I. Scope of application
The new Cyber Resilience Act (Regulation (EU) 2024/2847, CRA) applies to products with digital elements, i.e. software or hardware products whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network; according to Art. 3(1) CRA, it covers hardware and software equally. For example, apps, connected machines (IIoT), computers, laptops, smartphones, smart household appliances with security functions (including smart door locks, baby monitor systems and alarm systems), networked toys and wearable medical devices (wearables) are subject to the CRA. However, products for which cybersecurity requirements are already laid down in existing EU legislation, e.g. medical devices, aviation products or vehicles, are excluded from the scope of application (Art. 2 CRA).
II. Product requirements
1. Formal requirements
As the CRA is based on the EU's New Legislative Framework (NLF), it follows its basic regulatory structure. The formal requirements include the issuing of an EU declaration of conformity in accordance with Art. 28 CRA and the affixing of the CE marking in accordance with Art. 30 CRA. As usual, the latter must be affixed visibly, legibly and indelibly to the product itself; where this is not possible or not warranted by the nature of the product, it is affixed to the packaging. In the case of stand-alone software, the CE marking can also be affixed to the EU declaration of conformity or to a website accompanying the product. In addition, the manufacturer's and importer's name, registered trade name or trademark and contact details must be indicated on the product or, where that is not possible, on its packaging or accompanying documentation.
2. Substantive requirements
Furthermore, the product must meet the essential cybersecurity requirements in accordance with Art. 6 CRA in conjunction with Annex I of the CRA. According to Art. 27 CRA, it is presumed that the product meets the requirements if it complies with harmonized standards (so-called presumption of conformity).
The conformity assessment procedure relevant for compliance with the substantive requirements is generally carried out by the manufacturer itself under its own responsibility (internal control) in accordance with Art. 32 CRA. The situation is different for so-called important or critical products with digital elements within the meaning of Art. 7 and 8 CRA. A product falls into this category if its core functionality corresponds to one of the product categories listed exhaustively in Annex III or Annex IV of the CRA. Important products are further divided into Class I and Class II. For Class I products, the manufacturer can still use internal control if it fully applies harmonized standards, common specifications or a European cybersecurity certification scheme in accordance with Art. 27 CRA; otherwise it must carry out one of the procedures listed in Art. 32(2) CRA (EU-type examination or full quality assurance) with the involvement of a notified body. In the case of Class II products, a conformity assessment procedure involving a notified body is mandatory (Art. 32(3) CRA). For critical products under Annex IV, the Commission may additionally require a European cybersecurity certificate by delegated act (Art. 8 CRA).
III. Obligations of the economic operators
1. Manufacturer
The concept of manufacturer in Art. 3(13) CRA corresponds to the usual understanding under the NLF and also covers so-called quasi-manufacturers, i.e. anyone who has a product developed or manufactured by a third party and markets it under its own name or trademark. According to Art. 22 CRA, a person who carries out a substantial modification of a product with digital elements and then places it on the market is likewise treated as a manufacturer.
The manufacturer bears primary responsibility for product conformity. Product responsibility is expressed in the classic pre-market and post-market obligations, which, however, differ in part from the existing Union harmonization legislation:
- Ensuring the essential requirements within the meaning of Annex I and carrying out a conformity assessment procedure (Art. 13(1), (12) CRA)
- Information and instruction obligations with the minimum content of Annex II of the CRA (Art. 13(15), (16), (18), (19), (20) CRA)
- Product monitoring obligations, in particular with regard to susceptibility to security vulnerabilities and the resulting risks (Art. 13(3), (7) CRA)
- Inspection obligations in relation to purchased components (Art.13(5) CRA)
- Proactive post-market obligations for the support period, which the manufacturer must set to reflect the expected lifetime of the product and which must be at least 5 years unless the product is expected to be in use for a shorter time; these include security updates in the event of vulnerabilities, reporting vulnerabilities found in integrated components to their maintainers, and corrective measures in the event of non-conformity (Art. 13(6), (8), (9), (21) CRA)
- Obligations to cooperate with the market surveillance authorities (Art. 13(22) CRA) and, under Art. 14 CRA, to report actively exploited vulnerabilities and severe incidents affecting the product's security via the single reporting platform to the CSIRT designated as coordinator and the European Union Agency for Cybersecurity (ENISA); the early warning is due within a very short period of no more than 24 hours after the manufacturer becomes aware of the vulnerability, followed by a vulnerability notification within 72 hours and a final report no later than 14 days after a corrective or mitigating measure is available
2. Importers and distributors
Both importers and distributors may only place a product on the market or make it available on the market if it complies with the requirements of the CRA. Importers and distributors are subject to the usual formal testing and assurance obligations under the NLF. These include, for example, the obligation to verify the correct CE marking (see Art. 19(2)(c) CRA for the importer and Art. 20(2)(a) CRA for the distributor). In addition, they are responsible for taking appropriate measures in the event of non-compliance (see Art. 19(5) subpara. 2 CRA and Art. 20(4) subpara. 2 CRA).
IV. Interplay with other EU product legislation
As a horizontal legal act, the CRA is to be applied in parallel with other Union harmonization legislation. The interplay with three EU product regulations is, however, explicitly regulated:
- According to Art. 11 CRA, Regulation (EU) 2023/988 (the General Product Safety Regulation) applies to products with digital elements, alongside any sector-specific Union harmonization legislation, with regard to safety risks that the CRA does not cover.
- According to Art. 12 CRA, products with digital elements that are classified as high-risk AI systems under Art. 6 of Regulation (EU) 2024/1689 (the AI Act) and that comply with the essential cybersecurity requirements of the CRA are deemed to fulfil the cybersecurity requirements of Art. 15 of the AI Act.
- Products that fall within the scope of both the CRA and Regulation (EU) 2023/1230 (the EU Machinery Regulation) must meet the requirements of both legal acts. Where the essential requirements overlap, compliance with the CRA may also satisfy the requirements of points 1.1.9 (protection against corruption) and 1.2.1 (safety and reliability of control systems) of Annex III to Regulation (EU) 2023/1230. However, the manufacturer must demonstrate this, e.g. by applying harmonized standards (see recital 53 of the CRA).
V. Market surveillance and sanctions
Art. 52(1) CRA stipulates the application of Regulation (EU) 2019/1020 (so-called EU Market Surveillance Regulation) with regard to market surveillance. On this basis, the market surveillance authorities may, in the case of non-compliant products, require economic operators to take measures to end non-compliance and eliminate risks, prohibit or restrict the making available of a product on the market and carry out recalls.
In order to enforce these measures, the national implementing acts pursuant to Art. 64(1) CRA must contain corresponding penalty provisions. Under Art. 64(2) CRA, breaches of the essential cybersecurity requirements of Annex I or of the manufacturer obligations in Art. 13 and 14 CRA are subject to fines of up to EUR 15 million or up to 2.5% of total worldwide annual turnover, whichever is higher; breaches of the other obligations under the CRA are subject to fines of up to EUR 10 million or 2% of turnover (Art. 64(3) CRA), and the supply of incorrect, incomplete or misleading information to notified bodies or market surveillance authorities to fines of up to EUR 5 million or 1% of turnover (Art. 64(4) CRA).
VI. Date of application
The CRA entered into force on 10 December 2024. Its requirements and obligations apply from 11 December 2027 in accordance with Art. 71(2) CRA. Two exceptions apply earlier: the provisions on the notification of conformity assessment bodies (Chapter IV) apply from 11 June 2026, and the reporting obligations for actively exploited vulnerabilities and severe incidents under Art. 14 CRA must already be complied with from 11 September 2026.
VII. Conclusion
Overall, this is an ambitious law with numerous points of reference to various product-related regulatory areas. Due to the advancing digitalization of almost all product areas, the majority of economic operators will be affected by the regulation. Despite the generous transitional period, economic operators should therefore start examining the new requirements now, in particular the vulnerability handling processes and the reporting channels that must be in place by September 2026.
Do you have any questions about this news or would you like to discuss it with the author? Please contact: Dr. Gerhard Wiebe