Cyber Resilience Act (CRA)

kommunikation@skwschwarz.de

What is it about?

The Cyber Resilience Act (CRA) establishes, for the first time, a harmonised European framework for the cybersecurity of products with digital elements. The objective of the Regulation is to improve the security of software, hardware, and connected products throughout their entire lifecycle and to ensure a consistent level of cybersecurity across the European internal market.

To achieve this, the CRA requires companies to take cybersecurity requirements into account during the design, development, and placing on the market of their products, and to establish processes for managing vulnerabilities and cybersecurity incidents. Compliance with these requirements will be monitored through market surveillance activities, and non-compliance may result in significant penalties.

The CRA entered into force on 10 December 2024. Its provisions will apply in stages from 11 June 2026 and will become fully applicable from 11 December 2027.

Is My Business Affected?

The CRA applies to companies that place products with digital elements on the European market. This includes, in particular, software products, hardware containing digital components, and certain remote data processing solutions (digital services) without which the product cannot perform its functions.

The Regulation applies not only to manufacturers, but also to importers and distributors. Each of these parties is subject to specific responsibilities and compliance obligations throughout the supply chain. In principle, there are no size-based exemptions, meaning that large companies as well as small and medium-sized enterprises (SMEs) may be subject to the CRA’s requirements.

Certain product categories are excluded from the scope of the CRA where sector-specific legislation already applies. These include, in particular, medical devices and vehicle safety systems.

In short, the CRA is relevant if your business develops, manufactures, imports, or distributes products with digital elements.

What Does My Business Need to Do?

The specific obligations depend on a company’s role within the supply chain and on the type of product concerned. However, the key requirements include:

  • Taking cybersecurity requirements into account throughout the entire product lifecycle – from design and development to placing the product on the market and ongoing maintenance
  • Carrying out conformity assessments and preparing the required technical documentation
  • Establishing a structured vulnerability management process, including the provision of security updates
  • Complying with information and reporting obligations towards users and competent authorities
  • Demonstrating CRA compliance through the required documentation and marking procedures
  • For importers and distributors: verifying, before a product is made available on the market, that the manufacturer has complied with the applicable legal requirements, and not placing the product on the market where this is not the case

In summary, companies should assess at an early stage which products and processes fall within the scope of the CRA, what role they perform within the supply chain, and which organisational, technical, and contractual measures are required to comply with the new requirements.

Implement CRA Compliance in a Structured Manner

The Cyber Resilience Act places significant new obligations on manufacturers, importers, and distributors of products with digital elements. Companies must assess at an early stage whether their products fall within the scope of the CRA, implement regulatory requirements throughout the supply chain, and ensure that technical and organisational measures are implemented in a legally compliant manner.

Our modular advisory services help you implement the requirements of the Cyber Resilience Act efficiently, practically, and in a legally compliant manner.

Our Modules at a Glance

  • CRA In-Scope Assessment: Assessment of whether your products fall within the scope of the Cyber Resilience Act, identification of your regulatory role, and determination of the specific requirements applicable to your product portfolio.
  • Contractual and Supply Chain Compliance: Legally compliant implementation of CRA requirements in supplier, customer, and maintenance agreements, as well as support for compliance throughout the entire supply and value chain.
  • CRA Project Advisory: Ongoing legal support in implementing security-by-design, vulnerability management, and documentation requirements, as well as assistance with regulatory reviews and inquiries from competent authorities.

Are you ready to take on the challenges of the Cyber Resilience Act (CRA)?

Set up a consultation with our experts today.