Cyber Resilience Act: Urgent Compliance Deadline Approaching

The Cyber Resilience Act: An Overview

The Cyber Resilience Act (CRA) marks a significant shift in how we approach cybersecurity regulations in the European Union. Entering into force on December 10, 2024, and fully applicable from December 11, 2027, the CRA lays down mandatory cybersecurity requirements for hardware and software products. With the deadlines looming, manufacturers of in-scope products should begin their compliance work promptly, or they risk disrupting their product development cycles or exposing themselves to potential non-compliance penalties.

What is the CRA?

The CRA is not just another regulatory framework; it’s a vital initiative aimed at fortifying the cybersecurity landscape within the EU. The regulation aims to:

  • Minimize the vulnerabilities of products entering the European market, holding manufacturers accountable for cybersecurity in every phase of the product lifecycle.
  • Enhance transparency around the security features of hardware and software products.
  • Build a more resilient digital marketplace in Europe, bolstering defenses against cyber threats.

Scope of the CRA: What Products are Affected?

The CRA casts a wide net, applying to what it defines as “products with digital elements.” These products include both software and hardware, as well as their accompanying remote data processing solutions. Here’s a breakdown of each component:

  • Software: This refers to any component of an electronic information system made up of computer code, including operating systems and various applications.
  • Hardware: This encompasses physical electronic systems or components capable of processing, storing, or transmitting digital data, like microprocessors and motherboards.
  • Remote Data Processing Solutions: This term pertains to data processing conducted remotely, essential for the product’s functionalities, such as cloud capabilities in smart devices.

Ultimately, this broad definition means that items ranging from laptops to smart baby monitors will find themselves under the CRA’s purview.

Who Needs to Comply?

The CRA extends its reach to manufacturers, importers, and distributors of affected products:

  • Manufacturer: This is defined as any individual or company that develops or markets products with digital elements under their own name or trademark.
  • Importer: This refers to entities within the EU that market products bearing the name or trademark of foreign manufacturers.
  • Distributor: Any part of the supply chain that makes products with digital elements available in the EU, without altering their properties, falls into this category.

Critical Requirements Under the CRA

As compliance becomes mandatory from December 11, 2027, the CRA outlines several crucial requirements for manufacturers of in-scope products:

  • Conduct rigorous cybersecurity risk assessments throughout every phase—from planning and design to maintenance—and implement necessary mitigations.
  • Ensure strict adherence to the CRA’s essential cybersecurity requirements, preventing products with known vulnerabilities from reaching the market.
  • Prepare comprehensive technical documentation, conduct conformity assessments, and affix the CE marking to products.
  • Actively address vulnerabilities or issues identified during the product support period.
  • Supply necessary documentation and instructions alongside products to inform users.
  • Meet transparency obligations regarding product security.

Notably, some products may be classified as “important” or “critical,” which will subject them to enhanced compliance measures. The European Commission retains the authority to adjust the classifications of such products.

Reporting Obligations: Keeping Everyone Informed

Starting from September 11, 2026, manufacturers must inform the European Union Agency for Cybersecurity (ENISA) and relevant national authorities of any actively exploited vulnerabilities or severe incidents related to in-scope products. Such notifications must occur without delay, ideally within 24 hours of becoming aware of the situation. Follow-up reports may also be necessary within a designated timeframe, such as:

  • 14 days post-discovery of an actively exploited vulnerability, once a corrective measure is available.
  • One month after the initial report for severe incidents.

It’s also crucial to promptly inform users of affected products whenever vulnerabilities arise, thus fostering a stronger communication loop between manufacturers and consumers.

Consequences of Non-Compliance

The stakes are high for non-compliance with the CRA, which could result in steep penalties. Manufacturers could face fines that amount to either €15 million or 2.5% of their global annual turnover from the previous financial year—whichever is greater.

Preparation: Steps to Take Now

To mitigate disruptions and streamline compliance efforts, manufacturers should consider the following preparatory steps:

  • Evaluate whether current and future products fall within the CRA’s definitions, and identify whether they are deemed “important” or “critical.”
  • Create a detailed roadmap that outlines how to achieve compliance with CRA requirements by the December 2027 deadline.

If you have questions about navigating the complexities of the CRA or need further assistance, feel free to reach out to John Timmons or Joe Devine for expert insights.

White & Case encompasses an international legal practice, including White & Case LLP, a New York State registered limited liability partnership, and all affiliated partnerships, companies, and entities.

This article is provided for general informational purposes and should not be considered a comprehensive legal guide. It is not designed as legal advice.

© 2025 White & Case LLP

James
