
Get Prepared for the Cyber Resilience Act

A comprehensive framework for cyber security standards in the European Union

The Cyber Resilience Act (CRA) is a pioneering framework designed to regulate the cyber security standards of software and hardware products with digital elements.

As the first legislation of its kind, the CRA sets comprehensive guidelines to strengthen the security and resilience of digital products sold in the EU.

It seeks to enhance preparedness and cooperation against cyber threats by enforcing standards that improve software and hardware safety for users.

Will my organisation be affected?

The CRA impacts manufacturers, importers, and distributors of products with digital elements. Coming into effect on December 11, 2024, this extensive legislation will impact large segments of the EU's common market and will be enforced across all EU countries.

To whom does the Act apply?

The CRA applies to:

  • EU-based suppliers and manufacturers that produce and sell network-connected digital products or services.
  • Suppliers and manufacturers based outside the European Union that sell network-connected digital products or services in the EU market.

What does it cover?

The CRA has a broad scope and sets out essential cyber security requirements for the design, development, and production of "products with digital elements" (PDEs) including:

  • Computer hardware and software
  • Internet of Things (IoT) devices (e.g., smart home devices)
  • Network-connected critical infrastructure including smart meters, firewalls, routers, and other critical network management systems

There are some exceptions, such as medical devices, vehicles, and national-security products, which are regulated under other legislation.

Four tiers of classification of PDEs:

Manufacturers, developers, and vendors must meet the CRA requirements before the product can be put on the EU market. Products deemed "important" or "critical" under the Act face a higher level of regulatory scrutiny.

Default

About 90% of products with digital elements fall under a default category, for which manufacturers will self-assess security, write an EU declaration of conformity, and provide technical documentation.

Important — Class I

Products deemed "important" under the Act and stipulated within the "Class I" category will be required to apply a relevant standard or undergo a third-party assessment to demonstrate their compliance.

Important — Class II

Products deemed "important" under the Act and stipulated within the "Class II" category will be required to undergo a third-party assessment to demonstrate their compliance.

Critical

For a small number of products considered "critical," manufacturers and vendors will have to gain mandatory EU certification before they can sell the product in the EU.

Requirements, deadlines, and penalties

Requirements

All the essential requirements are set out in Annex I of the CRA, broadly covering:

  • Ensuring the product does not have any known exploitable vulnerabilities
  • Embedding Secure-by-Default principles from the outset
  • Ensuring vulnerabilities can be addressed through security updates
  • Implementing authentication and identity or access management systems
  • Protecting the confidentiality and integrity of data (e.g., through encryption or other technical means)
  • Implementing data minimisation
  • Protecting the availability of essential functions
  • Minimising the negative impacts by products on other connected devices
  • Designing, developing, and producing products to reduce the impact of an incident using exploitation mitigation mechanisms and limit attack surfaces, including external interfaces
  • Providing security-related information
  • Allowing users to securely and easily remove all data and settings

In addition, vulnerability handling processes are required to be put in place to ensure cyber security is considered for the whole life cycle of a product. This includes drawing up a software bill of materials (SBOM).

Timeline - When will the CRA come into force?

Following the law coming into effect in December 2024, vendors, manufacturers, and developers have until 11th September 2026 to comply with the vulnerability handling requirements and until 11th December 2027 to comply with the remaining cyber security requirements.

What are the consequences of violating the CRA?

Non-compliance leaves new products less secure and carries a hefty cost.

Non-compliance could result in fines of up to €15 million or up to 2.5% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.

Getting prepared

You might be aware of the changes required to comply with the Act but are concerned about the time, expertise, and resources needed.

Alternatively, you may be starting from scratch.

NCC Group can help you prepare and meet your compliance deadline on time:

  • Identify your requirements
  • Understand how the regulation will affect you and what penalties are involved
  • Adopt a proactive approach to CRA compliance

Whatever your situation, NCC Group is here to help. We excel at helping organisations spanning various industries and regions meet their compliance requirements and regulatory deadlines.

Our experts are here to help you.

Please get in touch to discuss your specific compliance requirements and explore how you can benefit from our services.