The Cyber Resilience Act: Content and practical implementation

The Cyber Resilience Act (CRA) significantly tightens the cyber security requirements for numerous products. The aim of the CRA is to create a uniform security standard for products with digital elements on the European market. The regulation is to apply directly in all EU member states from 2027. In this article, we explain what the CRA means for companies and give you tips on how to implement it.

For whom is the CRA relevant?

Manufacturers, importers and distributors of products with digital elements are affected. The term "product with digital elements" is to be understood broadly and includes software or hardware products, including their backend systems. This covers, e.g., networked machines, IoT devices, apps, wearables, software and computer games, hard drives, firewalls, password managers, microprocessors with security-related functions, and many more. Only a few product types are exempt from the CRA.

What do companies need to prepare for?

The CRA obliges manufacturers of products with digital elements to fulfil certain cyber security and vulnerability management requirements:

  • Risk assessment and control: Manufacturers must design and develop products with digital elements in such a way that an appropriate level of cyber security is guaranteed throughout the entire product life cycle. Numerous measures must be taken on the basis of a cybersecurity risk assessment. E.g., the products covered may only be placed on the market with a secure default configuration and without known exploitable vulnerabilities.
  • Vulnerability management and product monitoring: Manufacturers of products with digital elements must also fulfil far-reaching requirements for the handling of vulnerabilities. Based on continuous monitoring of the products, manufacturers must eliminate known vulnerabilities through free security updates.
  • Reporting obligations and documentation: Actively exploited vulnerabilities must be reported to the supervisory authority. The risk assessment and all remedial measures taken must be carefully documented.
  • Cybersecurity in the supply chain: Cybersecurity must also be guaranteed in the supply chain. Compliance with the CRA usually requires comprehensive adjustments to contracts with suppliers and service providers.

Graduated obligations apply to importers and distributors.

What are the penalties for violations?

The market surveillance authorities have far-reaching powers to investigate, remedy and impose sanctions. Violations of the CRA can result in product warnings and fines of up to 15 million euros or 2.5 per cent of annual global turnover.

What should companies do now?

The CRA will apply directly in all EU member states in 2027. However, in view of the diverse and complex requirements and the necessary preparation in product development, companies should immediately check whether their products are affected by the requirements of the CRA and clarify their role (manufacturer, importer or distributor) with regard to the respective products. A gap analysis should then be carried out to check which requirements relating to the product have already been fulfilled and which still need to be implemented. It is also advisable to review the contracts within the supply chain and adapt them to the new requirements.

Further information

  • Our one-pager provides a compact overview of the key information on the Cyber Resilience Act and explains our support services.
  • CRA Quick-Check: With our free Quick-Check you can check easily and without obligation whether your products are affected or not.
