultation.
What happens if I do not comply with the Cyber Resilience Act?
Non-compliance with the Cyber Resilience Act (CRA) can have significant consequences, including:
- Ban on sales: Products that do not meet the CRA requirements may not be sold or placed on the market in the EU.
- Recall or market withdrawal: Products already on the market can be recalled or removed from the market by the competent authorities if they do not comply with the regulations.
- Fines: The CRA provides for substantial fines, which may depend on the severity of the violation. The maximum penalty is up to 15 million euros or 2.5% of global annual turnover, whichever amount is higher.
To avoid these risks, it is essential to take early action to meet the CRA requirements. We are happy to support you in implementation and in preparing for the conformity assessment. Contact us for a non-binding initial consultation.