The EU Cyber Resilience Act targets digital components made available in the EU market throughout the entire supply chain of a product
In an era when cyberattacks on hardware and software products are becoming increasingly common, the European Union (EU) has taken a bold step forward. This July, the EU voted in favour of the new EU Cyber Resilience Act (CRA), which was officially adopted by the EU Council on 10 October 2024.
The CRA is set to transform the security landscape for digital products sold in the EU. It covers a wide range of internet-connected devices, from everyday items like digital refrigerators and baby monitors to the software embedded within these products. This means that both tangible products and non-tangible digital products, such as software products embedded into connected devices, will now be subject to stringent security regulation, marking the CRA as the world's first specific legislation relating to the regulation of the ‘Internet of Things’ (IoT).
This move is intended to create a safer digital environment for consumers, ensuring that our increasingly connected world is better protected against cyber threats.
The changes ahead
The Act splits digital products into three categories based on risk factors:
1. Unclassified or Default
The Default category applies to products without critical cybersecurity vulnerabilities. According to the Commission, this category will cover 90% of connected devices, including (but not limited to): photo-editing software, video games, and other commonplace software and devices such as smart toys, TVs and fridges.
2. Class I
Products which have a lower cybersecurity risk level than Class II products but a higher level of risk than the unclassified or default category.
3. Class II
Class II covers higher-risk products with digital elements that carry critical cybersecurity vulnerabilities. Under the certification scheme, Class II products must meet the highest level of assurance.
Risk factors for these products can include:
- whether it runs with privilege or privileged access, or performs a function critical to trust;
- whether it is to be used in sensitive environments as described by the NIS2 Directive (including, but not limited to, energy and infrastructure, transportation, banking, and healthcare);
- whether it is to be used to process personal information or other sensitive functions;
- whether its vulnerability can affect a group of people; and
- whether it has already caused adverse effects when disrupted.
How will the CRA affect companies?
Although the CRA is an EU regulation, it has far-reaching effects. The legislation applies to relevant entities that manufacture, or place on the EU market, products with the requisite digital elements.
In the case of UK companies, the CRA can apply to manufacturers and importers, as well as resellers of the regulated hardware and software.
How can companies prepare themselves?
Companies should prepare themselves before the implementation date of November 2025.
Conducting a comprehensive cyber security assessment to identify potential threats and vulnerabilities will be crucial to help prioritise and focus on the most critical areas. Affected organisations will need to consider cybersecurity requirements from the commencement of the product development phase through to when the customer receives the product or service.
It is recommended that companies consider preparing a detailed incident response plan, since organisations caught by the CRA will be required to inform European authorities of cyber security incidents.
Organisations must also be alive to ongoing and overlapping data protection obligations and ensure their teams are up to speed. Companies should strive to be vigilant to help avoid penalties.
Reporting requirements under the CRA
The CRA creates reporting obligations for manufacturers to notify the EU Agency for Cybersecurity (ENISA) within 24 hours after becoming aware of ‘any actively exploited vulnerability contained in the product with digital elements’ or ‘any incident having an impact on the security of the product with digital elements.’
Manufacturers will also need to inform the users of the product of the incident, as well as taking corrective measures to mitigate the consumer impact.
Similarly, importers and distributors of products with digital elements must inform manufacturers of cybersecurity vulnerabilities without delay. If there is a significant cybersecurity risk, importers and distributors must also inform national market surveillance authorities of the non-conformity and corrective measures taken.
The impact of the new penalty system under the CRA
Organisations should keep in mind the new sanctions under the CRA, which include:
- non-compliance with essential requirements and obligations in Articles 10 and 11 potentially subjects offending businesses to administrative fines of up to €15 million or 2.5 percent of their global annual turnover for the previous fiscal year, whichever is greater;
- non-compliance with other obligations within the CRA could lead to administrative fines of up to €10 million or 2 percent of global annual turnover for the previous fiscal year, whichever is higher; and
- misleading market surveillance authorities with incorrect, incomplete, or manipulated information could lead to a fine of €5 million or 1 percent of global annual turnover for the previous fiscal year, whichever is greater.
Comment
We understand the significant challenge of balancing cyber security requirements with practical implementation for manufacturers and suppliers. We recognise that some companies may be concerned about the extra burden and compliance costs the CRA will bring.
However, it is important also to appreciate the benefits of the CRA.
The CRA's emphasis on risk assessment and security by design allows organisations to proactively identify and address potential vulnerabilities. This will ultimately boost digital resilience and help to prevent cyber incidents, and the associated costs and potential reputational damage. There could also be an increase in the trust of users and market adoption.
The Act indicates a growing trend in ensuring that cybersecurity remains firmly on the global agenda. The need for organisations affected to start preparing is pressing.