Cyber Resilience Act
Regulation 2024/2847 on horizontal cybersecurity requirements for products with digital elements
Background and Scope
The Cyber Resilience Act (“CRA”), formally known as the EU Regulation 2024/2847, seeks to enhance the cybersecurity framework for products with digital elements. In response to the growing number of connected devices and cyber threats, the Act aims to establish a robust legal framework to ensure the cybersecurity of digital products in the EU market. Existing Union laws related to cybersecurity do not directly cover mandatory requirements for the security of products with digital elements. This has led to a legislative patchwork, increasing legal uncertainty and compliance burdens for manufacturers and users. The CRA therefore focuses on establishing a unified approach to cybersecurity to reduce vulnerabilities and enhance the consistency and adequacy of security updates.
The CRA applies to products with digital elements – software as well as hardware – that are made available on the market, where their intended use or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network. However, it excludes products covered by specific EU regulations such as medical devices, vehicles, and certain certified aviation equipment. The regulation also does not apply to spare parts intended to replace identical components in digital products, nor to products developed exclusively for national security or defence purposes. The CRA imposes obligations mainly on manufacturers, but importers and distributors are also subject to it.
Digital Omnibus Regulation Proposal
Under the Digital Omnibus Proposal, ENISA (the European Union Agency for Cybersecurity) will establish a single, unified EU-wide portal for incident reporting. This centralised reporting portal will also extend to entities subject to obligations under the CRA.
Key Obligations
- Cybersecurity by design: Products must be designed, developed, and manufactured to ensure an appropriate level of cybersecurity by conducting a cybersecurity risk assessment and complying with “essential cybersecurity requirements” specified in Annex I of the CRA. The risk assessment must be included in the technical documentation of the product.
- Vulnerability Management: Manufacturers are required to identify, document, and address vulnerabilities in their products.
- User Instructions: Products must be accompanied by clear instructions and information to enable secure installation, operation, and use.
- Incident reporting: Manufacturers must report actively exploited vulnerabilities and serious security incidents to the designated CSIRTs and ENISA.
- Technical Documentation: Manufacturers must maintain technical documentation and a declaration of conformity for at least ten years after the product is placed on the market.
- CE Marking: Products covered by the CRA must bear the CE marking.
- The CRA enters into full application.
- The obligations to report actively exploited vulnerabilities and serious incidents affecting product security enter into force.
- The provisions concerning the notification of conformity assessment bodies become applicable.