The EU Cyber Resilience Act: Five Things You Need To Know

6 minute read

In September 2022, the EU Commission introduced a proposed regulation designed to regulate products in the EU market with a “digital element”.

Whilst the newly adopted and updated Network Information Security Directive (NIS 2) intended to focus on a broader concept of critical infrastructure and the Digital Operations Resilience Act (DORA) is intended to focus on financial institutions, the proposed Cyber Resilience Act (“CRA”) seeks to impose obligations on the connected hardware and software ecosystem. Essentially, the CRA seeks to implement a range of obligations on manufacturers, importers and distributors within the EU market.

1. Who is the CRA likely to impact?

The CRA applies to the entirety of a product’s supply chain and intends to encompass manufacturers, importers and distributors to enhance consumer trust and customer safety. The CRA introduces the concept of “products with digital elements” (“PDE”) and defines them as any software, hardware or device that processes data or connects to a network, including specific component parts. The Internet of Things (IoT) is clearly targeted. To fall within the scope of the CRA, those PDEs must also be “available” on the EU market.

The CRA does not apply to the following, as they are managed under separate legislation:

  • Medical Devices
  • Motor Vehicles
  • Military hardware

The full scope of the CRA’s application to software is unclear at this stage. Recent texts have indicated that the CRA may only apply to remote data processing solutions that support the functioning of a particular device or hardware. For example, an app developed to support the functionality of a smart product would fall within the scope of the CRA as it is most likely that it was developed by the product manufacturer.

For a sector specific comparison relating to smart medical devices, please see Global Authorities Ramp Up Medical Device Cybersecurity Expectations: What Medical Device Companies Need to Know.

2. What measures will manufacturers impacted by the CRA need to take?

  • Cyber Risk Management - The CRA will require that a cyber risk assessment be conducted before a PDE is placed on the market. Manufacturers will also have additional due diligence requirements regarding their third-party suppliers of components, especially where those components may impact the overall security of the device. Annex 1 of the CRA outlines a number of ‘essential’ cybersecurity requirements that must be in place before a product goes to market, including:
    • Security Measures against unauthorised access such as Endpoint Detection and Privilege Management;
    • Data minimisation; and
    • Vulnerability and Patch Management.
  • Vulnerability Management – During the PDE market lifecycle, manufacturers will be required to effectively manage product vulnerabilities including through regular testing, patch management, responsible disclosure programmes and clear documentation.
  • Conformity Assessment Regime – Manufacturers will be required to ensure that the above measures adhere to the relevant conformity assessment regime. Currently, the proposed distinction for the difference classes lies between ‘default category products’ critical products and higher risk products. In order to demonstrate a level of conformity, manufacturers will be required to link an EU standard declaration of conformity with the PDE.
  • Appointed Representative – Under the CRA, specific tasks may be performed on behalf of the organisation by an authorised representative. This can include acting as the point of contact with the market surveillance authorities. However, certain internal risk assessment activities can only be performed by the organisation itself.
  • Record Keeping – Manufacturers will be required to collate the relevant information associated with the product manufacture and component parts of the PDE. There is also an obligation to update those records during the product lifetime, or at five-year increments. Document retention requirements are also imposed on organisations to maintain those records for ten years after the PDE is placed on the market.

3. What measure will importers and distributors have to take?

Distributors and importers are also within the scope of the CRA. Under the current proposal, they will be required to confirm the completion of the relevant certificate of conformity has been carried out by the manufacturer, prior to the PDE being placed on the EU market. It is likely that the requirements will align with the current regime for the ‘CE’ marking.

In the event that a vulnerability is identified, importers and distributors will also be under an obligation to inform the manufacturer to allow them to deploy the relevant vulnerability management steps. In the event of a significant vulnerability, importers and distributors will also be required to inform relevant authorities.

4. What are the incident reporting requirements?

Manufacturers will be required to notify ENISA of a security event or vulnerability within 24 hours of becoming aware of the issue. ENISA will then take steps to engage with relevant CERT teams, Member States and wider market surveillance authorities.

5. What are the consequences of noncompliance?

The CRA will introduce a sanctions regime for non-compliance. The potential maximum fines for non-compliance could range from either (1) €5 - €15 million; or (2) 1 – 2.5% of global annual turnover, whichever is greater. The CRA also categories breaches as relating to:

  1. Breach of essential requirements;
  2. Breach of other requirements under the CRA; or
  3. Failure to provide accurate information.

Notably, where non-compliance with the CRA may also involve a personal data breach, it is not clear whether fines will be imposed under the GDPR, if the breach arises from the same security event. If the event impacts service delivery relating to critical infrastructure, requirements under NIS2 may also be triggered.

6. Will the CRA impact organisations in the UK in the same manner as the EU?

As the CRA is a proposed EU Regulation, it will have direct effect once adopted by the European Parliament and Council. Unlike other EU cybersecurity legislation such as DORA and NIS2, the proposed regulation will not require implementation by each member state. It is not clear whether these obligations will transfer to the UK, however, some requirements were introduced in May 2022 in the proposed Product Security and Telecommunications Infrastructure Bill.

Next Steps

As outlined above, the European Parliament and the Council will examine the proposed text, followed by institutional negotiations and once adopted, Member States will have two years to adapt to the new requirements. Usually, it takes between 18 months and three years to work through the ordinary legislative procedure.


Orrick is advising global manufacturers and distributors on growing with cybersecurity in mind, day-to-day business functions, and preparing and responding to cybersecurity incidents around the globe. Contact one of the authors if you have questions.