Objectives

The CRA sets forth mandatory cybersecurity requirements for products with digital elements offered within the EU market. Its overarching goals are to (i) enhance the cybersecurity of digital products, (ii) protect consumers and businesses against the risks posed by inadequate cybersecurity measures, (iii) encourage manufacturers to integrate security by design across the digital product lifecycle, and (iv) complement existing cybersecurity regulations, such as the NIS2 Directive and the Digital Operational Resilience Act (DORA).

Implementation timeline

The CRA follows a phased implementation approach:

  • 11 December 2024: the CRA enters into force.
  • 11 June 2026: obligations for notifying conformity assessment bodies become applicable.
  • 11 September 2026: reporting obligations for vulnerabilities and security incidents become applicable.
  • 11 December 2027: all CRA provisions become applicable.

Scope

The CRA applies to a wide range of products with digital elements, which are defined as any hardware or software product and its remote data processing solutions that connect directly or indirectly to devices or networks. This includes physical devices (e.g. IoT devices, routers, smart home systems, and industrial hardware), software products (e.g. apps, operating systems, cloud services, and development tools), and components sold separately (e.g. digital libraries, APIs, and firmware updates).

The CRA has a wide territorial reach, applying to any company making digital products available on the EU market, regardless of their location.

Classification of digital products

The CRA adopts a risk-based classification system, which dictates the applicable cybersecurity requirements and conformity assessment procedures, based on the digital product's cybersecurity risk:

  • non-critical products (e.g. photo editing software, text processors, and simple smart home devices) comprise approximately 90% of the market and are subject to general requirements.
  • important products are divided into Class I (e.g. identity management systems, browsers, and password managers) and Class II (e.g. firewalls, intrusion prevention systems, and secure microprocessors).
  • critical products are associated with essential entities (as defined under the NIS2 Directive) or critical supply chains (e.g. smart meter gateways, advanced cryptographic devices, and tamper-resistant hardware).

Key stakeholders and their obligations

The CRA impacts a broad range of economic operators:

  • Manufacturers: entities developing, manufacturing or designing digital products to be placed on the EU market have the most extensive responsibilities in relation to their products with digital elements, including:
    • cybersecurity by design (embedding security features during development);
    • conformity assessments (ensuring digital products comply with CRA requirements before market introduction);
    • documentation (preparing technical documentation, user instructions, and conformity declarations);
    • vulnerability and incident reporting (notifying authorities within 24 hours of identifying actively exploited vulnerabilities or following major incidents); and
    • lifecycle management (monitoring and addressing vulnerabilities post-market through updates and patches).
  • Importers: EU entities placing digital products from a non-EU entity on the EU market must ensure that the manufacturer has carried out the relevant conformity assessment and drawn up the relevant documentation, must maintain that documentation, and must ensure that products bear the CE marking and conformity declarations.
  • Distributors: entities in the supply chain making digital products available on the EU market must verify compliance by the manufacturers and importers of the digital products they distribute and that products display the relevant CE marking.
  • Open-source software stewards: entities that systematically provide support for the development of free and open-source software intended for commercial activities must put in place and document a cybersecurity policy to foster the development of a secure digital product and the effective handling of vulnerabilities.

Non-compliance and penalties

Non-compliant digital products may not be placed on the EU market. If a non-compliant digital product is put on the EU market, the relevant economic operators may be obliged to take the necessary corrective measures or, if appropriate, to withdraw or recall the digital product. The CRA enforces strict penalties to ensure adherence to these obligations, including administrative orders to cease non-compliant activities, fines of up to €15 million or 2.5% of global annual turnover (whichever is higher), and any additional corrective measures imposed by authorities.