Introduction to the Cyber Resilience Act: how is your business affected?

An overview of the CRA and its implications for businesses within the EU.

In recent years, the European Union has been actively drafting and implementing new rules for the digital world (and this process is far from over). Following the well-known GDPR, the AI Act and several sector-specific laws, the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) is next. With the CRA, the EU codifies cybersecurity requirements for products with digital elements and attaches a concrete set of obligations to them for manufacturers, importers and distributors, with the bulk of the obligations falling on manufacturers.

A product with digital elements

The CRA applies to products with digital elements, but what does this mean in practice? A product with digital elements is any software or hardware product that can be connected, directly or indirectly, to another device or to a network, including its remote data processing solutions (for example the cloud back-end a device needs in order to perform its functions). Software or hardware components that are placed on the market separately, such as a library or a chipset, are likewise products with digital elements in their own right.

In other words, almost every product that has anything to do with the digital world falls within the scope of the CRA. This includes obvious products such as software, laptops and smartphones, but also less conspicuous products such as smart refrigerators or webcams. There are a few exceptions to keep in mind: products already covered by sector-specific EU rules with equivalent cybersecurity requirements (such as medical devices, motor vehicles and civil aviation), pure cloud or online services that are not tied to a specific product (these fall under the NIS2 Directive instead), and free and open-source software that is not supplied in the course of a commercial activity.

Key obligations

The CRA imposes four core obligations on manufacturers of products with digital elements. Failure to comply may lead to substantial administrative fines imposed by the national market surveillance authorities of the Member States: up to EUR 15 million or 2.5 % of total worldwide annual turnover, whichever is higher, for non-compliance with the essential cybersecurity requirements or the core manufacturer obligations, with lower maximums for other infringements.

  • The CRA requires manufacturers to design, develop and produce products in line with the essential cybersecurity requirements. Part I of Annex I to the CRA lists 13 specific product requirements, including a secure-by-default configuration, protection against unauthorised access, confidentiality and integrity of stored and transmitted data, a minimised attack surface and the recording of security-relevant events. Part II of Annex I adds the vulnerability handling requirements that apply once the product is on the market. These requirements will be explained in more detail in a future blog.

  • In addition to designing, developing and producing secure products, manufacturers are also required to identify, document and remedy vulnerabilities through security updates. In practice, this means that manufacturers remain responsible for the cybersecurity of their products throughout the support period, which must reflect the time the product is expected to be in use and must in principle be at least five years. They must keep a software bill of materials (SBOM) covering at least the top-level dependencies, regularly test and review the security of their own products, operate a coordinated vulnerability disclosure policy, and address any weaknesses without delay through security updates that are, by default, free of charge. The manufacturer is also required to report actively exploited vulnerabilities and severe incidents to the CSIRT designated as coordinator and to ENISA, as discussed further below.

  • Manufacturers must also provide users with information about the security risks of their products and how users can manage these risks. Annex II lists what this information must include: the intended purpose of the product, a point of contact for reporting vulnerabilities, how security updates are installed and where they can be obtained, and the end date of the support period, alongside practical advice such as installing updates promptly or carrying out regular virus scans.

  • Finally, manufacturers must demonstrate, before a product is placed on the market, that it complies with the CRA: carry out the applicable conformity assessment procedure, draw up the technical documentation and the EU declaration of conformity, and affix the CE marking. In addition to the CRA requirements, products with digital elements must continue to comply with any other EU product legislation that applies to them, such as the Radio Equipment Directive for wireless devices.

Impact on your business

If your business manufactures products with digital elements, the impact can be significant. Your products may need to be adapted to meet the requirements of the CRA. The legislation forces businesses to treat cybersecurity as a core element of product development rather than, as is often the case, an afterthought.

The CRA also introduces a separate classification for important products with digital elements. These are products that primarily perform functions critical to the cybersecurity of other products, networks or services (such as authentication, intrusion detection or network protection), or products whose function carries a significant risk of adverse effects on the health, security or safety of users or on a large number of other products. Annex III to the CRA lists these products in two classes: Class I includes, among others, password managers, VPN products, browsers, operating systems, routers and smart door locks; Class II includes hypervisors and container runtimes, firewalls and intrusion detection or prevention systems, and tamper-resistant microprocessors and microcontrollers. In addition, Annex IV lists the critical products with digital elements: hardware devices with security boxes, smart meter gateways, and smartcards or similar devices with secure elements.

The modules

The CRA requires every product to go through a conformity assessment procedure, built from the modules described in detail in Annex VIII. For products that are neither important nor critical (the default category), the manufacturer may choose one of the following four routes: an internal control procedure (Module A), an EU type-examination procedure (Module B) followed by conformity to type based on internal production control (Module C), a conformity assessment based on full quality assurance (Module H), or a European cybersecurity certification scheme under the Cybersecurity Act (Regulation (EU) 2019/881). There are therefore several ways to bring a product into compliance with the CRA, and under Module A the manufacturer performs the assessment itself without involving a notified body. The manufacturer must be able to demonstrate that at least one of the above procedures has been applied.

Does your product fall within one of the descriptions in Class I of Annex III? In that case, the choice is more limited. The internal control procedure (Module A) remains available only if the manufacturer fully applies harmonised standards, common specifications or a European cybersecurity certification scheme at assurance level at least "substantial" to the essential cybersecurity requirements. Otherwise, an EU type-examination procedure (Module B) followed by conformity to type based on internal production control (Module C), or a conformity assessment based on full quality assurance (Module H), is required, both of which involve a third-party notified body.

Does your product fall within one of the descriptions in Class II of Annex III? In that case, self-assessment under Module A is never available: compliance must be demonstrated through Modules B and C, through Module H, or through a European cybersecurity certification scheme at assurance level at least "substantial".

For critical products listed in Annex IV, a European cybersecurity certification scheme is mandatory once the Commission has designated one for that product category by delegated act; until such a scheme exists, the same procedures as for Class II products apply.

Reporting obligation

The short-term impact is relatively limited. The CRA was adopted in October 2024, entered into force on 10 December 2024 and phases in over three years. This period should be used by businesses to adapt their products and processes to the new requirements. On 11 September 2026, the CRA reporting obligation (Article 14) enters into application. From that date, a manufacturer that becomes aware of an actively exploited vulnerability in one of its products, or of a severe incident affecting the security of the product, must report it through the single reporting platform to ENISA, the European Union Agency for Cybersecurity, and to the CSIRT designated as coordinator in the Member State where the manufacturer has its main establishment: an early warning within 24 hours, a more detailed notification within 72 hours, and a final report within 14 days for vulnerabilities or one month for incidents. In the Netherlands, the Ministry of Economic Affairs and Climate Policy has established the CSIRT for digital service providers. Note that this reporting obligation also covers products that were already on the market before the CRA applies in full. All other parts of the CRA enter into application on 11 December 2027; products placed on the market before that date need only comply if they are substantially modified afterwards.

For the time being, the impact on your business is therefore relatively limited, but the lead time for product changes is short: a product placed on the market from 11 December 2027 onwards must already meet the Annex I requirements and carry the CE marking. You can start by adapting your development and production processes to the requirements of the CRA, for example by maintaining an SBOM, setting up a coordinated vulnerability disclosure process and documenting the cybersecurity risk assessment for each product. A future blog will explore CRA compliance in more detail through a step-by-step guide. Keep an eye on our blogs so that we can keep you informed.

Do you have questions after reading this blog? Please feel free to contact us.
