
- Blog, Cyber Security
- Published on: 02.10.2025
European Cyber Resilience Act: What Companies Need to Do Now
Cyberattacks on products with digital elements pose a threat to the health and safety of consumers. If these products are manipulated or fail, it can lead to their functionality becoming limited or even the products becoming dangerous. This is especially true of products that are used in everyday life or in areas where safety is critical – ranging from connected household appliances to entire production chains. The European Cyber Resilience Act (CRA) consolidates cybersecurity regulations for products with digital elements within the European Union. The CRA regulation is intended to guarantee a foundational level of cybersecurity for these types of products within the EU and the EU internal market. The EU Cyber Resilience Act seeks to address current issues, including:
- Insufficient cybersecurity in the development, production, and use of products with digital elements. According to the IBM Cost of a Data Breach Report 2024, in the industrial sector, it takes an average of 199 days to identify a data leak and a further 73 days to resolve it.
- Widespread known vulnerabilities in products with digital elements and a lack of vulnerability management. Meanwhile, the Data Breach Investigation Report 2025 from Verizon states that 20% of all attackers exploit known vulnerabilities.
- Insufficient or a total lack of transparency about incidents and the temporary solution being offered, or fault remediation.
- Inadequate or nonexistent reporting structures in the event of a security incident.
- Insufficient provision of security updates to address these vulnerabilities.
The CRA seeks to change this: the EU regulation obliges companies to make cybersecurity a key component of every product with a digital element throughout the entire product lifecycle.
European Cyber Resilience Act: A Brief Overview
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) – this is the official name of the EU Cyber Resilience Act, and it relates to all products with digital elements that communicate, directly or indirectly, with other devices, networks, or services, i.e., that use remote data processing. This includes identity management systems, smart meter gateways, microprocessors, and microcontrollers. Products that only work via a cloud connection, such as networked machines or mobile apps, also fall under this category. When we refer to products with digital elements in this article, we are talking about hardware or software that incorporates remote data processing solutions. This does not include medical devices, military products, and systems and components covered by motor vehicle type approval.
New Regulations, A Lot of Uncertainty: Challenges Associated With the CRA
The timeline for the Cyber Resilience Act is as follows:
- The reporting obligation for vulnerabilities and incidents is due to take effect on September 11, 2026. Both the ENISA (European Network and Information Security Agency) and CSIRT (Computer Security Incident Response Team) need to be informed.
- From December 11, 2027, the EU CRA will apply in full to all companies that manufacture, trade, or put into circulation products with digital elements in the EU internal market.
If products do not meet the requirements, companies may face fines, product recalls, or the product may be banned from the EU internal market altogether. This presents many companies with challenges, as they have:
- Insufficient capacity: Small and medium-sized companies (SMEs) often lack the personnel resources to implement the CRA stipulations. A Europe-wide survey (Ensuring Cybersecurity Compliance: Assessing SME Awareness and Preparedness for the Cyber Resilience Act) taken by 416 SMEs showed that only 12.3% are familiar with the Cyber Resilience Act.
- A low level of cybersecurity for products with digital elements: Until now, there haven’t been any consistent regulations concerning the cybersecurity of products with digital elements. Products are brought to market with known vulnerabilities or with insufficient protection across their product lifecycle. The main causes are poor technical implementation, insufficient vulnerability management, unregulated periods of support, and a lack of accountability.
- Lack of information for affected users: When it comes to security vulnerabilities and incidents, there is often a lack of information and security updates for users. Communication channels that facilitate communication between companies and customers are often yet to be established. The CRA requires companies to provide security updates and to inform customers about incidents.
What Does the CRA Mean for You? Obligations – CE Marking – Reporting
What does the regulation cover? What are the resulting obligations, requirements, and responsibilities? Read on to find out.
Responsibilities facing manufacturers, distributors, and importers
The CRA requires economic operators – such as manufacturers, distributors, and importers of products with digital elements – to ensure harmonized cybersecurity standards.
- Manufacturers must consider the technical requirements during the development stage (i.e., security by design); they must also assess and document risks (including for third-party components). Furthermore, they need to ensure security updates and vulnerability management are provided throughout the entire support period. In order to obtain the CE label for products with digital elements, additional cybersecurity requirements must now be implemented as part of the CRA.
- Distributors may only place products with digital elements on the EU internal market if they have a CE marking, i.e., if they have implemented the associated CRA requirements. They need to check whether the manufacturer has met the requirements, need to keep declarations of conformity and other documentation to hand, and need to inform the relevant authorities of any vulnerabilities or risks.
- Importers must ensure that all the required information is provided, must refrain from launching products with security defects, and, in the event of product modifications, must assume the manufacturer's responsibilities.
CRA and the CE label
To continue meeting the CE marking requirements (or to be authorized to use the CE label), companies must now also be able to prove that they meet the mandatory cybersecurity requirements stipulated by the CRA, have undergone a conformity assessment procedure, and that the product has been brought to market without any known exploitable vulnerabilities.
What this means for the product cycle
The CRA demands increased responsibility and transparency from companies and makes it clear that cybersecurity does not end when a product is brought to market. Products with digital elements need to be designed, developed, and maintained to ensure cyber resilience throughout their entire lifecycle. Companies need to systematically assess and minimize the risks and vulnerabilities during the development phase and provide regular security updates throughout the product’s expected lifetime. This is a minimum of five years for all products.
The EU CRA standardizes rules and stipulations for reporting
Under the European Union’s Cyber Resilience Act, manufacturers, distributors, and importers are also duty-bound to meet extensive reporting requirements. Clear rules are also stipulated for market surveillance and sanctions. These include:
- Manufacturers must report serious security incidents: Manufacturers must report security loopholes and vulnerabilities that are being actively exploited to the responsible CSIRT and ENISA via a central reporting platform within 24 hours. In addition, once 72 hours have passed, information must be provided (including to users) about the nature of the incident, the affected vulnerability, and measures to correct, mitigate, or reduce the severity of the incident. After 14 days, the manufacturer must provide a final report on the incident.
- Compulsory compliance procedures: Before products containing digital elements are placed on the EU market, manufacturers must carry out a conformity assessment procedure. There are different procedures depending on the product category. These range from internal controls to extensive external full quality assurance. The EU is striving to achieve uniform guidelines across Europe.
- National authorities are responsible for monitoring: EU member states’ market surveillance authorities are responsible for coordinated and continuous monitoring of compliance with the CRA regulation via so-called “sweeps”. They work closely with CSIRTs and ENISA. In the case of infringements, they have the power to demand that manufacturers take action. If necessary, they can withdraw or recall products from the market.
- Violations of key obligations may result in sanctions: If companies fail to meet the requirements, they face heavy fines. These can amount to up to 15 million euros or 2.5 percent of the global annual turnover.
Classifying Products With Digital Elements in Accordance With the EU Cyber Resilience Act
Products with digital elements are categorized according to different product categories, for example, microcontrollers or identity systems. The following classification determines which conformity assessment procedure is used:
- Important products with digital elements – Class I perform security-relevant functions that may affect other products, networks, or services. These include things like password managers, VPN software, and smart home products. Manufacturers must meet the essential requirements of Annex I of the CRA. The conformity assessment can be carried out by self-assessment under certain circumstances.
- Important products with digital elements – Class II have a significant impact on other systems, services, or users in the event of a security incident. These products typically include firewalls, microprocessors and controllers, and hypervisors. In the case of these products, the conformity assessment must be performed either by an authorized body or via certification in line with a European cybersecurity certification scheme (where available).
- Critical products with digital elements are used in critical infrastructures or particularly sensitive environments. Examples of these products include smart meter gateways, security chips, and hardware with control functions that are critical to security. These products require mandatory certification in accordance with a European cybersecurity certification scheme (where available).
- Products that do not fall under the classification according to Annexes III and IV of the CRA regulation (e.g., simple Internet of Things devices or standardized software solutions without critical functions) must still meet the essential cybersecurity requirements of the CRA. In this case, the conformity assessment is usually completed as part of an internal check.
Trust in Experience and Benefit From Expert Support in Ensuring Compliance With the EU Cyber Resilience Act
The CRA requirements are complex. And this makes it all the more important to address the regulatory challenges early and in a strategic and holistic way. We support companies in the end-to-end implementation of the CRA, utilizing our extensive experience with regulations. We have successfully supported companies in fulfilling the complex requirements of UNECE R155/156, the EU Data Act, and the AI Act. We are here to support you from an initial strategic assessment to technical implementation, training, documentation, and operations. We take a structured, three-stage approach.
Phase 1: Checking what is required
In this first stage, we analyze your company’s status quo and products in view of the requirements of the CRA. Together, we will clarify the specific requirements that the CRA places on your company – whether you are a manufacturer, importer, or distributor. We will identify relevant products and classify your products with digital elements in line with the CRA product categories.
Phase 2: Determining the action needed
We will then carry out a gap analysis and a CRA readiness check. We will examine the extent to which your technical and organizational measures already comply with CRA requirements. In order to do this, we map your existing processes, identify gaps, and determine where action is required. The result: a specially tailored roadmap that serves as an implementation plan for the next phase.
Phase 3: Taking action to move you forward
We then use this roadmap as a basis to implement the measures required and to put them into operation. This phase is not just about technical adjustments but rather about building out the necessary skills, roles, and processes within the company. We will work together with you to develop a rollout plan, accompany you through the compliance assessments and procedures, and ensure that cyber resilience is integrated into your regular processes.
Protect Your Business – With Lasting Cybersecurity
Companies that produce, trade, or market products with digital elements need to act now. The CRA requires the implementation of essential cybersecurity requirements throughout the entire product lifecycle. If you address the requirements of the regulation now, you can reduce the risk of product recalls, fines, or the banning of products.
MHP is here to accompany you along the way – from start to finish. Together, we will create the structures to ensure your company is not just compliant but set for the future. Get the advice you need now.
Legal Disclaimer: This presentation on the EU Cyber Resilience Act is for general information purposes only and does not constitute legal advice. It is therefore no substitute for legal advice in individual cases. Despite careful preparation, we assume no liability for the completeness, timeliness, and accuracy of the information provided.
FAQs
The European Cyber Resilience Act (EU CRA or CRA) is the first EU regulation that sets out uniform cybersecurity requirements for products with digital elements. It requires manufacturers, distributors, and importers to guarantee IT security throughout the entire product lifecycle.
NIS2 is an EU directive aimed at operators of essential facilities of social and economic significance (including critical infrastructure), obliging them to implement cybersecurity and incident management measures. The CRA applies to products with digital elements and their cybersecurity throughout the entire product lifecycle. In the future, CRA requirements will also be a prerequisite for CE marking.
The CRA applies to almost all hardware and software products containing digital elements. This includes smart devices, operating systems, security software, and communication components. However, products that already fall under special EU regulations, such as medical devices, are excluded.
No. The requirements depend on the classification of the product, which in turn depends on its cybersecurity risk. For many products, an internal conformity assessment is sufficient. However, an external procedure or a European cybersecurity certification scheme (where available) is required for important or critical products.
The European Cyber Resilience Act came into force on December 10, 2024. Following a transitional period, the requirements will become mandatory for all new products placed on the market from December 11, 2027. However, the obligation to report vulnerabilities and incidents will apply from September 11, 2026. From this date, manufacturers must report certain types of security incidents and actively exploited vulnerabilities to the relevant authorities (e.g., CSIRT).