Understanding the EU Cyber Resilience Act: Why it Matters & Compliance

The digital world is increasingly connected as the prominence of IoT devices continues to grow exponentially. Everything from smart home devices to critical infrastructure is online, making cybersecurity a global priority for the safety and security of people and international infrastructure.

The growing number of connected devices comes with a skyrocketing cost of cybercrime. Current estimates predict the cost of cybercrime will exceed 20 trillion USD by 2026, which is 150 percent larger than the 2022 figure. 

To combat today’s cyber threats, the European Union (EU) has introduced the Cyber Resilience Act (CRA)—an extensive piece of legislation aimed at strengthening the cybersecurity of products with digital elements (PDEs) sold within the EU.

The Cyber Resilience Act covers a diverse range of PDEs, with multifaceted compliance requirements and extensive legal and financial penalties. Ensuring compliance will be crucial for the success of manufacturers worldwide as the CRA begins to take effect.

What is the EU Cyber Resilience Act (CRA)?

The European Parliament approved the EU Cyber Resilience Act in March 2024 and enacted it in October 2024, implementing reporting mandates. By 2027, after 36 months of mandated reporting, the CRA will be in full effect across the European Union.

The CRA establishes consistent cybersecurity requirements for PDEs, including hardware-software and software-only products, ensuring security throughout the lifecycle.

The CRA broadly impacts all digital products in the EU, except for sectors like medical, military, automotive, aviation, and maritime.

The key objectives of the CRA are to reduce vulnerabilities in digital products, minimize the risk of cyberattacks, and ensure a high level of cybersecurity for all products on the market.

Failure to comply with the CRA could lead to significant penalties of up to €15 million or 2.5 percent of a company’s global turnover (revenue), whichever is higher. The CRA effectively bans non-compliant products from EU sales and may revoke their required CE mark.

Why Does the Cyber Resilience Act Matter?

The CRA directly responds to the EU’s growing concern over cybersecurity. The increasing number of connected devices—ranging from consumer gadgets to industrial control systems—has made the landscape more vulnerable to cyberattacks.

The CRA aims to fill gaps in current cybersecurity frameworks and practices by ensuring that products are secure by design, fully disclose software dependencies, and can be reset to secure default configuration as needed.

The EU Cyber Resilience Act ensures security is integral to development, covering a wide range of products and industries.

By enforcing stricter standards and expanding accountability, the EU is proactively protecting citizens, businesses, and critical infrastructure from the ever-evolving cyber threat landscape.

Does the CRA Apply to You?

If your company develops, manufactures, or distributes products with digital elements in the EU, the CRA likely applies. The CRA applies to any new products with digital elements (PDE) that connect directly or indirectly to a device or network including:

• Smart home devices (e.g., security cameras, smart door locks, appliances)
• VPN software
• Antivirus programs
• Operating systems
• Firewalls and intrusion prevention systems

In addition to generic PDEs, the CRA categorizes “cybersecurity and network management products” into Class I and Class II, facing stricter requirements. If your products serve essential cybersecurity functions, you are likely in one of these classes and must adhere to enhanced compliance measures.

Software-Only Products Under the CRA

The EU Cyber Resilience Act includes software-only products under PDEs, categorizing many as class I or II based on purpose.

• Operating Systems: The CRA requires platforms like Linux, which manage hardware and system resources, to incorporate strong security measures.
• Antivirus and Security Tools: As critical defenses against malware and other threats, antivirus software must meet stringent CRA standards to ensure they effectively safeguard digital environments.
• VPNs: The CRA fully covers VPNs, ensuring they encrypt connections and protect user data with the highest security standards.

What About Free and Open Source Software (FOSS)?

One common question concerns free and open-source software (FOSS). By nature, FOSS does not fall under CRA regulations unless it is part of a commercial activity. For example, if open-source software is used in a for-profit or monetized product, it is subject to the CRA. Even if the software is freely available, integrating it into a commercial product puts it under the act’s purview.

CRA: Key Compliance Requirements

The Cyber Resilience Act enforces rigorous standards to ensure cybersecurity from a product’s development to end-of-life stages. To comply with standards, a PDE must consider cybersecurity throughout the entire lifecycle, and the manufacturer must take multiple considerations.

The requirements stand to bolster security and are heavily penalized to ensure compliance:

1. Secure by design: Products must be developed with security as a primary concern, including configurations that minimize vulnerabilities.
2. Software Bill of Materials (SBOM): Manufacturers must maintain an SBOM, a detailed list of the software components used in a product, to facilitate identifying and addressing vulnerabilities.
3. Vulnerability management: Manufacturers must continually test and assess their products for vulnerabilities. Manufacturers must quickly fix vulnerabilities and provide secure updates, ideally through automatic, opt-in mechanisms.
4. Transparency and disclosure: Manufacturers must disclose fixed vulnerabilities to the public, ensuring users are informed and can take action.
5. Penalties for noncompliance: Manufacturers that fail to comply with CRA requirements face hefty fines and the potential loss of their CE certification, meaning their products can no longer be sold in the EU.

How to Prepare for EU Cyber Resilience Act Compliance

Manufacturers must act now to ensure compliance with the CRA before it takes full effect. The legislation requires navigating comprehensive steps and considerations, with the main preparations being:

1. Conduct a risk assessment: Evaluate your current products to understand if and how the CRA applies. Consider their risk level, especially if they fall under Class I or II.
2. Build security into the development process: Adopt a security-by-design approach, where security considerations are embedded from the outset rather than being added later.
3. Maintain an SBOM: Create and update a detailed list of your product's software components. Ensure that this information is machine-readable, easy to locate, and ready to share with stakeholders if necessary.
4. Vulnerability management plan: Develop a robust process for identifying, remediating, and disclosing vulnerabilities in your product. The process should include plans for quickly and efficiently issuing secure software updates with user communications or control (acceptance).
5. Enable comprehensive OTA capabilities: Implement a robust over-the-air update system to ensure consistent, timely patches for ongoing compliance.
6. Collaborate with experts: The CRA's complex requirements make it essential to work with experts in cybersecurity, legal, and regulatory compliance.

The Cyber Resilience Act mandates security for connected products to counter rising cyber threats. It ensures manufacturers prioritize security throughout the product lifecycle.

For companies in the EU, CRA compliance is essential—not only legally but for staying competitive in a regulated market.

The CRA has some of the largest monetary penalties and scope of all security regulations, and all data collected will be fully subject to review by 2027. Manufacturers must act now to ensure products meet CRA standards and avoid the costly consequences of noncompliance.

Embedding cybersecurity and ensuring CRA compliance helps mitigate risks and provides a competitive edge with secure, resilient products.