The Cyber Resilience Act (EU) is a complex piece of legislation.
For manufacturers, software developers and device importers, distributors and resellers, understanding the purpose of this legislation is the first step on the path towards compliance.
On this page, we summarize the goals and main tenets of the Act to provide clarity to its stakeholders.
benefits for both businesses and consumers
The Cyber Resilience Act applies to economic operators such as manufacturers, software developers, distributors, importers and other economic actors (such as resellers) who supply digital products to the European market.
There are some important exceptions:
The Cyber Resilience Act imposes specific requirements and obligations on manufacturers, importers, distributors and third parties supplying digital products to the European market.
First is the obligation to take into account cybersecurity features during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.
In particular, manufacturers must ensure that products meet the security requirements specified in the CRA, including provisions related to security by design and by default, risk management, incident management, and the protection of personal data (this is closely related to the GDPR).
Products must be updateable and patchable to address vulnerabilities that may appear. Information about products’ cybersecurity features must also be provided in a clear and comprehensive way to users.
If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the CSIRTs – this may change in the future as several within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.
Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as a fine of 15 million euros or 2.5% of annual turnover, whichever is higher.