What is it about?

The CRA contains requirements for the cybersecurity of products with digital elements. The implementation of these requirements will be ensured through market surveillance and significant threats of sanctions. 

Current status and timeline

In September 2022, the EU Commission published the proposal for a corresponding regulation. This is the first step in the EU's procedure for enacting the Cyber Resilience Act. The regulations of the CRA are to become applicable 24 months after its entry into force, but certain information obligations already after 12 months.  

Who is affected?

The requirements for products with digital elements and the processes for dealing with vulnerabilities do not only affect product manufacturers. Importers and distributors are also subject to certain investigation and verification obligations. There are no company size-related exceptions. However, manufacturers of medical devices and vehicle safety systems are exempt from the CRA.

Challenges for companies

The CRA covers a wide range of requirements for "products with digital elements". These are all software and hardware products as well as "remote" data processing solutions without which an intended function of the respective product with digital elements could not be carried out. The requirements include, among others

  • Compliance with cybersecurity requirements throughout the manufacturing process, i.e. in the planning as well as in the design, development, production and distribution phases.
  • Conformity assessments based on harmonised EU standards, documentation by the CE mark.
  • Establish processes for dealing with cybersecurity vulnerabilities, including free provision of security updates. 
  • Information obligations towards users and the European Cyber Security Agency (ENISA).
  • Inspection obligations for importers and distributors with regard to the manufacturer's compliance with the requirements of the CRA.

Our legal services:

SKW Schwarz is ideally positioned to help companies comply with the expected requirements of the CRA. These include:

  • Compliance check: We review your current business practices to ensure that they comply with the new regulations and provide recommendations for action for any adjustments.
  • Advice on reporting requirements: We guide you through the new reporting requirements and help you establish processes for accurate reporting.
  • Contract management: We support you in drafting and reviewing contracts for products with digital elements in line with the new requirements.
  • Avoiding fines: Our team will help you avoid fines by guiding you through the requirements of the new law and helping you implement necessary compliance measures.
  • Crisis management and prevention: We stand by you in the event of cyber incidents as well as legal disputes and develop preventive strategies to minimise risks.
  • Training, seminars and internal guidelines: We provide training and seminars and create internal guidelines to educate companies and their employees on the requirements of the CRA and provide recommendations for implementation.

Our 5 Cyber Resilience Act Experts

Dr. Thomas  Hohendorf

Dr. Thomas Hohendorf


Dr. Daniel  Meßmer

Dr. Daniel Meßmer


Dr. Matthias  Orthwein

Dr. Matthias Orthwein


Martin  Schweinoch

Martin Schweinoch


Benjamin  Spies

Benjamin Spies