How can I check whether I am affected?
The CRA basically applies to all products with digital elements on the European market and divides them into risk classes. However, a few product types are exempt from the CRA. Check whether your products are affected now with our free Quick-Check.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is a product-related regulation that aims to make the EU more resilient to cyberattacks and security incidents for the first time across sectors (horizontally).
What are the objectives of the Cyber Resilience Act?
The regulation aims to create uniform cyber security requirements within the EU and to increase the security of products with digital elements.
What deadlines apply?
The CRA came into force on 10.12.2024. The requirements for conformity assessment bodies apply from 11.06.2026. From 11.09.2026, manufacturers must report actively exploited vulnerabilities to the supervisory authorities. The regulation will be fully applicable from 11.12.2027. Important: The CRA also applies to products that were placed on the market before 11.12.2027 if significant changes are made.
How is the Cyber Resilience Act positioned within the EU regulatory framework?
The CRA complements company-specific cybersecurity requirements such as the DORA Regulation, which mandates extensive IT security measures for companies in the financial sector, and the NIS-2 Directive, which pursues a similar goal for critical infrastructures. After a transition period, the CRA will be directly applicable in all EU Member States from the end of 2027.
Are there exceptions for certain products?
Yes, despite or precisely because of the very broad scope of application, a few products are excluded from the CRA. In addition, the scope of the CRA may be limited or completely excluded for digital products covered by other EU legislation if such exclusion is compatible with the general legal framework for these products and the respective sector-specific rules achieve the same level of protection.
Are there exceptions for existing products?
Article 69 (2) CRA explicitly states that the requirements only apply to products that are placed on the market after December 11, 2027. So-called existing products that are placed on the market before this date are not subject to the CRA. It is therefore crucial to define the criteria for placing a product on the market. The CRA contains a legal definition: placing on the market is the first making available of a product on the Union market. The criterion always refers to the individual product and not to the product range or series. However, the CRA applies to products that were placed on the market before December 11, 2027, if significant changes are made.
What does "placing on the market" mean?
Placing on the market is not a new legal term. It has long been used in product safety law and is also used in other legal acts such as the Medical Device Regulation or the AI Act. There is already established ECJ case law on the question of when a product is placed on the market, and this can be applied to the CRA. According to this case law, a product is placed on the market when it has left the manufacturing process set up by the manufacturer and has entered a marketing process in which it is offered to the public in a ready-to-consume or ready-to-use state.
When is software placed on the market?
It is recognized that the provision of software does not require the physical handover of a data carrier; electronic provision, such as enabling a download, also fulfils the definition of making available. If a manufacturer makes software available for download in an app store or on a website, the software has left the manufacturing process and entered the marketing process. The same conclusion is reached if the manufacturer's subjective intention is taken into account, as is sometimes demanded in the literature: a manufacturer that offers software for download deliberately releases it from its own sphere of control. This means that software that was made available for download, in the cloud or in an app store before the cut-off date does not have to meet all the requirements of the CRA.
When does a "substantial change" occur in software?
The CRA applies to products that were placed on the market before December 11, 2027 if significant changes have been made to them. The precise definition of the term raises questions, especially when updating software. The recitals to the CRA provide some clarification: according to them, there is no substantial modification if a mere security update does not change the intended purpose of the product. Even minor changes to functionality are not covered. Examples of minor changes to functionality include the addition of new languages, a visual improvement or new pictograms, which generally do not constitute a significant change. However, if the intended purpose is changed and the risk assessment in relation to cyber security changes as a result, this constitutes a significant change. The terms are not clearly defined, but until they are further specified in legal practice, practical results can be achieved using the examples given and with the help of the change of purpose and risk assessment criteria.
What is the personal scope of the application of the Cyber Resilience Act?
The most extensive obligations apply to manufacturers. These are followed, in a graduated manner, by the obligations of distributors and importers, which mainly consist of control duties.
What are the manufacturer’s obligations?
The manufacturers' obligations include cybersecurity risk analysis, conformity assessment procedures, vulnerability management and product monitoring, including the provision of security updates. All implementation measures taken must be carefully documented. It is also worth mentioning the reporting obligations in the event of actively exploited vulnerabilities.
What are the obligations of importers?
Importers may only place products with digital elements on the market that meet the cybersecurity requirements. Importers have the obligation to check whether the manufacturer has fulfilled their obligations with regard to the imported product. In particular, the importer should ensure before placing the product on the market that the manufacturer has carried out the relevant conformity assessment procedures in accordance with Art. 24 CRA, prepared the technical documents and affixed the European CE marking in the correct form and including the necessary instructions.
What are distributors' obligations?
Distributors have certain control obligations, such as providing the information specified in Annex II CRA or the declaration of conformity. In addition, if a product with digital elements is made available on the market, the distributor is obliged to act with due care in relation to the requirements of the Regulation. Overall, the rules for distributors are based on the requirements for importers, albeit in a somewhat watered-down form.
What consequences do actors along the value chain face in the event of breaches of duty?
The market surveillance authorities have extensive investigative, remedial, and sanctioning powers. In case of violations, consequences may include product warnings and fines of up to 15 million euros or 2.5 percent of the worldwide turnover of the previous year (whichever amount is higher). In civil law, the CRA influences the concept of defects in sales law and the classification of a product as defective under product liability law.
What should companies do now?
In view of the wide range of requirements and the various complex reporting procedures, companies should check whether their products are affected by the CRA and clarify what role they play in the value chain. You can do this quickly and easily with our Quick-Check. A gap analysis should then be carried out to determine which requirements relating to the product have already been met and what still needs to be implemented. It is also advisable to review contracts with suppliers and adapt them to the new requirements.