|

Add a bookmark to get started

Bookmarks info

Aiming for harmonized cyber resilience requirements in the EU for products with digital elements

The CRA aims to establish a harmonized and robust cybersecurity framework across the EU for products with digital elements. It will have a particular impact on the Internet of Things (IoT), introducing mandatory cybersecurity requirements for manufacturers, importers and distributors to ensure the safety and security of such products throughout their lifecycle.

On 1 December 2023, a political agreement was reached on the new EU regulation on cyber resilience, which was announced by the Commission in its 2020 EU Cybersecurity Strategy. The regulation was formally approved by the European Parliament in March 2024. Once published in the EU's Official Journal, most provisions of the CRA will apply three years after its entry into force.

The CRA aims to safeguard consumers and businesses by ensuring that products and software with digital components are cybersecure. It addresses concerns relating to security vulnerabilities in connected products which are increasingly used in the EU. It introduces mandatory cybersecurity requirements that must be met throughout the product lifecycle.

Who is in scope of CRA

The Cyber Resilience Act will apply to all products – including software and hardware – connected directly or indirectly to another device or network, with some exclusions such as open-source software and products covered by existing regulations, like medical devices, aviation, and cars.

“The CRA will be a real game changer for manufacturers, importers and distributors of the Internet of Things, targeting security vulnerabilities across all stages of the product lifecycle.”

What are the main elements of CRA

Among other requirements, manufacturers of products with digital elements caught by the CRA will be required to:

  • comply with a set of rules for the design, development and production of products with digital elements before placing them on the EU market;
  • document an assessment of the cybersecurity risks associated with such products;
  • perform (or have performed) a conformity assessment for products with digital elements and draw up an EU declaration of conformity and affix a CE marking to the product;
  • exercise due diligence when integrating third party components, including free and open-source software;
  • report actively exploited vulnerabilities to the relevant Computer Security Incident Response Team (“CSIRT”) and to (impacted) users; and
  • put in place compliant vulnerability handling processes, including providing relevant security updates, for the duration of the support period (of, in principle, five years).

Importers and distributors of these products are subject to related obligations regarding those processes.  

Actions to consider

The CRA will have a significant impact on all manufacturers, importers and distributors of digital products within its scope. Although there's a 36-month implementation period, it's important that those entities falling within the scope start preparing for its implementation. Manufacturers should assess current cybersecurity measures against the upcoming requirements to identify potential compliance gaps and start planning compliance strategies early.

From our blogs

Key contacts

Heidi Waem
Heidi Waem
Partner
Jan Pohle
Jan Pohle
Partner
Alessandro Ferrari
Partner

Related Capabilites

TechnologyMedia Sport and EntertainmentIntellectual PropertyData Protection Privacy and CybersecurityCommercial Contracts
Legal noticesPrivacy policyCookie policyFraud AlertSitemap

DLA Piper is a global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA Piper's structure, please refer to the Legal Notices page of this website. All rights reserved. Attorney advertising.

© 2024 DLA Piper