Update by the Council of the EU, dated 10 October 2024

The EU Cyber Resilience Act for Digital Products

How can smart device and electronic consumer goods manufacturers stay compliant?

Ensure your compliance with the new Cyber Resilience Act (CRA) with a tailored assessment and support.

We offer a tailored assessment of your current cybersecurity practices and a clear, actionable roadmap to help you become fully compliant with the CRA. Our team of cybersecurity experts, together with our legal expert partner, will work closely with you to prepare and implement the necessary actions.

Legislative background

With the Cyber Resilience Act (CRA), the EU addresses rising cybersecurity threats
associated with so-called digital products. For this purpose, the new law mandates
cybersecurity requirements for “connected products” and “non-embedded software”
on the European market.
Adopted on 10 October 2024, the regulation is regarded as a significant step forward
in the EU’s cybersecurity framework because it holds manufacturers and merchants
accountable for their cybersecurity practices, with penalties for non-compliance.

Context for manufacturers

Under the CRA, manufacturers of smart devices and electronic consumer goods
must integrate cybersecurity into both the design process and the consumer
lifecycle of their products. This covers cybersecurity risks to end-users as well as
after-sales risk monitoring and mitigation.

  • Manufacturers are required to conduct a cybersecurity risk assessment for each
    product to identify vulnerabilities.
  • Both the product design phase and after-sales product monitoring should include
    designated risk mitigation exercises.
  • A product’s cybersecurity level must be communicated to the consumer.
  • Finally, manufacturers should carefully document all their cybersecurity measures to
    be able to demonstrate compliance to the competent authorities.

Which businesses need to comply?

The CRA targets businesses that manufacture or sell “products with digital elements” within
the EU, including non-EU businesses that distribute such products in the EU. This includes
producers of hardware and software with internet connectivity or network capability, as well
as “connected” consumer devices, such as smartphones, wearables, home assistants, and
smart appliances. Businesses providing “non-embedded software” are also covered under the
CRA.

Examples for products within the scope of the CRA:

  • Everyday smart devices like wearables and connected electronic consumer goods like
    smart household appliances fall under the definition of “products with digital
    elements”, meaning that they fall in the lowest category, which carries the fewest
    compliance requirements.
  • However, devices like babyphones, smart door locks, or virtual assistants fall in the
    category of “important products with digital elements” with stricter compliance
    requirements.

What do businesses need to do to comply?

It is important to understand that, in order to be “technology neutral”, the CRA cannot
prescribe specific measures, such as the use of a specific encryption algorithm – instead, it
sets out a list of cybersecurity principles that manufacturers must put into practice.

Businesses must be able to demonstrate that cybersecurity is taken into account in
the planning, design, development, production, delivery and maintenance phases of
their products. Specifically, smart device and electronic consumer goods
manufacturers are required to implement the following measures:

  • Develop and implement a cybersecurity compliance programme to standardise
    cybersecurity practices for all products during their entire lifecycles.
  • Ensure that products are only brought to market without known security
    vulnerabilities.
  • Ensure products have secure default settings to reduce vulnerabilities upon activation.
  • Minimise the attack surface and reduce the impact of security incidents.
  • Protect products against unauthorised access through authentication systems.
  • Ensure the confidentiality, integrity and availability of user data through measures
    such as encryption and data minimisation, and the ability to delete all user data.
  • Provide end-users with security instructions and any relevant certifications, as well as
    with information about the cybersecurity level of the product and any vulnerabilities.
  • Develop a capability to fix security vulnerabilities through updates, ideally
    automatically.
  • Minimise the negative impact on other devices or networks.
  • Establish a reporting mechanism for cybersecurity breaches or product vulnerabilities.
  • Regularly test the security of the product, and monitor security-related information.
  • Document all cybersecurity measures to demonstrate compliance with the above
    requirements to the competent authorities.

Implementation timeline

The EU has set forth a staggered compliance timeline to help businesses meet the
new requirements.

  • Following the act’s publication, which is expected in mid-November 2024,
    manufacturers have a 36-month transition period, i.e. until November 2027, to
    implement all the required measures, with some vulnerability notification obligations
    entering into force before then.
  • After this period, the CRA will come into full effect, with regulators actively
    monitoring compliance and enforcing penalties for violations. Non-compliance may
    result in significant fines based on a percentage of annual global turnover.

Affected businesses are recommended to begin updating – and documenting – their
product design and security processes in the first quarter of 2025 to allow enough
time for the necessary internal adjustments.

Management should designate a CRA compliance team to oversee the adoption and
documentation of the required cybersecurity measures, and schedule regular internal
progress checks to ensure that the new compliance requirements are met by
November 2027.