The EU Cyber Resilience Act (CRA) is a major piece of cyber legislation passed in 2024 in the European Union (EU) that regulates cybersecurity for digital products and services. The EU Cyber Resilience Act directly complements the NIS2 Directive, which regulates risk management and incident reporting across the European market.
The CRA marks another step forward for building up the cybersecurity posture across the EU, ensuring that both individuals and organizations are better protected against a wide range of cyber threats.
What is the EU Cyber Resilience Act?
The EU Cyber Resilience Act is a piece of EU legislation first proposed by the European Commission in 2022 and passed by the European Parliament in March 2024. The act sets clear essential cybersecurity requirements for all products with digital elements (PDEs), their components, and other digital services offered in the EU market. The CRA is expected to work in conjunction with other cybersecurity certification schemes.
Products are classified into two risk categories based on their level of assumed risk; higher-risk products must pass stricter conformity assessments to show that they meet the minimum standards set by the act.
As a key piece of legislation in the EU’s broader strategy to improve cybersecurity across the continent, the Cyber Resilience Act’s main purpose is to provide a security framework for digital products and all related components and to drive toward a more comprehensive supply chain risk management (SCRM) strategy.
The European Commission designates four key goals for the act:
- To ensure manufacturers continue improving the security of covered products throughout the entire product lifecycle
- To create a standardized framework for cybersecurity product compliance in the EU
- To increase the transparency of cybersecurity practices and properties of products and their manufacturers
- To provide consumers and businesses with safe and secure products to use
EU Cyber Resilience Act overview
At its core, the EU Cyber Resilience Act introduces mandatory cybersecurity requirements for PDEs, including both tangible (connected devices) and non-tangible products (software or applications). It covers a wide range of products in the digital environment, which the European Commission defines as “any hardware or software product, and its remote data processing solutions, including software or hardware components to be placed on the market separately.”
As such, the CRA imposes new legal obligations on digital manufacturers and on other entities that design or develop products for them.
Legal obligations
First, the CRA mandates that products must be designed, developed, and marketed with a competent level of cybersecurity measures in mind. This includes a requirement for manufacturers to continually update and patch their products, without extra costs, throughout their lifecycle, thereby ensuring sustained protection against new and evolving cyber threats.
Second, any security incidents or actively exploited vulnerabilities affecting the products must be reported to ENISA, the overarching cybersecurity regulatory body for Europe, within 24 hours of the manufacturer becoming aware of the vulnerability, as part of the reporting obligations outlined in the CRA. A complete notification of the incident must then follow no later than 72 hours after the manufacturer became aware of it.
Third, manufacturers must provide full technical documentation and user instructions for the use of their product for full transparency. Instructions must be clear and intelligible for users and authorities.
Finally, all manufacturers must conduct a risk assessment for all PDEs they release to ensure risks are mitigated and that the product is designed in accordance with the essential requirements of the CRA. Risks should be assessed at every stage of product development to minimize all potential risk outcomes.
Products that meet all of the CRA’s essential requirements and pass the conformity assessment will receive the CE marking, which must be identified on the product.
Using a risk-based approach, the CRA categorizes PDEs into two classes: 1) Default Category and 2) Critical Category. The Critical Category is divided into two subcategories, Class I and Class II.
Default category
Products listed under the Default category do not have critical cybersecurity vulnerabilities. The European Commission notes that 90% of products should fall under Default, which includes IoT (Internet of Things) devices, digital consumer products, and other commonly used software and devices.
Compliance requirements:
- Providers, distributors, and manufacturers with products in this category are allowed to self-assess their vulnerability management and compliance.
- Manufacturers must provide an EU declaration of conformity.
- Manufacturers must provide accompanying technical documentation.
Critical category
Critical products are divided into two subcategories — Class I and Class II. Products are assigned to a subcategory based on various risk factors, with higher-risk products classified as Class II.
Class I
Class I products typically include products or components that would not have a severe impact if they were compromised. Examples might include consumer electronics or software applications with limited access to sensitive data or critical functions.
Annex III of the CRA lists examples of Class I products, which can include:
- Password managers
- SIEM tools
- IAM software
- VPNs
- Anti-malware or antivirus software
- Industrial IoT products
- Network management tools
Compliance requirements:
- Manufacturers are required to assess their products in adherence to a third-party conformity assessment or an equivalent standard.
- Manufacturers are obligated to provide clear technical documentation, including information on the security features of the product, offer guidance for secure use, and detail the period during which security updates will be provided.
Class II
Class II products pose a higher cybersecurity risk than Class I and include digital products and services that could have significant adverse effects on individuals, organizations, or society if compromised. High-risk products might cover critical infrastructure components, medical devices, or other products that handle sensitive personal information or financial data.
Products in Class II include:
- Microprocessors
- IDS/IPS
- Cryptoprocessors
- Operating systems
- Industrial routers and modems
- Industrial software
- Firewalls, antivirus, and anti-malware software for industrial use
Compliance requirements:
- Class II products are subject to stricter requirements and must therefore complete a third-party conformity assessment directly; they cannot rely on an equivalent standard.
- Manufacturers of Class II products must meet all the obligations of Class I, with additional requirements for transparency and disclosure. This includes detailed reporting on how the product meets the specific cybersecurity requirements, providing evidence of the independent assessment, and more rigorous management of vulnerabilities and updates.
Who does the EU Cyber Resilience Act impact?
The reach of the Cyber Resilience Act is broad, impacting a wide array of stakeholders within the digital ecosystem. This includes manufacturers of digital products, developers of digital services, and suppliers of critical digital components. Additionally, the act has implications for end-users, including both individuals and organizations, by ensuring that the digital products and services they use are held to stringent cybersecurity standards.
Businesses operating within the EU, as well as those outside the Union that supply digital products or services to EU markets, must adhere to the new regulations. The act thereby has a global impact, affecting not just EU-based entities but international companies engaged in the EU digital market.
Meeting compliance standards of the EU Cyber Resilience Act
Compliance with the Cyber Resilience Act requires a proactive approach from affected entities. Organizations must thoroughly assess their current cybersecurity practices and align them with the act’s requirements. This involves implementing robust cybersecurity measures from the initial design phase of a product or service, conducting regular vulnerability assessments, and ensuring the prompt deployment of necessary patches and updates.
What are the penalties for non-compliance?
Failure to comply with the Cyber Resilience Act can result in significant monetary or legal penalties. Companies that do not meet compliance standards, for example by failing to report cybersecurity incidents or disclose vulnerabilities, lacking the necessary technical documentation, or not updating products adequately to address changing cyber threats, can face administrative fines of up to €15 million or 2.5% of their global turnover, whichever is higher.
Additionally, businesses that provide falsified or inaccurate information to regulating bodies can face a fine of up to €5 million or 1% of global turnover, whichever is higher.
Who enforces the EU Cyber Resilience Act?
Each EU member state is tasked with upholding and enforcing the Cyber Resilience Act and with designating “market surveillance authorities” to oversee its enforcement. These authorities are in charge of overseeing compliance, conducting investigations, and imposing sanctions where necessary. They also have the power to restrict market availability, request corrective actions, or order the manufacturer to withdraw the product from the market altogether.
While ENISA is the overarching cybersecurity regulating body in Europe, it does not directly enforce the CRA. However, ENISA plays a critical role in providing guidance to each member state, facilitating coordination between member states, assisting in the research and implementation of new cybersecurity standards, and updating cyber policies as necessary in response to the changing threat landscape.
How does the Cyber Resilience Act affect other EU Cyber Regulations?
The EU Cyber Resilience Act is part of a broader cyber strategy to strengthen the EU’s overall cybersecurity infrastructure and security posture. It works in tandem with other major cyber regulations, such as the NIS2 Directive and the EU General Data Protection Regulation (GDPR).
NIS2 Directive
The NIS2 Directive is mainly focused on improving the cybersecurity of critical sectors and essential services. There is a heavier emphasis on risk management, incident reporting, and establishing minimum security requirements for large sectors, such as finance, healthcare, energy, and more.
While the NIS2 Directive targets specific sectors and critical infrastructure, the Cyber Resilience Act covers a broader spectrum of digital products and services. The CRA is not limited by sectors or industry; it covers all digital manufacturers, providers, and distributors that operate within the EU market.
EU GDPR
While the EU General Data Protection Regulation (GDPR) is largely focused on protecting the rights and privacy of EU citizens and the CRA is more focused on the manufacturers, the CRA enforces many of the cybersecurity aspects that lead to data protection for individuals. Businesses that comply with the CRA can not only ensure transparency and safety for their product’s usage but also that their services are compliant with privacy regulations and secure against cyber threats.
The problem with open-source software (OSS)
When the EU Cyber Resilience Act was first proposed, it drew much contention from OSS developers because the Act mandates continual updates against cyber threats for software to be eligible for placement on the EU market. This creates compliance concerns because OSS developers offer freely distributed software to the public, and, given the nature of the OSS model, they may not have the ability or resources to constantly provide security patches or software updates.
Many developers also raised issues with the vulnerability disclosure obligations set by the CRA. Because vulnerabilities must be reported within 24 hours, even if no fix is available, this may create distrust among developers and complicate coordinated efforts to develop a patch. In addition, reporting vulnerabilities before a fix exists may lead to zero-day exploits, as threat actors could gain information about the flaw before a security patch is released.
In response, the Act exempts not-for-profit open-source software from meeting the requirements, so that contributors who do not engage in commercial activity may continue to distribute their products on the open market. However, because OSS developers often operate with limited budgets and resources, the Act may disincentivize them from releasing open-source software as a not-for-profit.