The CRA is a complex piece of legislation.
For manufacturers, software developers and device importers, distributors and resellers, understanding the purpose of this legislation is the first step on the path towards compliance.
In this page, we summarize the goals and main tenets of the Act to provide clarity to its stakeholders.
Benefits for both businesses and consumers
The regulation will ensure a harmonized approach to IoT device security within the EU, making it easier for manufacturers to comply with the requirements and avoid overlapping regulations.
The risk of cyber-attacks will be significantly lower, protecting businesses and consumers from potential data breaches, financial losses, and reputational damage.
Implementing cybersecurity features makes it possible to avoid the significant costs of handling data breaches, which can run into millions of dollars.
With the increased security provided by the CRA, customers' trust will grow, leading to increased demand for products with digital elements.
This increase in demand can translate to more customers and increased profits for manufacturers and importers/distributors/resellers.
The regulation will improve transparency by making it easier to access clear information on the device, leading to better-informed purchasing decisions and customer satisfaction.
Fundamental rights such as data and privacy protection will be better protected by ensuring that data collected by IoT devices are secure and protected from potential breaches.
The Cyber Resilience Act applies to economic operators such as manufacturers, software developers, distributors, importers and other economic actors (such as resellers) who supply digital products to the European market.
There are some important exceptions:
The Cyber Resilience Act imposes specific requirements and obligations on manufacturers, importers, distributors and third parties supplying digital products to the European market.
First is the obligation to take into account cybersecurity features during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.
In particular, manufacturers must ensure that products meet the security requirements specified in the CRA, including provisions related to security by design and by default, risk management, incident management, and the protection of personal data (this is closely related to the GDPR).
Products must be updateable and patchable to address vulnerabilities that may appear. Information about products’ cybersecurity features must also be provided in a clear and comprehensive way to users.
If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the CSIRTs – this may change in the future as several within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.
Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as a fine of 15 million euros or 2.5% of annual turnover, whichever is higher.