The EU Cyber Resilience Act ("CRA") is a novel piece of EU-wide legislation which sets out new cybersecurity rules that manufacturers, importers and distributors of products with digital elements ("PDE") must comply with. The CRA aims to protect consumers and businesses that buy or use PDEs from cybersecurity risks and to enable them to determine which products are cybersecure.
The CRA comes into force on 10 December 2024 and businesses will have to comply with the first set of obligations by 11 September 2026.
Earlier this year we published a detailed summary of the CRA here. This article focuses on the practical steps that businesses can consider for compliance with the CRA.
Whom does the CRA apply to?
The CRA applies to manufacturers, importers and distributors of PDEs.
PDEs include products that are directly or indirectly connected to another device or to a network. This encompasses both hardware and software products, and their data processing solutions (e.g. an app that works with a wearable) and components that are sold separately. Examples of PDEs are mobile applications, smartphones, smart watches and smart household devices.
The CRA applies to PDEs that are made available on the EU market, irrespective of where the relevant business is located or where the PDE is manufactured. In other words, even if a manufacturer is located outside the EU, or if the PDE is manufactured outside the EU, the PDE can still be caught by the CRA if it is supplied for distribution or use on the EU market.
Key obligations under the CRA
The main obligations for manufacturers include the following:
Essential cybersecurity requirements
- The CRA sets out mandatory cybersecurity requirements for the design, development, production and market availability of PDEs. These requirements ensure that products are secure throughout their lifecycle, from initial design to end-of-life. Products must be designed to prevent known vulnerabilities and include secure configurations by default.
Conformity assessments
- PDEs must undergo conformity assessments to ensure they meet the essential cybersecurity requirements. PDEs that are considered as important or critical (e.g. virtual assistants and firewalls) are subject to more stringent conformity assessment procedures.
- Once a PDE has passed the conformity assessment, the "CE" conformity mark must be affixed on the PDE or its product label.
Transparency requirements
- Manufacturers must provide clear and transparent information about the cybersecurity features of their products. This includes details on how to securely set up and use the product, the PDE's batch or serial number, the manufacturer's contact details and the end date of any support period.
Vulnerability management
- Manufacturers are required to put in place vulnerability handling processes that are compliant with the CRA regarding their PDEs, including providing security updates, for a minimum of five years or the expected product lifetime (whichever is longer).
- After a security update is released, manufacturers must also publicly share details about the resolved vulnerabilities.
Reporting obligations
- Manufacturers have to report actively exploited vulnerabilities and severe incidents impacting the security of their products to the relevant national Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA).
- An early warning notification should be made without undue delay but within 24 hours of becoming aware. An incident or vulnerability notification must then be issued without undue delay but within 72 hours of becoming aware.
The CRA also imposes obligations on importers and distributors, which include the following:
Verification
- Before placing a PDE on the EU market, importers and distributors must verify that the manufacturer has completed a conformity assessment and provided the necessary technical documentation, and that the PDE bears the CE mark.
Notification obligations
- Importers and distributors must also inform the manufacturer if they identify vulnerabilities in the PDE, and the relevant authorities if the vulnerability presents a significant risk.
Relevant timelines and practical steps to take
From 11 September 2026, manufacturers must comply with the reporting obligations, irrespective of when the product was placed on the EU market. The rest of the CRA comes into effect on 11 December 2027.
Existing PDEs that have been placed on the EU market before 11 December 2027 will be subject to the CRA if they, from that date, are substantially modified.
To begin to comply with the CRA, businesses can follow these practical steps:
Preliminary assessments:
- Review your product portfolio to identify any existing PDEs which are due to be substantially modified as of 11 December 2027 and establish which PDEs will be placed on the EU market from 11 September 2027 onwards. Begin to develop both in line with the CRA requirements.
- Categorise each PDE according to the CRA, e.g. important or critical.
Compliance measures:
- Assess the applicable obligations to identify any compliance gaps for your PDEs and produce a list of action items to bring the PDEs into compliance.
- Produce realistic project plans and factor in the implementation costs and risks to business continuity in doing so.
Vulnerability handling and reporting:
- Establish procedures for addressing and reporting incidents and vulnerabilities for each product in line with the CRA.
There is a certain degree of overlap between the CRA and other pre-existing EU legislation (NIS2, AI Act), for example, on cybersecurity, incident reporting and conformity assessments. Where possible, businesses should assess to what extent they can leverage or combine such requirements in order to render their compliance to these different laws more manageable and achievable.
What are the risks of non-compliance?
Under the CRA, the relevant authorities can mandate corrective actions, such as product recalls or withdrawals from the EU market. In addition, the CRA provides for fines of up to €15 million or 2.5% of total worldwide annual turnover (whichever is higher).
If you would like to understand how the CRA would apply to your business or would like assistance with compliance, please reach out to any of the authors, or your regular contacts in the Fieldfisher Tech & Data team.
Authored by: Olivier Proust, Irem Güzel and Elle Calam