Wider Context to the CRA
The CRA is a central part of the EU Cybersecurity Strategy, launched at the end of 2020. The strategy focuses on enhancing the cybersecurity resilience of critical services, like hospitals, energy grids, railways and other essential infrastructure. It also aims to improve the security of the rapidly growing number of connected devices used by consumers, businesses and utilities.
The objective of the CRA is to ensure a high level of cybersecurity in products throughout their entire life cycle, through the implementation of prescriptive cybersecurity requirements (which must be observed during the design, development and production stages of the product), vulnerability reporting, information sharing requirements, and a robust system of market surveillance and enforcement.
The CRA complements several other key pieces of EU legislation, such as: (i) the General Data Protection Regulation (GDPR); (ii) the NIS 2 Directive (which strengthens cybersecurity requirements for critical sectors and supply chains); (iii) the Cybersecurity Act (which establishes EU-wide frameworks for cybersecurity certification of products and services); and (iv) the Digital Operational Resilience Act (DORA) (which focuses on ensuring financial entities can withstand cyber threats).
On a global level, the CRA reflects a broader push towards cyber resilience, driven by the increasing risk posed by cyber incidents, such as ransomware attacks, supply chain vulnerabilities and state-sponsored cyber activities. Similar efforts are underway in the United States, with initiatives like the National Cybersecurity Strategy and Cyber Trust Mark program, and in the UK, through measures such as the Product Security and Telecommunications Infrastructure (PSTI) Act and updates to the Network and Information Systems (NIS) framework, which is the subject of a recent UK Government policy statement. (See our earlier alert on these developments here.)
By addressing both consumer-facing and industrial cybersecurity challenges, the CRA aims to position the EU as a leader in tackling global cybersecurity risks and establish a safer digital environment.
Key Obligations for Economic Operators
There are three key economic operators that will have obligations under the CRA, namely the manufacturers, importers and distributors of products with digital elements made available in the EU.
- Manufacturers: This category includes entities that develop or manufacture products themselves or arrange for them to be designed, developed or manufactured by a third party for marketing under their name or brand—whether for payment or free of charge. Importantly, a manufacturer is therefore not limited to the entity that physically manufactures the product; it also includes entities that outsource manufacturing but ultimately market the product under their own name. Manufacturers bear the primary responsibility for compliance and are subject to the majority of the requirements under the CRA.
- Importers: This includes EU-based entities who bring in products from outside the EU.
- Distributors: This includes entities that sell or supply products in the EU without altering their function, configuration or cybersecurity properties (e.g., retailers).
Importers or distributors who market products in the EU under their own name or make substantial modifications are treated as manufacturers under the CRA and must comply with all related obligations.
“Products with Digital Elements”
The CRA applies to “products with digital elements” (referred to as “products” in this alert), which encompasses a broad range of hardware, software and associated remote data processing solutions. This includes any product that connects to an external device or network, whether directly or indirectly, through physical or logical connections. Examples include:
- Hardware. Devices connected to the internet or other networks, commonly referred to as the Internet of Things (IoT), such as:
  - Connected household items: smart thermostats, smart refrigerators, cameras, smart doorbells, voice speakers;
  - Wearables: fitness trackers, smartwatches, exercise equipment; and
  - Industrial IoT devices: sensors in manufacturing environments, connected machinery.
- Software. Standalone software products that may be installed on hardware or function as applications, such as:
  - Consumer applications: messaging apps, productivity tools, video editing software, software that controls connected devices like smart appliances;
  - Operating systems; and
  - Business software.
Software offered via a software-as-a-service (SaaS) distribution model is not covered by the CRA, provided it does not qualify as a “remote data processing solution.” (See below.) However, SaaS may be subject to NIS 2 in some circumstances.
- Remote data processing solutions. This refers to data processing carried out remotely (i.e., not on the product itself), where such processing is essential for the product’s proper functioning. This is limited to processing carried out by software developed by or on behalf of the manufacturer of the product. The idea is to ensure end-to-end product security, whether the data is stored locally on the device or remotely by the manufacturer.
The remote processing or storage solution is covered only if it is necessary for the product’s functionality. For example, a smart home device that relies on cloud-based features for remote user control would fall under the scope of the CRA, along with the software systems supporting that functionality. Websites that do not support the functionality of a product, or cloud services which are not designed and developed by or on behalf of the manufacturer, are not in scope (although they may be subject to similar requirements under NIS 2).
“Important” and “Critical” Products
The CRA also categorizes certain products as “Important” and “Critical” based on their cybersecurity risks.
- Important products: These are products which: (i) perform critical cybersecurity functions, like managing access, detecting intrusions, or protecting networks and devices; or (ii) could cause serious widespread harm or disruption to users, systems or services if misused or compromised. The relevant product categories are listed in Annex III to the CRA and are divided into two classes to reflect varying levels of risk.
  - Class I: This includes, for example, web browsers, password managers, VPN tools, connected toys and smart home devices, like locks, security cameras, baby monitors and alarm systems.
  - Class II: Products in this sub-category are deemed to pose a higher risk compared to Class I products due to their role in managing critical cybersecurity functions, or their potential to cause significant disruption if compromised. Examples include firewalls, intrusion detection systems and tamper-resistant microprocessors/microcontrollers.
- Critical products: These are products which the European Commission designates as falling within the product categories set out in Annex IV to the CRA—including hardware with security boxes, smart meter gateways within smart metering systems, other devices for advanced security purposes, including for secure cryptoprocessing, and smartcards or similar devices that include secure elements.
On March 13, 2025, the European Commission published a draft implementing regulation containing technical descriptions of the Important and Critical product categories contained in Annexes III and IV to the CRA. The implementing regulation is open for public consultation until April 18, 2025.
While the content of the implementing regulation may not be unexpected, manufacturers, importers and distributors of products that could fall within these categories should carefully review the proposed technical descriptions to assess their relevance. Stakeholders are encouraged to submit feedback during the consultation period, particularly on issues such as the scope, wording or level of detail provided in the implementing regulation.
Important and Critical Products: Impact on Manufacturers
Manufacturers are required to assess whether their products meet the “Essential Cybersecurity Requirements” outlined in Annex I of the CRA. (See further below.) If the product is compliant, the manufacturer must issue an EU Declaration of Conformity and apply the CE marking before the product can be placed on the EU market.
For products that are not classified as Important or Critical, this assessment can be done internally by the manufacturer (self-assessment).
For Important Class I products, self-assessment is allowed only if the product complies with a “harmonized standard.” (See below.)
However, if no harmonized standards are available—or the product does not meet them—or if the product is classified as Important Class II or Critical, then a third-party conformity assessment is mandatory.
Out of Scope Products
Some products are explicitly excluded from the scope of the CRA. These include, for example: (i) medical devices; (ii) products used in vehicles, including cars, aircraft and maritime equipment; and (iii) products developed or modified exclusively for purposes of national security or defense. These exclusions reflect existing sector-specific regulations or the specialized nature of certain industries.
Manufacturer Obligations
Most of the obligations introduced by the CRA apply to manufacturers. In particular, manufacturers are required to:
- Ensure products comply with the “Essential Cybersecurity Requirements” listed in Annex I to the CRA. The requirements are split into two parts:
  - Part I — Product Cybersecurity Requirements. This includes a general obligation to ensure products are designed, developed and produced in a way that ensures a level of cybersecurity appropriate to the relevant risks. This also includes specific obligations which must be implemented based on a risk assessment. For example, products must have no known vulnerabilities, should implement encryption and secure configurations, and include measures to withstand cyber incidents, such as denial-of-service attacks. Products should also include user-friendly security features, such as enabling secure data removal, and be regularly updated to ensure robust protection throughout their life cycle.
  - Part II — Vulnerability Handling Process Requirements. This requires manufacturers to regularly test for and effectively remediate vulnerabilities within their products, for instance, by pushing security updates.
- Conduct and document cybersecurity risk assessments. As mentioned above, manufacturers must undertake assessments of the security risks associated with their products and consider the results of those assessments during the planning, design, production and maintenance phases. These assessments must be updated as appropriate and focus on minimizing risks, preventing incidents and reducing their impact, particularly on user health and safety.
- Exercise due diligence on third-party components (including open-source software) to ensure that these do not compromise the product’s cybersecurity.
- Maintain vulnerability-handling policies. Policies should be in place to ensure vulnerabilities are identified, documented and handled effectively, including addressing and remediating them without delay through measures such as providing security updates.
- Set and adhere to a support period. The length of the support period must reflect how long the product is expected to be used, considering factors like user expectations, the product’s purpose and applicable EU laws. The support period must be at least five years, unless the product is expected to be used for less time. Security updates must remain available for a minimum of 10 years or, if longer, the duration of the support period. The end date of the support period must be specified at the time of purchase.
- Maintain technical documentation. Documentation must include the risk assessment mentioned above, as well as further information specified in Annex VII. Manufacturers will be required to make technical documentation available to authorities for at least 10 years or the duration of the support period, whichever is longer.
- Undertake a conformity assessment. This will either be a self-assessment or third-party conformity assessment, depending on whether the product is designated as either Important or Critical. (See above.) Where the product complies with the CRA, the manufacturer must draw up a Declaration of Conformity and affix a CE mark.
To undertake a conformity assessment, manufacturers will be able to rely on technical requirements outlined in “harmonized standards.” These are European technical standards developed by recognized European Standards Organizations (ESOs), which manufacturers can use to demonstrate a product complies with EU legislation, like the CRA.
At present, no harmonized standards specifically addressing the CRA Essential Cybersecurity Requirements are in place. However, on February 3, 2025, the European Commission formally requested the three ESOs (CEN, Cenelec and ETSI) to develop 41 harmonized standards under the CRA. This initiative includes: (i) 15 horizontal standards, each aligned with one of the Essential Cybersecurity Requirements listed in Annex I of the CRA and applicable across all relevant products; and (ii) 26 vertical standards, tailored to specific product categories classified as Important or Critical.
The European Union Agency for Cybersecurity (ENISA) published a paper on Cyber Resilience Act Requirements Standards Mapping, reviewing existing harmonized standards from European and international bodies against the CRA’s Essential Cybersecurity Requirements. The analysis found that while each requirement is at least partially covered by existing standards, no single standard addresses them all. ENISA concluded that a solid foundation exists to support the CRA, but further harmonization and targeted work are needed to close remaining gaps and ensure consistent coverage.
- Label products for identification. Products must be labeled with a type, batch or serial number (or equivalent identifier), and each product must display the manufacturer’s name, trademark and contact details (either on the product, packaging or accompanying documentation).
- Provide user instructions. These instructions must cover secure installation, operation and use of the product, and must also include the product’s purpose, security features and known risks, along with guidance on updates and contact details. The instructions must be provided in either paper or electronic form, in local languages and remain accessible for at least 10 years or the duration of the support period.
- Designate a single point of contact. The contact designated for user communication, particularly for reporting vulnerabilities, must be accessible via multiple communication methods and easily identifiable by the users.
- Report exploited vulnerabilities and security incidents. Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA and the relevant national Computer Security Incident Response Team (CSIRT) via a single reporting platform to be established by ENISA. An early warning notification will be required within 24 hours, followed by a more detailed notification within 72 hours. A final report must be submitted within 14 days for actively exploited vulnerabilities, and within one month for severe incidents.
Importers and distributors under the CRA must ensure that products are compliant before they are placed on the market, including verifying CE marking, conformity assessments and technical documentation. They must also halt sales and notify authorities upon the discovery of vulnerabilities in a product. Both importers and distributors are responsible for traceability, addressing non-conformities and cooperating with market surveillance authorities.
Entities Responsible for Enforcement
Enforcement under the CRA will operate at both the EU and Member State levels.
- Member State level: Each Member State must designate a market surveillance authority to ensure compliance with the CRA. These authorities will be responsible for monitoring products, investigating non-compliance and taking corrective measures, such as product recalls or withdrawal from the market.
- EU level: The European Commission will oversee the coordination of enforcement activities across the EU and can take action in exceptional circumstances to preserve the internal market. For example, if a product poses significant cybersecurity risks and Member States fail to act effectively, the Commission can adopt EU-wide corrective measures.
- Collaboration with ENISA: ENISA will play a supporting role by managing the single reporting platform for vulnerabilities and incidents and providing technical advice to market surveillance authorities.
Non-Compliance Penalties
Non-compliance with the CRA can result in significant penalties, which are designed to be effective, proportionate and dissuasive.
- Fines for failing to meet key requirements: Non-compliance with Essential Cybersecurity Requirements and other key CRA obligations can result in administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher.
- Fines for other violations: Breaches of obligations related to documentation, CE marking or reporting can incur fines of up to €10 million or 2% of worldwide turnover.
- Misleading information: Providing incorrect, incomplete or misleading information to notified bodies or authorities may result in fines of up to €5 million or 1% of worldwide turnover.
- Enforcement flexibility: Member States may decide how penalties apply to public bodies or microenterprises, and fines may be accompanied by corrective or restrictive measures, such as product recalls.
CRA Obligations Deadline
The obligations under the CRA will apply in a phased manner to allow stakeholders time to prepare.
- General application: The CRA will apply from December 11, 2027, giving manufacturers, importers and distributors a transition period to ensure compliance with its requirements.
- Specific provisions:
  - Reporting obligations: Requirements for notifying vulnerabilities and severe incidents will apply earlier, from September 11, 2026.
  - Conformity assessment bodies: Rules on notifying and appointing conformity assessment bodies applicable to Member States will apply from June 11, 2026.
- Transitional provisions:
  - Products that have been placed on the market before December 11, 2027, will generally be exempt from the CRA, unless they undergo substantial modifications after that date. The term “placed on the market” has a specific meaning under EU product law—notably, this test applies to each individual product, not to a type of product. This means that products designed or manufactured before the CRA takes effect (and which do not comply with the CRA) cannot be sold in the EU from December 11, 2027, unless each unit was already placed on the market by that date.
  - Existing EU type-examination certificates issued under other regulations will remain valid until June 11, 2028, unless otherwise specified.
Preparation for the CRA: The Importance of Proactivity
To prepare for the CRA, businesses should take proactive steps to ensure compliance well ahead of the enforcement deadlines.
- Determine applicability: Identify if your products fall under the CRA and assess whether they are classified as Important (Class I or II) or Critical products, or unclassified. This classification will determine the type of conformity assessment required.
- Understand conformity assessment requirements: Review the applicable conformity assessment procedures, including whether third-party certification is required. Monitor the introduction of applicable harmonized standards.
- Assess cybersecurity obligations: Map the Essential Cybersecurity Requirements that apply to your products, such as vulnerability management, secure configurations and resilience against cyber incidents.
- Conduct a gap analysis: Evaluate existing cybersecurity policies, product design and incident response measures against the CRA’s requirements. Identify areas where updates or additional measures are needed.
- Prepare technical documentation: Ensure your technical documentation is comprehensive, covering cybersecurity risk assessments and other required details to demonstrate compliance.
- Align with other EU regulations: Consider how CRA obligations intersect with other frameworks like the GDPR, the NIS 2 Directive and the EU AI Act. Harmonize compliance efforts to manage overlapping requirements effectively.
- Engage supply chain partners: Ensure that third-party suppliers and components meet CRA requirements. Update contracts and processes to address supply chain security and traceability.
- Train staff: Educate teams across engineering, compliance and legal functions on CRA obligations, particularly those related to vulnerability reporting and product development.
- Monitor deadlines: Track the phased implementation of the CRA and stay updated on guidance and delegated acts issued by the European Commission to refine your compliance strategy.
Taking these steps early will help businesses mitigate risks, ensure product compliance and build trust with consumers and regulators under the CRA.