The Cyber Resilience Act – new cybersecurity requirements for products with digital elements and liability risks

  • Legal Development 20 November 2024
  • UK & Europe

  • Technology risk

The Cyber Resilience Act (CRA) (Regulation (EU) 2024/2847) marks a pivotal shift in the cybersecurity of products with digital elements. The law introduces a range of new requirements for products with digital elements and provides significant market surveillance powers, including fines, in the event of non-compliance with these requirements. Following the publication of the CRA in the Official Journal of the European Union on 20 November 2024, the law will enter into force a few days later.

Introduction

Products are increasingly shaped by digitalization. This not only affects new, so-called "smart products" but also extends to traditional product categories, e.g. conventional household appliances, which are progressively being equipped with smart features.

While these connected and smart products offer substantial benefits and value, they also introduce new cybersecurity vulnerabilities. Security weaknesses of any kind create potential entry points for cyberattacks, which, depending on their nature and severity, can lead to significant damages.

The CRA directly addresses these challenges by establishing horizontally applicable comprehensive cybersecurity requirements for products with digital elements across all sectors. With its broad scope and substantial obligations, the CRA aims to enhance the overall cybersecurity posture within the EU and marks a significant advancement in setting higher cybersecurity standards across the EU.

First proposed by the European Commission in September 2020, the CRA has undergone a complex legislative process, with numerous revisions to the scope and nature of the requirements. Its publication now signifies the conclusion of this legislative process.

Cyber Resilience Act

1. Who is affected by the CRA?

As a result of the CRA’s intention to establish comprehensive cybersecurity requirements for products with digital elements, the CRA addresses stakeholders across the entire supply chain of such products.

As such, the CRA applies to manufacturers, importers, and distributors of products with digital elements. Manufacturers are subject to the most substantial obligations, as they control product design and development. While importers and distributors have their own obligations, they are also tasked with ensuring that the manufacturer has adhered to the necessary requirements. If the manufacturer has not, they cannot introduce the product into, or make it available on, the EU market.

2. What are the key requirements for “products with digital elements”?

The term product with digital elements is broadly defined and includes any hardware or software or any of its components. Specific examples are items such as IoT devices, apps, wearables, video games, hard drives, firewalls, and password managers. The CRA also acknowledges that not all products with digital elements have the same level of criticality or risk and introduces distinct categories of products with digital elements, differentiating between regular, important or critical products with digital elements. Depending on the classification, different requirements apply regarding the design, development, and characteristics of the respective products.

It is important to highlight that all products with digital elements must meet certain so-called essential cybersecurity requirements. These abstract requirements are set out in Annex I Part 1 CRA, and how they can be specifically implemented must be assessed on a product-by-product basis. In addition, manufacturers are required to meet vulnerability handling requirements for each of their products with digital elements, as set out in Annex I Part 2 CRA.

3. What are the risks for stakeholders?

For cases of non-compliance, the CRA provides market surveillance authorities with a wide range of investigative and corrective powers. For example, they can request access to any relevant data and documentation that helps them evaluate a product’s compliance (Article 52 CRA). In cases where a product is deemed to pose a significant cybersecurity risk, authorities are not only able to inspect the product in question but also issue instructions to the relevant economic operator. If necessary, they can take more drastic action, such as removing the product from the market entirely (Article 54 CRA).

The CRA also establishes a comprehensive penalty framework, which is well in line with recent EU legislation, and which needs to be implemented by all EU Member States. This penalty framework allows for significant fines for failure to comply with the CRA. The penalties can amount to as much as € 15 million or, for companies, up to 2.5% of their total global annual turnover from the preceding financial year—whichever is higher.

4. What are the key deadlines?

With the publication of the CRA in the Official Journal of the European Union, the implementation deadlines for the CRA have been established. The following deadlines are particularly relevant for companies:

  • 10 December 2024: The CRA enters into force.
  • 11 September 2026: Reporting obligations for manufacturers become applicable.
  • 11 December 2027: The CRA becomes fully applicable.

Necessity of compliance amid growing regulatory pressure

The CRA imposes high standards on product design and development in the area of cybersecurity. With these stringent requirements, associated liability risks also increase.

In this regard, it is important to note that specific obligations and associated liability risks will not always arise solely from the CRA itself. The subject matter of the CRA – products with digital elements – often falls within the scope of additional regulations, such as the AI Act (Regulation (EU) 2024/1689).

The short transition periods under the CRA highlight the need for stakeholders to review and update their processes in line with the new regulatory requirements. A thoughtful and timely approach is essential to ensure full compliance. In addition to the CRA, stakeholders should also take note of the Product Liability Directive (PLD) (Directive (EU) 2024/2853), which was recently published in the Official Journal of the European Union on 18 November 2024. Member States need to transpose the PLD into national law by 9 December 2026 at the latest.
