
What is the Cyber Resilience Act (CRA)?

The European Union's Cyber Resilience Act establishes cybersecurity requirements for products with digital elements.

The Cyber Resilience Act (CRA) is EU Regulation (EU) 2024/2847, which establishes mandatory cybersecurity requirements for hardware and software products directly or indirectly connected to a network or another device.

As a horizontal product safety regulation, the CRA applies across various industries and product types. A key aspect is that cybersecurity compliance will be integrated into the existing CE marking framework. The CE mark indicates the manufacturer’s declaration that the product complies with all applicable EU safety and security requirements.

The regulation will be applied in phases between 2026 and 2027. It aims to improve societal security by ensuring that digital hardware and software placed on the EU market meet strict security standards and that manufacturers remain responsible for product security throughout their lifecycle.


Which products and companies does the CRA affect?

The CRA applies to Products with Digital Elements (PDE), which encompass any software or hardware product with a direct or indirect data connection (e.g., smartwatches, security cameras, smart TVs, routers, operating systems, password managers, and IoT devices).

The regulation affects all businesses, regardless of size (including SMEs), operating in the following roles:

  • Manufacturers: Companies that design and manufacture products to be placed on the EU market under their own name or trademark.
  • Importers: Entities that place products imported from third countries (outside the EU) onto the EU market.
  • Distributors: Retailers or wholesalers that distribute and sell products within the EU.

Product Classifications Based on Risk

The CRA categorizes digital products into three main classes depending on their cybersecurity risk levels and functions:

Each class is listed below with its approximate share of products, the conformity assessment method it requires, and examples:

  • Default Class (about 90% of products): Manufacturer’s self-assessment and CE declaration. Examples: smart speakers, hard drives, photo editing software, video games.
  • Important, Class I (about 9%): Conformity based on harmonized standards or third-party assessment. Examples: web browsers, password managers, home automation devices.
  • Important, Class II (about 1%): Mandatory third-party certification by a Notified Body. Examples: firewalls, operating systems, virtualization software (hypervisors), routers.
  • Critical Class (very small share): Mandatory high-level European cybersecurity certification. Examples: smart cards, smart electricity meters, security components in industrial control systems.

Core Obligations for Businesses

The CRA mandates security practices starting from product design through to the end of the product’s support lifecycle.

1. Obligations for Manufacturers

  • Security by Design: Products must be designed, developed, and produced to be secure out-of-the-box (e.g., secure default settings, strong authentication, data encryption, protection against unauthorized access).
  • Security Updates: Manufacturers must guarantee security updates for the expected lifetime of the product (minimum of five years from when the product is placed on the market).
  • Vulnerability Management: Manufacturers must document all known vulnerabilities, fix them without delay, and publish detailed instructions for users on how to apply fixes.
  • Incident Reporting: Any actively exploited vulnerability or severe security incident must be reported within 24 hours to the national CSIRT (in Finland, the NCSC-FI at Traficom) and ENISA.

2. Obligations for Importers

  • Importers must verify before placing a product on the market that the manufacturer has performed the conformity assessment, compiled the technical documentation, and affixed the CE marking.
  • If a product is non-compliant, the importer must not place it on the market and must immediately notify the manufacturer and market surveillance authorities.

3. Obligations for Distributors

  • Distributors must verify that the product bears the CE marking and that the manufacturer and importer have met their labeling obligations.
  • If a distributor identifies a security flaw, they must withhold the product from the market until the manufacturer or importer has corrected the issue.

CRA Timeline and Transition Periods

The regulation entered into force in late 2024, with its provisions taking effect in stages:

  • June 11, 2026: Provisions regarding the designation and accreditation of Notified Bodies (third-party conformity assessment organizations) begin to apply.
  • September 11, 2026: The obligation for manufacturers to report actively exploited vulnerabilities and incidents takes effect (applies also to products already on the market).
  • December 11, 2027: All essential cybersecurity requirements become fully mandatory. Every new connected hardware or software product placed on the EU market must carry a CRA-compliant CE mark.

Administrative Fines for Non-Compliance

Violations of the CRA can result in substantial administrative fines:

  • Non-compliance with essential requirements (e.g., placing unsafe or uncertified products on the market): Fines of up to €15,000,000 or 2.5% of global annual turnover (whichever is higher).
  • Non-compliance with other obligations (e.g., missing technical documentation, failure to supply updates): Fines of up to €10,000,000 or 2% of global turnover.
  • Providing misleading information to authorities: Fines of up to €5,000,000 or 1% of global turnover.

How can Tekve help you prepare?

Tekve’s experts help hardware manufacturers, software publishers, and importers achieve Cyber Resilience Act compliance without delaying product launch:

  1. Scope and Classification Assessment: We analyze your product line, determine each product’s CRA classification, and review your current development lifecycle.
  2. Security by Design Integration: We embed security practices into your product development (threat modeling, code audits, secure update mechanisms).
  3. Technical Documentation Compilation: We draft the technical files, risk assessments, and EU declarations of conformity required for the CE mark.
  4. Vulnerability and Incident Reporting Readiness: We set up processes for vulnerability management and ENISA/CSIRT reporting within the mandatory 24-hour window.
  5. Notified Body Coordination: We manage the third-party certification process for Class II and Critical products, coordinating with accredited Notified Bodies on your behalf.