Cyber Resilience Act Explained: Top 5 Questions Answered!

August 6, 2025

5 questions to understand the Cyber Resilience Act

This European regulation aims to increase the security level of digital products by December 2027. Here are 5 key points to understand to prepare for it.

1. What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA), also referred to in French as “regulation on cyber resilience,” is a European regulation officially adopted on October 23, 2024, and published in the Official Journal of the European Union on November 20, 2024. It establishes cybersecurity rules for manufacturers and developers of products with digital components.

As the regulation itself states, it aims to establish boundary conditions for the development of secure products containing digital elements, ensuring that both hardware and software products released on the market have fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle.

Therefore, the goal is to enhance the security of digital products sold in the European market, hold manufacturers accountable for the security of the products they develop, and thus protect European consumers from cyber threats.

2. What are the key measures of the Cyber Resilience Act?

This European regulation on cyber resilience includes several measures to ensure the cybersecurity of digital products within the EU by the end of 2027. Among these, “essential cybersecurity requirements” require that digital products sold in the EU are designed, developed, and produced using a default “security by design” approach, with no known exploitable vulnerabilities.

According to the European Commission’s website, the CRA aims to achieve 4 objectives:

  1. “ensure that manufacturers improve the security of products containing digital elements from the design and development phase throughout the product lifecycle,”
  2. “establish a coherent cybersecurity framework, making compliance easier for hardware and software producers,”
  3. “enhance the transparency of security properties of products with digital elements,”
  4. and “enable businesses and consumers to use products containing digital elements safely.”

The Cyber Resilience Act therefore contains numerous measures, including requirements on vulnerability management processes, protection against unauthorized access through appropriate control mechanisms, and protection of the confidentiality and integrity of data. Manufacturers must also report security incidents to the competent authorities and provide information about the security of their products in technical documentation.

The CRA adds that the CE marking should be affixed to products containing digital elements to indicate, visibly, legibly, and indelibly, their compliance with this regulation, allowing them to move freely within the internal market.

3. Which digital products are covered by the CRA?

The European regulation on cyber resilience targets “products containing digital elements.” In Article 3 dedicated to definitions, the CRA specifies that this refers to “software or hardware products and their remote data processing solutions, including software or hardware components marketed separately.” A broad range of devices, software, and components falls under this category, classified by the CRA according to their criticality level.

This includes computers, smartphones, cameras, intelligent robots, and connected devices, as well as applications, video games, and software. Notably, “open and free software” is also subject to the measures of the Cyber Resilience Act.

As regards the economic operators to whom the regulation applies, only open and free software that is made available on the market, i.e., supplied for distribution or use in the course of a commercial activity, should fall within the scope of this regulation.

However, certain products are excluded from the European regulation, such as software provided as a service (SaaS). The reason is that they are already covered by other legislation, in particular the NIS 2 directive, which aims to raise the security level of member states. Also outside the scope of the CRA are certain areas that have their own specific European legislation, as well as products related to the national security of member states or handling classified information.

4. What is the timeline for the European regulation on cyber resilience?

The measures outlined by the Cyber Resilience Act will apply from December 11, 2027. This means that “economic operators,” including manufacturers, software developers, importers, distributors, resellers, and “open software stewards,” will need to integrate cybersecurity requirements and vulnerability management into the lifecycle of the digital products they market in the European Union from this date. The CRA (published on November 20, 2024) describes this as a “sufficient lead time” to allow the various stakeholders to prepare.

The regulation should apply from December 11, 2027, except for reporting obligations regarding actively exploited vulnerabilities and serious incidents affecting the security of products containing digital elements, which should apply from September 11, 2026, and provisions relating to the notification of conformity assessment bodies, which should apply from June 11, 2026.

5. What are the risks for companies not complying with the CRA?

In the event of non-compliance with the Cyber Resilience Act, severe penalties are planned. For companies that do not comply with Articles 13 and 14, i.e., the obligations incumbent on manufacturers, the regulation provides for “an administrative fine of up to EUR 15,000,000 or, if the offender is a company, up to 2.5% of its total global annual turnover achieved in the previous fiscal year, whichever is higher.”

Non-compliance by representatives, importers, distributors, and also entities that do not affix the CE marking “visibly, legibly, and indelibly on the product containing digital elements” may incur “an administrative fine of up to EUR 10,000,000 or, if the offender is a company, up to 2% of its total global annual turnover achieved in the previous fiscal year, whichever is higher.”

Another penalty: “providing inaccurate, incomplete, or misleading information to notified bodies and market surveillance authorities” can be subject to “an administrative fine of up to EUR 5,000,000 or, if the offender is a company, up to 1% of its total global annual turnover achieved in the previous fiscal year, whichever is higher.”

Bonus: Support measures for microenterprises, small and medium-sized enterprises

While the penalties for failing to comply with the Cyber Resilience Act can be substantial, the European regulation has nevertheless provided certain measures to support microenterprises, small and medium-sized enterprises, “including startups.” Each member state will thus have the opportunity to:

  • Organize awareness and training activities on the regulation,
  • Create a dedicated communication channel with advice on its implementation,
  • Support “testing and conformity assessment activities,”
  • Set up “regulatory sandboxes in matters of cyber resilience,” to provide “controlled testing environments,”
  • Benefit from simplified technical documentation, to reduce administrative burden.
