The CRA, explained

The CRA is a complex piece of legislation.

For manufacturers, software developers and device importers, distributors and resellers, understanding the purpose of this legislation is the first step on the path towards compliance.

In this page, we summarize the goals and main tenets of the Act to provide clarity to its stakeholders.

Related Links

Understand the CRA

Read the full text
simple COMPLIANCE checklist

Your path towards compliance

I am a device manufacturer
I am a software company
I am an importer, distributor

The CRA puts resilience at the CORE of IoT

Read the full text
Go the the EU's website

Why does cyber-resilience matter?

benefits for both businesses and consumers

Harmony

The regulation will ensure an harmonized approach to IoT device security within the EU, making it easier for manufacturers to comply with the requirements and avoid overlapping regulations.

Security

The risk of cyber-attacks will significantly lower, protecting businesses and consumers, from potential data breaches, financial losses, and reputational damage.

Economy

The implementation of cybersecurity features enables to avoid the significant costs of handling data breaches, which can run into millions of dollars.

RELIABILITY

With the increased security provided by the CRA, there will be an increase in customer's trust, leading to increased demand for products with digital elements.

PROFITABILITY

This increase in demand can translate to more customers and increased profits for manufacturers and importers/distributors/resellers.

TRANSPARENCY

The regulation will improve transparency by making it easier to access clear information on the device, leading to better-informed purchasing decisions and customer satisfaction.

PRIVACY

A better protection of fundamental rights such as data and privacy protection by ensuring that data collected with IoT devices are secure and protected from potential breaches.

Related Links
Guide for MANUFACTURERS
Guide for Software dev
Guide for third-parties
European flag

To whom does the CRA Apply?

The Cyber Resilience Act applies to economic operators such as manufacturers, software developers, distributors, importers and other economic actors (such as resellers) who supply digital products to the European market.

There are some important exceptions:

  • Free and open-source software does not fall under the purview of the CRA. However, open-source software from which its developers derive some source of income (such as paid technical assistance or commercial use of data generated by software users) are subject to the Act’s requirements.
    ⚠️ The case of free and open-source software is a hot topic, we can expect further CRA drafts to refine the scope of commercial activities undertaken by open-source software that would have them fall under the Act’s purview.

 

  • Other pure SaaS also do not need to comply with the CRA, so long they do not process remote data.

 

  • For all other types of software, in the event that they meet other European regulations (such as the NIS 2 Directive, the AI Regulation, etc.) with similar level of cyber-resilience requirements, they do not need to further comply with the CRA for the cyber-resilience features already covered by these other regulations.
    For instance, high-risk AI systems that are covered by the AI Regulation may not meet the full requirements of the CRA. In that case, the software would need to be certified for both AI Regulation and the CRA, but for the latter, only for features that are not already covered by the AI Regulation.

 

  • In general, IoT products that are covered by other European Regulations (such as with the European Health Data Space Regulation for Electronic Health Records systems) similar level of cyber-resilience requirements do not need to further comply with the CRA providing that all CRA requirements are already fulfilled via these other Regulations.
Related Links
Compliance checklist

Requirements and obligations

The Cyber Resilience Act imposes specific requirements and obligations on manufacturers, importers, distributors and third parties supplying digital products to the European market. 

First is the obligation to take into account cybersecurity features during the design and development phase of their products. This means that cybersecurity considerations must be integrated into the product development process.

In particular, manufacturers must ensure that products meet the security requirements specified in the CRA including provisions related to security by design and default, risk management, incident management, and the protection of personal data (this is closely related to the GDPR). 

Products must be updateable and patchable to address vulnerabilities that may appear. Information about products’ cybersecurity features must also be provided in a clear and comprehensive way to users.

If a manufacturer becomes aware of a cybersecurity risk, they must take immediate action to address it, including notifying users and the CSIRTs – this may change in the future as several within 24 hours. They must also cooperate with national authorities in investigating and resolving cybersecurity incidents related to their products.

Failure to comply with the Cyber Resilience Act can result in penalties and sanctions, such as of fine of 15 millions euros or 2.5% of annual turnover, which ever is higher.

 

Cyber Security News and Events

Check out the latest events on cyber security and the Cyber Resilience Act.

Go to Event Calendar

Sign up to the CRA weekly newsletter

Sign up
X