The Cyber Resilience Act (CRA) establishes mandatory cybersecurity requirements for manufacturers and retailers throughout the product lifecycle. Its goal is to ensure that consumers and businesses buying or using products or software with digital components are fully protected.
The EU Cybersecurity Resilience Act (CRA) is an EU cybersecurity regulation proposed by the European Commission on September 15, 2022. Its objectives include:
The Cyber Resilience Act mandates that products with digital elements will only be made available on the EU market if they meet specific essential cybersecurity requirements specified in CRA-Annex I.
The EU Cyber Resilience Act applies to a broad range of digital products. This includes consumer electronics like smartphones and laptops, Internet of Things (IoT) devices such as smartwatches and connected home appliances, network equipment like routers and modems, and various software products including operating systems and applications.
The current Act covers the products with digital elements hardware or software sold or available in the EU.
Depending on the product class type, different conformity assessments are applicable according to CRA. The classification for Important Products (Class I and Class II) and Critical Products can be found in CRA-ANNEX III and IV.
If you are a manufacturer, make sure you are aware of the main process and all the steps to be followed:
Contact Applus+ if you need help in understanding the requirements and how to proceed. We are walking all through this new regulation.
Yes, some products are not covered under the CRA or excluded
Amongst the excluded products are those sufficiently regulated on cybersecurity such as cars, medical devices, in vitro, and certified aeronautical equipment.
These are some of the products that are not covered by CRA regulations:
The EU Cyber Resilience Act is intended to work in conjunction with existing cybersecurity certification frameworks, including the European Union Cybersecurity Certification Scheme (EUCC) coming from the CSA (Cybersecurity Act). The EUCC, based on the Common Criteria for Information Technology Security Evaluation, offers a voluntary certification scheme. However, the Cyber Resilience Act introduces mandatory compliance requirements for certain products.
It specifies which products must adhere to certification standards, potentially including those outlined in the EUCC and other relevant schemes. This approach ensures a more cohesive and comprehensive cybersecurity landscape across the EU, blending voluntary and mandatory measures to enhance overall digital security.
Entry into force is expected around the second half of 2024. We recommend following the updates in CRA on the ENISA CRA website.
Manufacturers will have to apply the rules 36 months after they enter into force. Except for a more limited 21-month grace period for the reporting obligation of manufacturers for incidents and vulnerabilities.
If you are a manufacturer, make sure you are aware of the main process and all the steps you’ll have to take to maintain the cybersecurity of your product throughout its lifecycle.
If you have any doubts or questions our Applus+ Laboratories experts will be more than happy to walk you through this new regulation.
Applus+ uses first-party and third-party cookies for analytical purposes and to show you personalized advertising based on a profile drawn up based on your browsing habits (eg. visited websites). Click HERE for more information. You can accept all cookies by pressing the "Accept" button or configure or reject their use by clicking here.
They allow the operation of the website, loading media content and its security. See the cookies we store in our Cookies Policy
They allow us to know how you interact with the website, the number of visits in the different sections and to create statistics to improve our business practices. See the cookies we store in our Cookies Policy