Understanding the EU Cyber Resilience Act: Why it Matters & Compliance
Northern.techNorthern.tech
The digital world is increasingly connected as the prominence of IoT devices continues to grow exponentially. Everything from smart home devices to critical infrastructure is online, making cybersecurity a global priority for the safety and security of people and international infrastructure.
The growing number of connected devices comes with a skyrocketing cost of cybercrime. Current estimates predict the cost of cybercrime will exceed 20 trillion USD by 2026, which is 150 percent larger than the 2022 figure.Â
To combat today’s cyber threats, the European Union (EU) has introduced the Cyber Resilience Act (CRA)—an extensive piece of legislation aimed at strengthening the cybersecurity of products with digital elements (PDEs) sold within the EU.
The Cyber Resilience Act covers a diverse range of PDEs, with multifaceted compliance requirements and extensive legal and financial penalties. Ensuring compliance will be crucial for the success of manufacturers worldwide as the CRA begins to take effect.
The European Parliament approved the EU Cyber Resilience Act in March 2024 and enacted it in October 2024, implementing reporting mandates. By 2027, after 36 months of mandated reporting, the CRA will be in full effect across the European Union.
The CRA establishes consistent cybersecurity requirements for PDEs, including hardware-software and software-only products, ensuring security throughout the lifecycle.
The CRA broadly impacts all digital products in the EU, except for sectors like medical, military, automotive, aviation, and maritime.
The key objectives of the CRA are to reduce vulnerabilities in digital products, minimize the risk of cyberattacks, and ensure a high level of cybersecurity for all products on the market.
Failure to comply with the CRA could lead to significant penalties of up to €15 million or 2.5 percent of a company’s global turnover (revenue), whichever is higher. The CRA effectively bans non-compliant products from EU sales and may revoke their required CE mark.
The CRA directly responds to the EU’s growing concern over cybersecurity. The increasing number of connected devices—ranging from consumer gadgets to industrial control systems—has made the landscape more vulnerable to cyberattacks.
The CRA aims to fill gaps in current cybersecurity frameworks and practices by ensuring that products are secure by design, fully disclose software dependencies, and can be reset to secure default configuration as needed.
The EU Cyber Resilience Act ensures security is integral to development, covering a wide range of products and industries.
By enforcing stricter standards and expanding accountability, the EU is proactively protecting citizens, businesses, and critical infrastructure from the ever-evolving cyber threat landscape.
If your company develops, manufactures, or distributes products with digital elements in the EU, the CRA likely applies. The CRA applies to any new products with digital elements (PDE) that connect directly or indirectly to a device or network including:
In addition to generic PDEs, the CRA categorizes “cybersecurity and network management products” into Class I and Class II, facing stricter requirements. If your products serve essential cybersecurity functions, you are likely in one of these classes and must adhere to enhanced compliance measures.
The EU Cyber Resilience Act includes software-only products under PDEs, categorizing many as class I or II based on purpose.
One common question concerns free and open-source software (FOSS). By nature, FOSS does not fall under CRA regulations unless it is part of a commercial activity. For example, if open-source software is used in a for-profit or monetized product, it is subject to the CRA. Even if the software is freely available, integrating it into a commercial product puts it under the act’s purview.
The Cyber Resilience Act enforces rigorous standards to ensure cybersecurity from a product’s development to end-of-life stages. To comply with standards, a PDE must consider cybersecurity throughout the entire lifecycle, and the manufacturer must take multiple considerations.
The requirements stand to bolster security and are heavily penalized to ensure compliance:
Manufacturers must act now to ensure compliance with the CRA before it takes full effect. The legislation requires navigating comprehensive steps and considerations, with the main preparations being:
The Cyber Resilience Act mandates security for connected products to counter rising cyber threats. It ensures manufacturers prioritize security throughout the product lifecycle.
For companies in the EU, CRA compliance is essential—not only legally but for staying competitive in a regulated market.
The CRA has some of the largest monetary penalties and scope of all security regulations, and all data collected will be fully subject to review by 2027. Manufacturers must act now to ensure products meet CRA standards and avoid the costly consequences of noncompliance.
Embedding cybersecurity and ensuring CRA compliance helps mitigate risks and provides a competitive edge with secure, resilient products.
The Most Comprehensive IoT Newsletter for Enterprises
Showcasing the highest-quality content, resources, news, and insights from the world of the Internet of Things. Subscribe to remain informed and up-to-date.
New Podcast Episode
Recent Articles