With cyber security at the forefront of a rapidly evolving digital landscape, the EU has emphasised the importance of improving overall cyber security to safeguard products with digital elements (both hardware and software) against cyber threats. As a result, the European Commission published its proposal for the Cyber Resilience Act (CRA) in September 2022, the first EU-wide legislation introducing unified cyber security requirements for manufacturers and developers of products with digital elements, covering both hardware and software. The proposal has since been adopted as Regulation (EU) 2024/2847.
To meet the goal of the legislation, in-scope products with digital elements must comply with its cyber security requirements and practices. The CRA aims to raise cyber security maturity across the entire product lifecycle, from development to decommissioning, by obliging companies to conduct risk and vulnerability assessments and to keep delivering security updates for their in-scope digital products throughout the support period.
Both EU and non-EU companies manufacturing or selling products with digital elements in the European market will be affected by the CRA, which mandates enhanced cyber security measures throughout the entire lifecycle of their products.
The scope of the CRA includes “products with digital elements whose intended or reasonably foreseeable use involves direct or indirect logical or physical data connection to a device or network”. Here are some examples of products with digital elements:
Hardware | Software
Smartphones | Operating Systems
Laptops | Password Managers
CPUs | Photo Editing
Routers | Audio and Video Editing
Switches | Word Processing
Firewalls | Anti-virus / Anti-Malware
Hard Drives | Endpoint Protection
Microcontrollers | Games
Critical Class I: products that provide functions critical to the cyber security of other products, or functions that significantly affect a large number of other products. Examples of products in this class cited in Annex III of the Commission's proposal are:
Standalone and embedded browsers;
Password managers;
Mobile device management software;
Critical Class II: products that both provide a critical cyber security function and significantly affect a large number of other products. Examples of products in this class cited in Annex III of the Commission's proposal are:
Operating systems for servers, desktops, and mobile devices;
Hypervisors and container runtime systems that support virtualised execution of operating systems and similar environments;
Public key infrastructure and digital certificate issuers;
Default category: around 90% of the products covered by the legislation fall here. These products with digital elements have basic security relevance and include common consumer electronics such as smartphones and laptops. Any product not classified as Critical Class I or Class II belongs in this category, and its manufacturer can demonstrate conformity by self-assessment. Note that the classification above follows the Commission's proposal; the adopted regulation renames these classes as "important products" Class I and Class II (Annex III) and adds a separate, shorter list of "critical products" (Annex IV), such as hardware security modules and smart cards.
Products already subject to sector-specific EU legislation with cyber security requirements at least equivalent to those of the CRA are excluded from its scope. Examples of existing EU legislation covered by this exclusion are:
Regulation (EU) 2017/745 on medical devices (and Regulation (EU) 2017/746 on in vitro diagnostic medical devices);
Regulation (EU) 2019/2144 on type-approval requirements for motor vehicles;
Regulation (EU) 2018/1139 on civil aviation;
Directive 2014/90/EU on marine equipment.
The CRA was published in the Official Journal of the EU in November 2024 and entered into force on 10 December 2024. Its obligations apply in phases: the reporting obligations for actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the regulation applies in full from 11 December 2027. Oversight and enforcement will be conducted by market surveillance authorities within the EU member states, with the European Union Agency for Cybersecurity (ENISA) supporting the regulation, in particular as the recipient of vulnerability and incident notifications through the single reporting platform.
Manufacturers and developers of products with digital elements, covering both hardware and software, will be required to comply with the legislation by meeting cyber security requirements intended to safeguard those products against emerging cyber threats. Key obligations that companies can expect under the CRA include, but are not limited to, the following:
Throughout the product development process and the rest of the lifecycle, manufacturers must conduct and document a cyber security risk assessment. This includes evaluating and mitigating the cyber security risks associated with the product across its entire lifecycle, and keeping the assessment up to date as the product changes.
Companies must place products on the market without known exploitable vulnerabilities. This requires vulnerability handling processes to promptly identify and address security weaknesses, including documenting the product's components (a software bill of materials) and operating a coordinated vulnerability disclosure policy so that reported vulnerabilities are received and handled.
Security updates must be provided free of charge for the product's support period, which must reflect the expected use of the product and, in the adopted regulation, is at least five years unless the product's expected lifetime is shorter. This is crucial for ensuring that products remain resilient against emerging threats after release.
Depending on the product's classification, demonstrating conformity may require applying relevant standards (harmonised European standards, with IEC 62443 commonly referenced for industrial products) or engaging a third-party conformity assessment body.
Given the global significance of the European market, the CRA is expected to influence the cyber security of products worldwide. As products with digital elements sold in the European market become subject to the CRA, overall cyber security maturity across the product lifecycle is expected to grow, to the benefit of both companies and customers.
Our Cyber Security team brings together deep local insight and global experience to help you stay secure, resilient and ready for what's next.
Our team combines technical expertise with practical experience across both public and private sectors. We’re backed by specialists in digital, audit and business transformation. Together, we help you see the full picture, so you can act with confidence. Want to learn more? Visit our Cyber Security webpage or reach out to one of our team leaders below.