The Cyber Resilience Act is the first European regulation to set a minimum level of cyber security for all connected products available on the EU market - something that did not exist before. The aim is to increase cybersecurity within the European Union. The new regulation applies in all EU Member States and will be implemented gradually.
These products are covered by the CRA
All products sold in the EU that contain ‘digital elements’ must fulfill the essential requirements of the CRA. This includes low-cost consumer products as well as B2B software and complex high-end industrial systems. ‘Products with digital elements’ are defined in the CRA as products that can be connected to a device or a network and include both hardware products with networked functions (e.g. smartphones, laptops, smart home products, smart watches, internet connected toys, but also microprocessors, firewalls and smart meters) and pure software products (e.g. accounting software, computer games, mobile apps). Non-commercial open source software products are exempt from the CRA and therefore do not have to fulfill the requirements of the CRA.
Off we go
The CRA enters into force 20 days after publication in the Official Journal of the EU. Implementation will take place in various stages. Products that have been newly placed on the market must meet all requirements by the end of 2027.
*CABs = Conformity Assessment Bodies. Source: BSI
This needs to be done
All products with digital elements must fulfill a minimum level of cybersecurity. The process sounds complicated, but is based on the familiar CE mark. Manufacturers who already know and apply these verification processes have an advantage here.
Take cybersecurity into account
The requirements of the CRA should already be taken into account during product development. Manufacturers must carry out a risk assessment for their products and address any cybersecurity risk. According to the conceptual principle of ‘security by design’, connected products must be designed with cybersecurity in mind, e.g. by ensuring that the data stored or transmitted with the product is encrypted and that the attack surface is as small as possible. In keeping with the ‘secure by default’ configuration principle, the default settings of networked products must contribute to increasing their security, for example by banning weak default passwords, by installing security updates automatically, etc. The mandatory handling of product vulnerabilities should already be considered during development. The basis for this is the integration of tools for creating a software bill of materials (SBOM). For software, an SBOM is the equivalent of a list of ingredients for food. It details which libraries and other software components are used in the product. The CRA demands the creation of an SBOM, but it does not have to be published.
Prove requirements
A declaration of conformity is required to prove that the product fulfills all the requirements of the CRA. Which conformity assessment procedure is used depends on the product category. For most products this is a self-assessment by the manufacturer; for a few it is an assessment by a notified third-party body.
Disclose vulnerabilities
A new single reporting platform will be established for the easy exchange of information on actively exploited vulnerabilities and serious security incidents. These vulnerability reports must be submitted via this reporting platform.
Secure during the entire support period
Security updates must be made available to the end user and vulnerabilities must be handled throughout the entire product life cycle. This support period is generally 5 years.
Standard, important or critical - this applies!
Most of the products for which the CRA is relevant are standard products. Only products that are considered more sensitive from a cybersecurity perspective are labelled as ‘important’ or ‘critical’ products and are listed in Annexes III and IV of the regulation (e.g. password managers, firewalls, smart cards, smart meters, etc.).
SME or start-up - what about us?
Support for small and medium-sized enterprises, micro-enterprises and start-ups is directly provided for in the CRA. Among other things, there will be guidelines for implementation, helpdesks will be available to assist with reporting obligations, technical documentation may be simplified and regulatory sandboxes will be set up to test products with digital elements.
BSI provides the following support
In order to make the requirements of the CRA more tangible, BSI is developing a technical guideline in which interpretations of the requirements for manufacturers and products with regard to cyber resilience are clearly and specifically described.
In Part 1 ‘General Requirements’, guidance for manufacturers and products is compiled based on the requirements from the articles and annexes of the CRA.
Part 2 ‘Software Bill of Materials (SBOM)’ contains formal and technical specifications for SBOMs.
Part 3 ‘Vulnerability Reports and Notifications’ describes how to deal with incoming vulnerability reports.
Note: The information provided here is for information purposes only and is not intended as legal advice. The legal text of the CRA takes precedence over the explanations given here.
FAQ
The CRA is an act and not a directive. Unlike the NIS 2 Directive, it is therefore directly applicable in all EU Member States, meaning that national implementation is not necessary. However, a transitional period is planned so that market participants have sufficient time to prepare for the new requirements. The European Parliament has already voted in favour of the CRA. The legal act was officially adopted by the Council in October 2024. The final text was published on 20th November 2024 in the Official Journal of the EU and will enter into force 20 days later. The CRA will then be implemented in multiple stages from the end of 2024 to 2027.
11th June 2026: Conformity assessment bodies (CABs) are authorised to assess the conformity of products with the requirements of the CRA.
11th September 2026: Manufacturers of connected products are subject to mandatory reporting of vulnerabilities and incidents.
11th December 2027: All CRA requirements apply, including compliance with the essential cybersecurity requirements before a product is placed on the market, addressing vulnerabilities throughout the product's life cycle and transparency to users.
My product:
uses digital elements or is a software product
entered the EU market at the end of 2027
does not fall into any sector that is excluded from the CRA (medical products, vehicles, in-vitro diagnostics, civil aviation, marine equipment) and is not a product used in the context of national security
is not free-of-charge open source software developed with no intention of making a profit
is not a spare part for an existing product
Then CRA applies.
The conformity assessment procedures provided for in the CRA are based on conformity assessment modules taken from the New Legislative Framework (NLF). The exception is certification according to a European cybersecurity certification scheme. The NLF of the European Union (EU) is a regulatory system that aims to improve the harmonisation and modernisation of the EU internal market for goods. It was introduced to update the previous legal framework, particularly in the area of product conformity assessment.
The NLF modules define the obligations of the manufacturer in the context of conformity assessment and the level of involvement of notified bodies (conformity assessment bodies authorized to operate under the CRA).
Module A (internal production control) comprises self-assessment, i.e. the manufacturer assesses the conformity of its product without the involvement of a notified body.
In Module B (EC-type examination), the notified body assesses the conformity of the product (the so-called sample). The manufacturer then manufactures all other products according to this compliant sample (Module C (internal production control)). The manufacturer must ensure that each product conforms to the sample from module B. Module B must always be combined with Module C in the CRA.
In Module H (full quality assurance), the notified body assesses the manufacturer's quality assurance, i.e. the notified body checks whether the manufacturer's quality assurance process results in products that conform to the CRA. If this is the case, the manufacturer can manufacture all further products according to this process.
There will not be a separate marking for the CRA. Going forward, the CE marking will include the cybersecurity requirements of the CRA. The CRA increases the transparency of product information. This should help users to make informed purchasing decisions, i.e. to select a suitable product not only on the basis of price and functionality, but also on the basis of the cybersecurity level. As cybersecurity is far less static than traditional product safety, the requirements of the CE marking for manufacturers do not end with the conformity assessment. The CRA also demands a support period with free security updates for end users. During this period, the manufacturer must actively handle vulnerabilities. The regulation prescribes that the end of support, i.e. the date until which the manufacturer is obliged to provide security updates, must be clearly stated.
A Software Bill of Materials (SBOM) is like a list of ingredients for software. It can be understood as an inventory list of software and contains information about the components used in this software. Ideally, it is available in a machine-processable format. The content can be available in various depths and levels of detail. SBOMs are an essential tool for ensuring greater transparency in the supply chain. The CRA requires manufacturers to create an SBOM with the aim of using it in vulnerability handling. The SBOM does not have to be published.
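The two SBOM passages above (the development-phase note under ‘Take cybersecurity into account’ and this FAQ entry) describe an SBOM as a machine-processable inventory that is used for vulnerability handling. The following Python script is an added illustration, not code from BSI or from the CRA: it parses a constructed, pinned dependency manifest, emits a minimal CycloneDX-style JSON SBOM (top-level fields follow the CycloneDX 1.5 layout; the document is kept deliberately small and is not a schema-validated full SBOM), and then matches the inventory against a constructed advisory list to find components that still need an update. The advisory versions are invented for the example and do not refer to real vulnerabilities.

```python
"""Build a minimal SBOM and use it for vulnerability handling (added example, not BSI code)."""
import json
from typing import Dict, List, Tuple

# Constructed dependency manifest in requirements.txt style (not from any real product).
MANIFEST = """\
requests==2.31.0
urllib3==1.26.5
cryptography==41.0.3
"""

# Constructed advisory feed: package name -> first fixed version.
# Illustrative values only; they are not real advisory data.
ADVISORIES = {
    "urllib3": "1.26.18",
    "cryptography": "41.0.4",
}


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines, ignoring blanks and comments.

    An unpinned entry is rejected: without an exact version the SBOM
    cannot say which component is actually shipped.
    """
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps.append((name.lower(), version))
    return deps


def build_sbom(product_name: str, product_version: str,
               deps: List[Tuple[str, str]]) -> Dict:
    """Produce a CycloneDX-style JSON document.

    Top-level layout follows CycloneDX 1.5 (bomFormat, specVersion, version,
    metadata, components); each component carries a package URL (purl) so that
    tooling can match it unambiguously.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application",
                          "name": product_name, "version": product_version}
        },
        "components": [
            {"type": "library", "name": n, "version": v,
             "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in deps
        ],
    }


def version_key(v: str) -> Tuple[int, ...]:
    """Comparison key for dotted numeric versions (simplified; assumes numeric segments only)."""
    return tuple(int(p) for p in v.split("."))


def affected_components(sbom: Dict, advisories: Dict[str, str]) -> List[str]:
    """Return purls of SBOM components older than the first fixed version in the advisory list."""
    hits = []
    for comp in sbom["components"]:
        fixed = advisories.get(comp["name"])
        if fixed and version_key(comp["version"]) < version_key(fixed):
            hits.append(comp["purl"])
    return hits


if __name__ == "__main__":
    sbom = build_sbom("example-app", "1.0.0", parse_manifest(MANIFEST))
    print(json.dumps(sbom, indent=2))
    print("components needing an update:", affected_components(sbom, ADVISORIES))
```

Generating the SBOM from the same pinned manifest that the build uses keeps the inventory in step with what is actually shipped, and the purl-based matching is what lets the SBOM be re-checked against new advisories throughout the support period without rebuilding the product.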
All actively exploited vulnerabilities and serious security incidents that affect the security of products with digital elements must be reported to the authorities within 72 hours. An early warning must be issued within 24 hours. These obligations apply 21 months after the regulation comes into force. The CRA provides for the establishment of a new single reporting platform in order to simplify the reporting procedure for manufacturers and ensure secure and efficient data exchange between the European Computer Security Incident Response Teams (CSIRTs) and ENISA.
On the one hand, the CRA contains a standardised set of essential cybersecurity requirements that apply to all products with digital elements. It applies regardless of whether products are cheap or expensive, whether they are used by individual consumers or by demanding business users. The requirements for reporting vulnerabilities and clearly stating the end of the support period of the product, for example, apply to all types of products.
On the other hand, the process for assessing the conformity of products with the CRA regulation will be different for standard products and for products that are considered more sensitive from a cybersecurity perspective. These products are referred to as ‘important’ or ‘critical’ products.
Important products, such as password managers or firewalls, are listed in Annex III and critical products, such as smart cards or smart meters, in Annex IV. Unlike standard products, which are assessed by the manufacturer themselves, important and critical products must pass stricter conformity assessment procedures. Product categories that are listed in class 1 of Annex III can be assessed by the manufacturer themselves according to a harmonised European standard. European standardisation bodies are currently working on the development of the necessary standards. Class 1 products for which no harmonised European standard is available are subject to conformity assessment by a notified body. The conformity assessment follows the rules of the existing product legislative framework (NLF). For the product categories listed in Class 2 of Annex III, assessment by a notified body is mandatory. Instead of such an assessment, conformity can also be demonstrated through certification in accordance with a European certification scheme. However, this requires that all product requirements are covered by the scheme. Certification in accordance with a European certification scheme is mandatory for the product categories listed in Annex IV.
With the IT Security Label, manufacturers can already prepare today for the requirements of the upcoming CRA. This strengthens trust in their products and positions them as pioneers in cybersecurity in the market. The existing security requirements of the IT Security Label will gradually be aligned with the security requirements of the CRA, allowing manufacturers to integrate these into their product development from now on. Together with industry and society, BSI will further develop these requirements in the context of the CRA. The feedback gained can serve as guidance for harmonised standards or implementation recommendations at the European level.
The CRA applies to all manufacturers who place products with digital elements on the EU market, regardless of whether they are based in the EU or not. For example, the CRA applies to a Japanese manufacturer who wants to sell its games consoles on the EU market, as well as to a US manufacturer who sells anti-virus protection software in the EU. In addition, distributors and importers of related products must also ensure compliance with the regulations.