The Cyber Resilience Act (CRA) establishes EU-wide rules for the security of products with digital elements. Learn about scope, manufacturer obligations and CE marking.
Scope and applicability of the CRA
The Cyber Resilience Act applies in principle to all products with digital elements (i.e., products that are or contain software) that have a direct or indirect connection to a device or network and are placed on the EU market.
However, products already regulated by other EU legislation, such as medical devices, vehicles or aircraft, are excluded. Defence articles, spare parts and products for which the Commission has granted an exemption are also outside the regulation. The regulation essentially aims to harmonise and strengthen cybersecurity requirements for most connected products across the EU.
Open-source software and cloud or Software-as-a-Service (SaaS) solutions occupy a special position within the scope.
Open-source software
Open-source software is explicitly included in the scope. Article 3(48) defines “free and open-source software” as software whose source code is openly shared and provided under a free and open licence that allows free access, use, modification and redistribution. For such open-source products, Article 24 requires that the “open-source software maintainers” implement a cybersecurity policy and cooperate with authorities on risk mitigation.
Cloud and software-as-a-service (SaaS)
SaaS and cloud solutions fall under the Cyber Resilience Act only if they qualify as “remote data processing solutions” within the meaning of Article 3(2). Otherwise they are not a “product with digital elements” as defined in Article 3(1) and are therefore not covered by the regulation.
Scope of the CRA - products with digital elements
In essence, all connected software, hardware and electronic products with data processing functions fall under the term “products with digital elements”.
According to Article 2 (Scope), the Cyber Resilience Act applies to:
> products with digital elements that are made available on the market and whose intended use or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network.
“Products with digital elements” (Article 3) means any software or hardware product as well as its remote data processing solutions, including software or hardware components placed on the market separately.
The core of the definition is that these are electronic information systems that can process, store or transmit digital data. This includes both software components and the physical hardware components.
Remote data processing solutions refer to data processing for which the manufacturer is responsible and without which the product cannot perform one of its functions.
Products may have a logical (virtual) and/or physical (electrical, optical, mechanical) connection to other devices or networks, directly or indirectly as part of a larger system.
Exemptions from the CRA
The CRA applies to most products with digital elements that are connected to devices or networks when placed on the EU market. It does not apply to products already regulated elsewhere. These include:
- Medical devices: products with digital elements falling under Regulation (EU) 2017/745 on medical devices (Article 2(2a)).
- In vitro diagnostics: products with digital elements falling under Regulation (EU) 2017/746 on in vitro diagnostic medical devices (Article 2(2b)).
- Motor vehicle components: products with digital elements falling under Regulation (EU) 2019/2144 on motor vehicles (Article 2(2c)).
- Civil aviation: products with digital elements certified under Regulation (EU) 2018/1139 on aviation safety (Article 2(3)).
- Ship equipment: equipment falling under Directive 2014/90/EU on marine equipment (Article 2(4)).
- Products covered by other EU acts that achieve an equivalent or higher level of cybersecurity, as specified by the Commission in delegated acts (Article 2(5)).
- Spare parts that replace identical components in existing products with digital elements (Article 2(6)).
- National security & defence: products developed or modified solely for national security, defence or processing of classified information (Article 2(7)).
Obligations of manufacturers of products
Manufacturers of products with digital elements have a wide range of obligations to ensure cybersecurity and conformity. These obligations include:
RISK MANAGEMENT AND CONFORMITY WITH ESSENTIAL REQUIREMENTS
Manufacturers must ensure their products are designed, developed and produced in accordance with the essential requirements, including the cybersecurity requirements set out in Annex I, Part I (Article 13(1)).
To comply, manufacturers must carry out a cybersecurity risk assessment and consider it throughout the product lifecycle, including planning, design, development, production, delivery and maintenance (Article 13(2)).
The risk assessment must be documented, kept up to date and included in the technical documentation created for market placement (Article 13(3)-(4)).
Manufacturers must exercise due care when integrating components, including third-party components, to ensure those components do not compromise product cybersecurity. This also applies to open-source software that has not been commercialised (Article 13(5)).
PROVISION OF UPDATES AND REMEDIATION OF VULNERABILITIES
When a vulnerability in a component, including open-source components, is identified, manufacturers must report the vulnerability to the component’s manufacturer or maintenance provider and take steps to remediate it (Article 13(6)).
Manufacturers must systematically document cybersecurity aspects of products and update the risk assessment accordingly (Article 13(7)).
Manufacturers must ensure that vulnerabilities are effectively addressed during the entire support period, which must be at least five years (Article 13(8)).
Security updates must be available for at least ten years after placing the product on the market or for the duration of the support period (Article 13(9)).
When subsequent software versions are introduced, manufacturers must ensure that earlier versions can be upgraded to the latest version free of charge (Article 13(10)).
TECHNICAL DOCUMENTATION AND CONFORMITY ASSESSMENT
Manufacturers must produce technical documentation, carry out or have carried out conformity assessment procedures, issue the EU declaration of conformity and affix the CE marking (Article 13(12)).
The technical documentation and the EU declaration of conformity must be retained for at least ten years (Article 13(13)).
Manufacturers must ensure that products produced as part of a series continue to meet the requirements (Article 13(14)).
PRODUCT LABELLING AND USER INFORMATION
Manufacturers must ensure their products have a unique identification number and that their contact information is provided on the product or packaging (Article 13(15)-(16)).
Manufacturers must designate a single point of contact to enable users to communicate directly and quickly with them, and ensure that this contact is easy to identify (Article 13(17)).
Products must include required information and instructions for users, which must be available for at least ten years (Article 13(18)).
The end of support must be clearly and understandably indicated at the time of purchase (Article 13(19)).
Manufacturers must provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product (Article 13(20)).
CORRECTIVE MEASURES AND COOPERATION WITH AUTHORITIES
If products or processes are not compliant, manufacturers must promptly take corrective measures to bring them into conformity (Article 13(21)).
Upon request by market surveillance authorities, manufacturers must provide all necessary information and documentation and cooperate in measures to eliminate cybersecurity risks (Article 13(22)).
Manufacturers ceasing their business must inform the relevant market surveillance authorities and, where possible, users about the planned discontinuation (Article 13(23)).
These obligations ensure manufacturers are responsible for the security and conformity of their digital products and take all necessary measures to minimise potential cybersecurity risks.
Essential requirements of the CRA
Article 13 requires that manufacturers ensure their products are designed, developed and produced in accordance with the essential requirements, which include the cybersecurity requirements in Annex I, Part I.
Fundamentally, the CRA requires a risk-based approach to product development. This is reflected particularly in the first requirement:
- Appropriate cybersecurity level based on risks (Part I, paragraph 1). Example: A manufacturer conducts a risk assessment and implements appropriate security measures for its internet-enabled product.
Further requirements must be implemented based on the risk assessment:
- No known exploitable vulnerabilities at the time of placing on the market (Part I, paragraph 2(a)). Example: All known vulnerabilities are remediated before market placement.
- Secure default configuration (Part I, paragraph 2(b)). Example: The product is shipped with unnecessary services disabled and strong default passwords.
- Vulnerabilities addressable through security updates (Part I, paragraph 2(c)). Example: The product notifies users of new updates and provides a function for (automatic) security updates.
- Prevention of unauthorised access via access control (Part I, paragraph 2(d)). Example: Multi-factor authentication and user access management are implemented.
- Confidentiality of data protected by encryption (Part I, paragraph 2(e)). Example: Stored and transmitted data are protected by encryption.
- Integrity of data, commands and configurations protected (Part I, paragraph 2(f)). Example: Digital signatures and integrity checks detect unauthorised modifications.
- Data minimisation (Part I, paragraph 2(g)). Example: Only data necessary for functionality are collected and processed.
- Core functions remain available after incidents (Part I, paragraph 2(h)). Example: Fault-tolerant, redundant architecture and DDoS protection measures are implemented.
- Minimal negative impact on other devices and networks (Part I, paragraph 2(i)). Example: Restricted network access and bandwidth control are enforced.
- Minimisation of attack surface (Part I, paragraph 2(j)). Example: Unnecessary ports, services and interfaces are disabled.
- Damage limitation in the event of incidents (Part I, paragraph 2(k)). Example: Mechanisms such as sandboxing, least privilege and address space layout randomisation (ASLR) are used.
- Security monitoring and logging (Part I, paragraph 2(l)). Example: Security-relevant events are logged and monitored.
- Secure data sanitisation (Part I, paragraph 2(m)). Example: Full and secure erasure of all data and settings is possible for the user.
Manufacturers must also ensure vulnerabilities are effectively addressed during the entire support period.
Key requirements in this regard include:
- Documentation of vulnerabilities and components (Part II, paragraph 1). Example: A software bill of materials (SBOM) is provided in a common, machine-readable format.
- Timely remediation of vulnerabilities (Part II, paragraph 2). Example: Security updates are published promptly after discovery of a vulnerability.
- Regular security testing (Part II, paragraph 3). Example: Penetration tests and code reviews are performed routinely.
- Disclosure of remediated vulnerabilities (Part II, paragraph 4). Example: Details on vulnerabilities and security updates are published.
- Coordinated vulnerability disclosure (Part II, paragraph 5). Example: A policy for timely remediation and controlled disclosure is implemented.
- Point of contact for vulnerability reports (Part II, paragraph 6). Example: A secure communication channel for vulnerability reporting is provided.
- Secure distribution of updates (Part II, paragraph 7). Example: Security updates are distributed via encrypted and authenticated channels.
- Timely and free provision of security updates (Part II, paragraph 8). Example: Security updates are provided promptly and generally free of charge.
Reporting obligations under the CRA
Manufacturers are obliged to report vulnerabilities and security-relevant incidents comprehensively and promptly to ensure product cybersecurity and enable a rapid response to potential threats.
These reporting obligations include notification to the competent CSIRT and to ENISA via a unified reporting platform. The reporting duties are divided into specific timeframes to ensure information on vulnerabilities and security incidents is conveyed promptly and accurately.
Below are the detailed manufacturer obligations divided by vulnerabilities and security-relevant incidents, and the corresponding timeframes.
Handling vulnerabilities
Manufacturers must promptly report actively exploited vulnerabilities found in their products to minimise exploitation by attackers and to ensure product security. These reports must be made within specified deadlines so that competent authorities can be informed quickly and take appropriate measures.
First early warning
The first early warning must be made within 24 hours of becoming aware of the actively exploited vulnerability. This notification must be sent to the competent CSIRT and to ENISA and must contain an initial alert about the vulnerability, indicating the Member States in which the product is available (Article 14(2)(a)).
Detailed notification
Within 72 hours of becoming aware of the vulnerability, a detailed vulnerability notification must be sent to the competent CSIRT and to ENISA. This notification must include general information about the affected product, the general nature of the vulnerability and exploits, the corrective or mitigation measures taken and measures users can take. It must also indicate how sensitive the reported information is (Article 14(2)(b)).
Final report
No later than 14 days after a corrective measure is available, a final report must be submitted to the competent CSIRT and to ENISA. This report must include a detailed description of the vulnerability, including its severity and impact, information about the attacker (if available) and details of the corrective measures taken (Article 14(2)(c)).
Handling security-relevant incidents
Manufacturers must also report serious security incidents that may affect the security of their products. These reports must be made within specified deadlines to ensure the impact of such incidents is minimised and appropriate countermeasures are taken rapidly.
First early warning
The first early warning must be made within 24 hours of becoming aware of the security-relevant event. This notification must be sent to the competent CSIRT and to ENISA and provide a preliminary description of the incident, including whether the incident is suspected to be due to unlawful or malicious actions, and information on affected Member States (Article 14(4)(a)).
Detailed notification
Within 72 hours of becoming aware of the incident, a detailed incident notification must be sent to the competent CSIRT and to ENISA. This notification must include general information on the type of incident, an initial assessment, corrective or mitigation measures taken and measures users can take. It must also indicate how sensitive the reported information is (Article 14(4)(b)).
Final report
Within one month of the detailed notification, a final report must be submitted to the competent CSIRT and to ENISA. This report must provide a detailed description of the incident, including its severity and impact, the nature of the threat or cause of the incident and the measures taken and ongoing (Article 14(4)(c)).
Notification of users
Manufacturers must inform affected users and, where necessary, all users about actively exploited vulnerabilities or security incidents. This information must also include risk mitigation and remedial measures that users can take (Article 14(8)).
Obligations of other actors
Beyond manufacturers, the CRA defines additional requirements for importers and distributors of products as well as open-source software maintainers.
Importers
Under Article 19, importers may place on the market only products that comply with the essential requirements. They must ensure that the manufacturer has carried out the conformity assessment procedures, that technical documentation is available and that the CE marking has been affixed. They must provide their name and contact information on the product, the packaging or in the accompanying documents. In case of non-compliance or safety risks, they must take measures and inform the competent authorities. The EU declaration of conformity and the technical documentation must be kept for at least ten years, and importers must cooperate with market surveillance authorities upon request.
Distributors
Under Article 20, distributors must act with due care and ensure that the product bears the CE marking and meets the requirements. They must check whether the manufacturer and importer have provided the necessary information and markings. If they suspect non-compliance or safety risks, they must not place the product on the market and must inform the manufacturer and market surveillance authorities. Distributors must also cooperate with authorities and provide relevant information upon request.
Open-source software maintainers
The CRA recognises the special role of free and open-source software (FOSS) in the digital ecosystem. FOSS projects generally fall into the self-assessment category. The CRA introduces the concept of an “open-source software steward”, which applies to legal entities that support FOSS projects without directly monetising them.
These open-source software maintainers have specific but less extensive obligations than commercial software manufacturers. Under Article 24, maintainers must adopt and document a cybersecurity policy that promotes secure development and handling of vulnerabilities. They must cooperate with market surveillance authorities and provide required documentation on request. Maintainers are obliged to report actively exploited vulnerabilities and serious incidents insofar as they are involved in the development of the products or these incidents affect their systems.
The precise impacts of the CRA on the open-source community and the associated challenges and opportunities are examined in the article “Der Cyber Resilience Act und seine Auswirkungen auf Open-Source-Software”.
Non-compliance with the CRA
Sanctions and consequences for non-compliance are structured and tailored to different types of violations to ensure product security:
- Non-compliance with essential requirements: Failure to comply with the essential cybersecurity requirements in Annex I or obligations under Articles 13 and 14 may be punished with fines of up to 15 million euros or up to 2.5% of the worldwide annual turnover of the preceding financial year, whichever is higher.
- Violations of procedural and labelling obligations: Violations such as incorrect affixing of the CE marking, absence of the EU declaration of conformity or failure to provide technical documentation can be fined up to 10 million euros or up to 2% of worldwide annual turnover. This category also covers non-compliance by importers and distributors.
- False statements and misleading information: Providing incorrect, incomplete or misleading information to notified bodies and market surveillance authorities, especially in response to information requests, can lead to fines of up to 5 million euros or up to 1% of worldwide annual turnover.
When determining the amount of fines, the nature, gravity and duration of the infringement as well as economic impact on the affected market are taken into account. The aim is to create a strong deterrent effect while preserving proportionality to enhance security in the EU digital single market.
Implementation of the CRA and the IEC 62443
The IEC 62443 standards series plays an important role in implementing the Cyber Resilience Act. In particular, IEC 62443-4-1, IEC 62443-4-2 and IEC 62443-3-3 address key CRA requirements in the areas of security requirements and vulnerability management.
The detailed mapping of CRA requirements to various standards published by ENISA confirms this relevance. It shows how IEC 62443 covers many CRA requirements, especially in industrial automation and control systems. The standards series therefore provides a valuable framework for manufacturers to systematically implement CRA requirements. At the same time, the ENISA mapping highlights gaps that need further standardisation work to close.
Overall, IEC 62443 helps companies meet CRA regulatory requirements and improve the cybersecurity of their products.
Conformity with the CRA
The CRA introduces a comprehensive system for assessing and ensuring conformity of products with digital elements. The system aims to achieve a high level of cybersecurity and resilience across the EU internal market. Conformity assessment is central and varies depending on the product’s risk classification and criticality.
The conformity assessment procedure to be chosen depends on the product’s risk level.
Products with digital elements
Products with digital elements (Article 6) constitute the base category. These products must meet the essential requirements in Annex I, Part I, and the manufacturing processes must comply with Annex I, Part II. No specific conformity assessment procedures are prescribed for this category, but manufacturers must ensure that products meet the security requirements when properly installed, maintained and used as intended.
Important products
Important products with digital elements (Article 7) form the second category. These products are defined by core functionalities corresponding to categories listed in Annex III. They must undergo specific conformity assessment procedures to ensure compliance with the essential cybersecurity requirements.
Important product categories are divided into Class I and Class II as set out in Annex III. These classes are based on:
- Class I: Products critical for cybersecurity, including authentication, intrusion prevention, endpoint security, etc.
- Class II: Products that pose a significant risk of adverse effects, such as network management, configuration control, virtualisation or processing of personal data.
For Class I important products: if harmonised standards or European certification schemes for cybersecurity are not or only partially applied, the product and its manufacturing processes must either undergo an EU type-examination (Module B) together with internal production control (Module C) or a comprehensive quality assurance (Module H).
For Class II important products, the manufacturer must demonstrate conformity with the essential requirements by similar procedures or, where applicable, via a European cybersecurity certification under the Cybersecurity Act. Integration of such a product into another product does not automatically subject the latter to the same assessment procedures.
Critical products
The third category covers critical products with digital elements (Article 8). These products are defined by delegated acts of the European Commission and must possess core functions listed in Annex IV.
Critical products must obtain a European cybersecurity certificate under the Cybersecurity Act with an assurance level of substantial or higher. Criteria for identifying these products include critical dependency by essential entities and potential for severe disruption of critical supply chains across the internal market.
Annex III for important products (Article 7) may be amended by delegated acts to add or change categories based on cybersecurity functions and risks. The Commission must consider market impacts and Member States’ readiness to adopt certification schemes.
For critical products (Article 8), the Commission may also determine by delegated acts which products require a European cybersecurity certificate and set the appropriate assurance level matching the product’s risks and intended use.
Conformity assessment procedures in the CRA
The CRA provides various conformity assessment procedures to ensure that products with digital elements comply with the essential requirements in Annex I. These procedures include:
Internal control
The simplest procedure, in which the manufacturer verifies and documents conformity internally (Annex VIII, Module A).
EU type-examination
An independent examination of the product design by a notified body followed by internal production control by the manufacturer (Annex VIII, Modules B and C). This is intended especially for important Class I products when harmonised standards, common specifications or European cybersecurity certifications are not fully applied or available.
Comprehensive quality assurance
Under the conformity assessment based on comprehensive quality assurance (Annex VIII, Module H), a notified body assumes overall quality control of the manufacturing process.
European cybersecurity certification
For critical products listed in Annex IV, certification under the Cybersecurity Act is required to demonstrate compliance with the essential requirements, where such a scheme is available and applicable (Article 8(1)). The certification must reach at least a “substantial” assurance level and may require the involvement of a notified body depending on the chosen certification and protection profile.
Currently, the EUCC (EU Cybersecurity Certification Scheme on Common Criteria) is the first scheme under the Cybersecurity Act, based on ISO/IEC 15408 (Common Criteria). It is particularly suitable for security-critical products such as firewalls or cryptographic devices. Further sector-specific certification schemes are in development.
Further information on the individual conformity assessment procedures can be found in the article on CE marking.
Choosing the conformity assessment procedure
Products in all categories, including non-critical, important (Class I and II) and critical products, can potentially be certified under the European cybersecurity certification framework. For important products not covered by harmonised standards and for critical products for which no certification scheme has been adopted, the involvement of a notified body is required (Modules B+C or H). The internal control procedure (Module A) primarily applies to non-critical products, and to Class I important products only when a harmonised standard has been applied in full.
The following table summarises which conformity assessment procedures are available for each product category under the Cyber Resilience Act.
| Product type | Internal control (Module A) | EU type-examination (Modules B+C) | Comprehensive quality assurance (Module H) | Cybersecurity certificate |
|---|---|---|---|---|
| Non-critical | ✓ | ✓ | ✓ | ✓ |
| Important, Class I (Annex III) | (✓)¹ | ✓ | ✓ | ✓ |
| Important, Class II (Annex III) | | ✓ | ✓ | ✓ |
| Critical (Annex IV) | | (✓)² | (✓)² | ✓ |
¹ Use of a harmonised standard is required to achieve full conformity.
² Only possible if no delegated act has been adopted that mandates certification for the product category.
Current status and CRA transitional periods
On 20 November 2024 the Cyber Resilience Act (CRA) was published in the Official Journal of the European Union. Key transitional dates:
- 20.11.2024: Publication of the CRA in the OJEU
- 10.12.2024: Entry into force of the CRA
- 11.06.2026: Requirements for conformity assessment bodies
- 11.09.2026: Reporting obligations for manufacturers
- 11.12.2027: Full applicability
The final text of the CRA is available in the Official Journal of the EU: https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=20112024
Frequently asked questions (FAQ) on the CRA
Have more questions about the Cyber Resilience Act? See the detailed FAQ article: Häufige Fragen zum Cyber Resilience Act
It answers key questions on scope, deadlines and specific requirements for updates and conformity assessment, and offers practical recommendations for companies preparing for the new obligations.
Support for CRA implementation
The Cyber Resilience Act creates the EU’s first unified framework for the cybersecurity of digital products - from operating systems and connected devices to industrial control systems. Manufacturers are required to systematically integrate security requirements into product development, actively manage vulnerabilities and demonstrate conformity.
Secuvi supports companies in translating CRA requirements into existing processes and products. We assist with impact assessments, develop practical implementation strategies and accompany technical, organisational and documentation measures through to market placement.
Whether for new developments or existing product portfolios, we clarify regulatory obligations and help embed security and compliance sustainably in your organisation.
Further information on CRA implementation: secuvi.com