The European Union’s Cyber Resilience Act introduces stricter cybersecurity requirements for all products with digital elements, mandating protective measures throughout their entire lifecycle. Given the complexity of the new regulatory framework, this article provides a clear and structured overview of the main obligations and implications for businesses.
What is the Cyber Resilience Act?
The Cyber Resilience Act (CRA) is one of the EU’s first legislative initiatives designed to improve the cybersecurity of products and services with digital components, which are increasingly integrated into both industrial systems and everyday life. Devices such as industrial sensors, PLCs, remote control systems, as well as network technologies like firewalls and routers, and consumer products such as smartwatches, fall within the scope of this regulation.
The CRA aims to provide companies with a clear framework to ensure the security and reliability of IoT devices used in industrial contexts, while also helping consumers make more informed decisions when purchasing and using connected devices. With the CRA in force, all devices and systems placed on the EU market, whether from European companies or international suppliers, must meet strict cybersecurity standards. This includes devices used in industrial automation. Companies will be required to implement advanced protection measures to reduce cyber risk, ensuring that their systems and infrastructures are resilient to attacks and capable of maintaining continuous operations while safeguarding sensitive data.
Risk classification and compliance
The CRA introduces a detailed risk-based classification system for digital products, dividing them into three main categories:
- Class II: High-risk products that require certification by an accredited body
- Class I: Medium-risk products that require appropriate control and compliance measures
- Default category: Low-risk products for which a manufacturer’s self-declaration of conformity is sufficient
Cybersecurity requirements and legal obligations under the CRA
This regulatory framework requires companies in the manufacturing and industrial automation sectors to comply with high standards of security and transparency, ensuring ongoing protection against cyber threats. Specifically:
- Risk assessment: Manufacturers must continuously assess and mitigate cybersecurity risks throughout the entire product lifecycle
- Monitoring and updates: After being placed on the market, products must be continuously monitored to identify cybersecurity threats, and timely updates must be provided, free of charge, for at least five years. In urgent cases, immediate action is required
- Incident reporting: Exploited vulnerabilities and security incidents must be reported to national authorities through ENISA, within 24 hours for early warnings and 72 hours for complete notifications
- Transparency: Manufacturers must provide detailed technical documentation and clear instructions for end users, ensuring they are well informed about the security features of the products