Discover the EU Cyber Resilience Act (CRA) and its impact on businesses. Learn compliance requirements for hardware, software, and digital products, including cybersecurity standards and exemptions.
The EU Cyber Resilience Act (CRA) is the first EU law that aims to protect consumers from cyberattacks on connected devices. It sets rules for companies that make or sell hardware containing software, as well as for the software itself, in the European Union.
Until now, companies decided for themselves what cybersecurity measures to take. People assumed that companies would safeguard their products and systems for their own benefit. Regulating this would have amounted to enacting a law mandating you to lock your doors and windows or face fines. Of course, laws such as the GDPR required companies to protect personal data, but left the rest up to them.
Nowadays, a wide range of products, including cars, robot vacuums, fridges, phones, and heating systems, are equipped with software and are connected to the internet. This makes them straightforward targets for hackers. Because of this, regulators have stepped in with the Cyber Resilience Act. This law ensures that products sold in the EU meet strong cybersecurity standards, so they’re safer for consumers.
If your business makes or sells hardware or software, this law matters to you. It means you’ll need to meet these new standards to sell your products in the EU. At Secure Privacy, we work with businesses like yours, and we want to help you understand how this law might affect your business.
The EU Cyber Resilience Act sets minimum cybersecurity standards for products with digital elements, such as Internet of Things (IoT) devices. This includes most types of software as well as hardware that can connect to a network.
If you want the exact legal text, here’s the second recital of the Regulation: “This Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle. It also aims to create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.”
Just as there are minimum safety standards for food and medicine, we now expect, and have standards for, safe hardware and software.
The regulation went into effect on December 10, 2024, but it will gradually phase in its requirements. It will start applying in June 2026 and be fully applicable by December 2027.
The CRA cybersecurity standards fall into two categories: essential standards and vulnerabilities handling standards.
Hardware or software with digital elements must incorporate essential standards into their design. As you might expect, these standards are quite general, leaving it up to you to decide which specific measures to implement to ensure your product’s safety.
Paragraph 1 of Annex 1 says: “Products with digital elements shall be designed, developed, and produced in such a way that they ensure an appropriate level of cybersecurity based on the risks.” This is the spirit of the regulation: do whatever you judge necessary, as long as the product is secure. If you are aware of any vulnerabilities, refrain from putting the product on the market.
In more detail, you must:
When it comes to managing vulnerabilities, the regulation requires you to identify and fix them as quickly as possible. This doesn’t mean waiting for an issue to arise: you are expected to take a proactive approach, conducting regular checks, updates, and maintenance to prevent problems before they occur.
On top of these standards, covered businesses must:
The CRA applies to hardware and software, but not universally. There’s a clear distinction between the products it covers and those that fall outside its scope.
The regulation categorizes the products it governs into two types:
The EU Cyber Resilience Act includes several important exemptions. Products already covered by industry-specific regulations are not subject to this law. These include items provided exclusively for national security and defense purposes, medical devices, motor vehicles, civil aviation products, and marine equipment.
Free and open-source software remains exempt unless the business charges for the software itself, charges for technical support services related to the software, or processes personal data beyond what is necessary for its functionality.
In general, SaaS and PaaS products are exempt, as these services, in their purest forms, are not inherently tied to the operation of a product with digital elements. However, the regulation would apply if the service directly connects to a device's functionality, like software for a fitness wearable.
If you’re feeling confused about how the EU Cyber Resilience Act (CRA) differs from the GDPR, NIS/NIS2, or DORA, let’s clarify the distinctions:
The Cyber Resilience Act applies to three types of businesses:
It’s also important to note that products and entities regulated by sector-specific laws, such as those in healthcare or finance, are exempt from the CRA. This regulation covers only the areas left unregulated by other laws.
Whether the CRA applies to your business depends on the products you work with. If you sell devices that can connect to a network, the CRA definitely applies. If you make or sell software for such devices, the regulation may apply.
In general, the CRA requires businesses to ensure their products are secure from a cybersecurity perspective. Specifically, they must conduct a prior risk assessment, provide a user manual with the product, and ensure that vulnerabilities are identified and appropriately resolved.
For each type of business that falls under the CRA scope, the steps toward compliance look as follows:
Before placing a product on the European market, the manufacturer under the CRA scope must:
It is mandatory for software developers to adopt a risk-based approach when designing the software. It should result in the following:
Even if your business does not make hardware or software, placing it on the market still requires CRA compliance.
Your duties include:
The answer to this question is straightforward: make sure your product is safe. While compliance with the Cyber Resilience Act may be mandatory for certain businesses, the principles behind it benefit all companies working with digital products. You don’t need to wait for authorities to pass legislation to start prioritizing security. Taking proactive steps to ensure your products are safe demonstrates responsibility and builds trust with your customers.
In a world where cybersecurity threats are constantly evolving, ensuring the safety of your hardware and software is not just about meeting legal requirements; it’s about protecting your customers, your reputation, and the stability of the digital ecosystem. By embedding cybersecurity into the design and operation of your products today, you’re not only preparing for regulations like the CRA but also setting your business up for long-term success in an increasingly connected and security-conscious marketplace.