Cyber Resilience Act: Advancing Europe’s Digital Horizon

Shashank Tripathi
Group Manager, GRC
5 min. read

Today’s technology landscape is evolving at unprecedented speed, creating complex challenges for organizations striving to keep pace. While these advancements fuel business growth and innovation, the same technologies are increasingly exploited by cyber‑criminals to launch highly sophisticated and targeted attacks. As the threat landscape expands in scale and complexity, organizational continuity strategies must evolve beyond traditional security controls and align with the principles of true cyber resilience.

Insecure digital products—ranging from devices running outdated firmware to misconfigured cloud environments and vulnerable third‑party components—have emerged as primary catalysts for modern data breaches. In response, regulatory bodies, particularly in the European Union, are strengthening mandates to ensure organizations can not only prevent cyber incidents but also withstand, respond to, and rapidly recover from them. The EU’s Cyber Resilience Act exemplifies this shift, establishing a robust framework to elevate digital product security, enhance operational resilience, and reinforce trust in the digital ecosystem.

Introducing the Cyber Resilience Act: The Cyber Resilience Act (Regulation (EU) 2024/2847) is an EU‑wide cybersecurity regulation that applies to economic operators that manufacture, import or distribute products with digital elements (PDEs) on the EU market, with obligations that extend across the whole product lifecycle rather than stopping at the point of sale. It sets out uniform cybersecurity requirements for the design, development, production and making available of such products (the "essential requirements" of Annex I), together with vulnerability‑handling requirements that apply for the product's support period, to safeguard consumers and businesses that rely on software or other products with digital elements. The CRA targets two problems the EU identified in the market: the low level of cybersecurity of many products as shipped, and the slow or inconsistent delivery of the security updates needed to keep them safe.

Scope and Covered Products: The CRA applies to "products with digital elements," meaning any software or hardware product and its remote data‑processing solutions, including software or hardware components that are placed on the market separately. The products must be made available on the EU market in the course of a commercial activity. Out of scope are products already covered by sector‑specific EU rules with equivalent requirements (medical devices, motor vehicles, civil aviation and marine equipment), products developed exclusively for national security or defence purposes, and free and open‑source software that is not supplied in the course of a commercial activity.

Software: The part of an electronic information system that consists of computer code (e.g., operating systems, applications, firmware, libraries).

Hardware: Physical electronic systems or components that process, store, or transmit digital data (e.g., chips, processors).

Remote data processing solutions: Processing of data at a distance for which the software is designed by, or on behalf of, the manufacturer and without which the product could not perform one of its functions (e.g., the cloud back end that a smart‑home device needs for remote control). Stand‑alone cloud services such as SaaS offerings are not covered by the CRA unless they meet this definition; they fall under NIS2 instead.

Economic operators in scope: Manufacturers, their authorised representatives, importers and distributors supplying products with digital elements on the EU market. Open‑source software stewards (legal persons that support the development of free and open‑source software intended for commercial use) are subject to a lighter, separate set of obligations.

Core Obligations Under the CRA:

i. Manufacturers: A manufacturer must ensure that a product with digital elements meets the essential cybersecurity requirements of Annex I before placing it on the market, and must continue to meet the vulnerability‑handling requirements throughout the product's support period. The support period reflects the time the product is expected to be in use and must be at least five years unless the product is expected to be used for a shorter time.

  • Carry out and document a cybersecurity risk assessment and design the product accordingly: ship it with a secure‑by‑default configuration, protect it from unauthorised access, protect the confidentiality and integrity of the data it handles, limit its attack surface, preserve its essential functions under attack, and minimise its negative impact on other devices and networks.
  • Identify and document the vulnerabilities and components contained in the product (including a software bill of materials), address vulnerabilities without delay, including by providing security updates, and distribute those updates free of charge.
  • Apply effective and regular security testing and reviews, publish a coordinated vulnerability‑disclosure policy with a contact address for reporting, deliver security updates separately from functionality updates, and, where applicable, make security updates installable automatically (with a clear opt‑out for the user).
  • Exercise due diligence when integrating components sourced from third parties, including free and open‑source components, so that they do not compromise the security of the product.

ii. Importers, Distributors and Other Third Parties:

  • Importers must place on the market only compliant products: they must verify that the manufacturer has carried out the appropriate conformity assessment, drawn up the technical documentation and affixed the CE marking, ensure the product is accompanied by the required information and user instructions, and indicate their own name and contact details on the product or its packaging.
  • Distributors must act with due care, verifying that the product bears the CE marking and that the manufacturer and importer have met their obligations. They must not make non‑compliant products available, and where a product presents a significant cybersecurity risk they must inform the manufacturer and the market‑surveillance authorities.
  • A natural or legal person that carries out a substantial modification of a product with digital elements and subsequently places it on the market is deemed a manufacturer and becomes subject to the full set of manufacturer obligations for that product.

iii. Software Developers: The CRA does not define "software developer" as a separate role. A developer who places software on the EU market in the course of a commercial activity is a manufacturer, and the obligations below are the manufacturer obligations as they apply to software products:

  • Ensure software products comply with the CRA requirements, ship with secure default settings and keep security measures up to date for the support period.
  • Identify and remediate vulnerabilities, report actively exploited vulnerabilities and severe incidents (see below), process only the data needed for the product's intended purpose, and offer secure means for users to erase their data and to transfer it to another product.
  • Maintain technical documentation, including the software bill of materials and the EU Declaration of Conformity, and keep it available to authorities for at least 10 years after the product is placed on the market or for the support period, whichever is longer. Keep records identifying the economic operators that supplied the product and those it was supplied to for 10 years.

Specific reporting obligations for Manufacturers:

Reports go to the CSIRT designated as coordinator in the manufacturer's Member State and to ENISA, through the single reporting platform that ENISA operates. The obligations follow a staged timeline:

  • Actively exploited vulnerabilities: an early warning within 24 hours of becoming aware of the exploitation, a vulnerability notification within 72 hours, and a final report no later than 14 days after a corrective or mitigating measure is available.
  • Severe incidents having an impact on the security of the product: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month.
  • Inform impacted users without undue delay of an actively exploited vulnerability or severe incident, including any corrective or mitigating measures they can take.
  • Where a manufacturer identifies a vulnerability in a component integrated into its product, including an open‑source component, report it to the person or entity maintaining that component.

Supervision, fines & enforcement:

Non‑compliance with the essential requirements of Annex I or with the manufacturer obligations on conformity and reporting may result in administrative fines of up to €15 million or 2.5% of the entity's total worldwide annual turnover for the preceding financial year, whichever is higher. Breaches of other obligations carry fines of up to €10 million or 2%, and supplying incorrect, incomplete or misleading information to notified bodies or market‑surveillance authorities up to €5 million or 1%. Authorities can also require corrective action, restrict a product's availability or order its withdrawal or recall.

How the CRA supports European Union’s evolving digital landscape:

The CRA plays a critical role in enabling European Union’s technological future by:

  • Creating a harmonized cybersecurity baseline
  • Making “Secure‑by‑Design” mandatory
  • Increasing consumer trust and market competitiveness
  • Aligning with the European Union's wider Cybersecurity Strategy

The EU already has several related acts and regulations, such as the GDPR (protection of personal data), DORA (ICT risk in the financial sector) and NIS2 (security of the entities that operate essential and important services); the CRA differs in scope because it regulates the security of the products themselves, rather than the organisations that use them or the data‑processing activities they perform.

Key Highlights: Products will bear the CE marking as evidence of conformity with the CRA, while national market‑surveillance authorities will oversee and enforce compliance. The Cyber Resilience Act (the "CRA") entered into force on 10 December 2024. The provisions on notified bodies apply from 11 June 2026, the manufacturer reporting obligations apply from 11 September 2026, and the regulation applies in full from 11 December 2027. Manufacturers of covered products should begin compliance preparations without delay to minimise disruption to development processes and limit non‑compliance exposure.

DFS Cybersecurity Blog