Cyber Resilience Act: A New Chapter in EU Cybersecurity Regulation

Published

Dec 02 2024

Written By

I am a Principal Regulatory Counsel in our Regulatory & Public Affairs practice in the Netherlands and Brussels. I have a focus on tech and comms and digital markets regulation, drawing on in-depth business knowledge and extensive experience in TMT and public administration.

Sectors

Technology & Communications

Scope of application

The CRA applies to connected software and hardware products, regardless of whether they connect directly or indirectly to another device or network. Exceptions include products already governed by specific regulations, such as medical devices, aeronautical equipment, and cars. This broad scope encompasses consumer electronics and complex industrial systems.

Objectives of the CRA

The CRA seeks to strengthen consumer protection and bolster cybersecurity by:

Mandating security measures: Manufacturers must provide ongoing security support and software updates for products.
Enhanced safety: Products should only be made available on the European market on the basis of a third party or self-conformity assessment.
Reducing vulnerabilities: The Regulation aims to minimise weaknesses in products with digital elements.
Boosting user trust: By enhancing security standards, the CRA aims to foster confidence in digital products.
Harmonising rules: Establishing a unified cybersecurity framework for products across the EU.

Obligations under the CRA

The CRA introduces comprehensive obligations for manufacturers, distributors, and importers of digital products, including standalone components and remote data processing solutions.
To find out more about the CRA, please read this article: New cybersecurity requirements for products with digital components - adoption of the Cyber Resilience Act (CRA)