Cyber Resilience Act (CRA)

The Cyber Resilience Act sets cybersecurity requirements for products with digital elements on the European market. 

To get off to a good start

The Cyber Resilience Act (CRA) is an EU regulation published on November 20, 2024. It sets cybersecurity requirements for all "products with digital elements" placed on the European market:

  • Connected devices: smartphones, laptops, cameras, smartwatches, connected toys, modems, firewalls, smart meters, hospital IT equipment (routers, IoT gateways), etc.
  • Software sold separately: accounting software, mobile gaming apps, electronic health record (EHR) software, remote monitoring apps, etc.

Objective: to make connected products more secure through:

  • Security by design,
  • Security by default,
  • Transparency for users,
  • Vulnerability management throughout the lifecycle.

In practice

The CRA applies to all manufacturers (including those based outside the EU) who place products on the EU market, as well as importers, distributors, open source foundations, conformity assessment bodies, and public authorities.

Excluded: Non-commercial open source software, identical spare parts*, prototypes* (testing/trade shows), unfinished software used for testing purposes*, cloud/SaaS services that do not provide remote data processing essential to the functioning of the product (cloud providers fall under NIS2), as well as products related to defense or already covered by other specific European regulations.

*subject to conditions

For e-health:

  • Medical devices with CE marking under the MDR (Medical Devices Regulation) or IVDR (In Vitro Diagnostic Regulation) are not subject to the CRA, as these already cover digital security.
  • Otherwise, an application, software, or connected object not covered by sector-specific regulations may be considered a "product with digital elements" and is therefore subject to CRA requirements.

When?

  • November 20, 2024: CRA publication.
  • Gradual implementation in all EU countries.
  • Three years after entry into force (2027): all requirements apply (security by design/by default, vulnerability management, transparency, etc.).

Relief measures for SMEs and startups

  • Reduced formalities: simplified compliance procedures.
  • Support provided: practical guides and assistance from national authorities. The objective is to avoid placing a disproportionate burden on small organizations.

Several projects are being funded to support micro, small, and medium-sized enterprises (MSMEs), for example on compliance or on participation in standardization work. More information at this link.

Key obligations (to anticipate)

The CRA establishes these obligations to guarantee a minimum level of product security, not only before products are placed on the European Union market, but also throughout their life cycle.

Security by design

Products must be designed with cybersecurity in mind.

For example: 

  • Design to minimize the attack surface
  • Encrypt stored/transmitted data

Security by default

The default settings of the product should, as far as possible, help reduce vulnerabilities without requiring user intervention.

For example: 

  • Prohibit weak default passwords
  • Provide for automatic installation of security updates, etc.

Transparency for the user

The goal is to enable users to choose a product based on its level of cybersecurity, not just its price or features.

Key measure: 

  • Clearly display the "end of support date" (until when security updates are provided) on the product/packaging.

Vulnerability & Incident Management

Manufacturers must report:

  • All exploited vulnerabilities and serious incidents affecting product security.
  • Deadlines: initial alert within 24 hours, full report within 72 hours.

A centralized European platform (with national contact points) will be set up to facilitate these exchanges between manufacturers, CSIRTs, and ENISA. A European information page with frequently asked questions is already available: Access the FAQ 

Conformity assessment

The procedure for assessing whether products comply with CRA rules may vary:

Standard products → general procedure.

Sensitive products ("important" or "critical", e.g., password managers, firewalls, smart cards) → stricter evaluation procedures:

  • Obtain EU cybersecurity certification (or equivalent national certification)
  • Third-party audit under the EU's existing product legislation framework (New Legislative Framework, NLF)
  • Comply with harmonized standards recognized at the European level