Cyber Resilience Act (CRA)

The Cyber Resilience Act establishes cybersecurity requirements for products containing digital components available on the European market.

Getting off to a good start

The Cyber Resilience Act (CRA) is an EU regulation published on November 20, 2024. It establishes cybersecurity requirements for all "products with digital components" placed on the European market:

  • Connected devices: smartphones, laptops, cameras, smartwatches, connected toys, modems, firewalls, smart meters, hospital IT equipment (routers, IoT gateways), etc.
  • Software sold separately: accounting software, mobile gaming apps, electronic health record (EHR) software, remote monitoring apps, etc.

Objective: to make connected products safer through:

  • Security by design
  • Security by default
  • Transparency for users
  • Vulnerability management throughout the entire lifecycle

In practice

The CRA applies to all manufacturers (including those based outside the EU) that place products on the EU market, as well as importers, distributors, open-source foundations, testing bodies, and public authorities.

Excluded: Non-commercial open-source software, identical spare parts*, prototypes* (for testing/trade shows), unfinished software used for testing purposes*, cloud/SaaS services that do not provide remote data processing essential to the product’s operation (cloud providers fall under NIS2), as well as defense-related products or those already covered by other specific European regulations.

*subject to conditions

For e-health:

  • Medical devices bearing a CE marking under the MDR (Medical Devices Regulation) or IVDR (In Vitro Diagnostic Regulation) are not subject to the CRA, as these regulations already cover digital security.
  • Otherwise, an application, software, or connected device not covered by sector-specific regulations may be considered a "product with digital elements" and is therefore subject to the CRA’s requirements.

When?

  • November 20, 2024: CRA publication.
  • Phased implementation in all EU countries.
  • Three years after the effective date (2027): all requirements apply (security by design/by default, vulnerability management, transparency, etc.).

Relief measures for SMEs and startups

  • Streamlined bureaucracy: simplified compliance procedures
  • Planned support: practical guides, assistance from national authorities (goal: to avoid a disproportionate burden on small organizations).

Several projects are being funded to support micro, small, and medium-sized enterprises (MSMEs), such as those focused on compliance or participation in standardization efforts: More information available here

Key requirements (to anticipate)

The CRA establishes these requirements to ensure a minimum level of product safety, not only before products are placed on the market in the European Union, but also throughout their entire lifecycle.

Security by design

Products must be designed with digital security in mind.

For example:

  • Design to minimize the attack surface
  • Encrypt stored/transmitted data

Security by default

The product's default settings should, whenever possible, reduce vulnerabilities without requiring user intervention.

For example:

  • Prohibit weak default passwords
  • Ensure that security updates are installed automatically, etc.

Transparency for the user

The goal is to enable users to choose a product based on its level of cybersecurity, not just on price or features.

Key action:

  • Clearly display the “end of support date” (the date until which security updates are provided) on the product or packaging.

Vulnerability and Incident Management

Manufacturers must report:

  • All exploited vulnerabilities and serious incidents affecting product security.
  • Deadlines: initial alert within 24 hours, full report within 72 hours.

A centralized European platform (with national contact points) will be established to facilitate communication between manufacturers, the functional alert chain (CERT Santé, FSSI, DNS, CERT-FR), and ENISA. A European information page with frequently asked questions is already available: Access the FAQ 

Conformity Assessment

The procedure for determining whether products comply with CRA regulations may vary:

Standard products → general procedure.

Sensitive products (“important” or “critical,” e.g., password managers, firewalls, smart cards) → stricter assessment procedures:

  • Obtain EU cybersecurity certification (or equivalent national certification)
  • External audit under the New Legislative Framework (NLF) for product legislation
  • Comply with harmonized standards recognized at the European level

A Foundational European Framework for Cybersecurity

The Cyber Resilience Act stands as a key European regulation aimed at strengthening the cybersecurity of products with digital components placed on the European market. Published by the European Union, this regulation establishes a common set of requirements to better protect digital uses and raise the security level of products, from the design stage and by default. The CRA thus aligns with a cyber resilience approach, integrating security as a fundamental element of digital product quality.

Clear objectives to strengthen the security of digital products

The Cyber Resilience Act has a central objective: to make connected products safer throughout their lifecycle. It is based on several key principles that guide the obligations imposed on relevant stakeholders:

  • Integrating security from the product and software design phase,
  • Enabling security settings by default,
  • Providing greater transparency toward users,
  • Managing vulnerabilities continuously after the product is placed on the market.

These requirements reflect the European Commission’s commitment to making cybersecurity an essential prerequisite for the marketing of digital products within the Union.

A broad scope of stakeholders affected by the regulation

The scope of the CRA is intentionally broad. It applies to all manufacturers placing products with digital components on the European market, including those established outside the EU. It also applies to importers, distributors, certain open-source foundations, as well as assessment bodies and public authorities. This comprehensive approach aims to ensure a consistent level of security, regardless of the product’s geographic origin or distribution method.

Obligations Tailored to the Digital Health Sector

In the digital health sector, the Cyber Resilience Act aligns with existing regulations. Medical devices that already bear a CE mark under the MDR (Medical Device Regulation) or the IVDR (In Vitro Diagnostic Regulation) are not subject to the CRA, as these regulations already cover digital security. However, an application, software, or connected device that does not fall under a specific sectoral framework may be considered a product with digital elements and thus falls within the scope of the regulation. This distinction helps clarify the applicable obligations and secure digital solutions used in sensitive environments.

A phased implementation to support compliance

The Cyber Resilience Act provides for phased implementation across all European Union countries. All requirements will be fully applicable three years after the regulation enters into force, giving companies the necessary time to adapt their practices. To avoid a disproportionate burden, flexibility measures are provided for SMEs and startups, including simplified compliance procedures and support from national authorities. This phased approach facilitates a realistic adoption of the CRA’s requirements by all market participants.

Cyber Resilience as a Driver of Trust and Competitiveness

Beyond regulatory compliance, the Cyber Resilience Act encourages companies to establish a genuine security framework for their digital products. By strengthening cyber risk management and user protection, compliance with the CRA helps build trust in solutions brought to the European market. For manufacturers and software publishers, this proactive approach also represents a competitive advantage, establishing a positioning based on quality, security, and mastery of cybersecurity challenges within the European Union.
