Cyber Resilience Act

The Cyber Resilience Act (CRA) is intended to increase the security of products with digital elements and imposes additional obligations on companies. Our team advises and supports companies in implementing the legal requirements.

The Cyber Resilience Act (CRA)

In our increasingly digitalized world, cyberattacks are a constant threat that can severely affect companies of all sizes. From data leaks and operational downtime to massive financial losses – the consequences of a lack of cyber security are far-reaching. This is precisely where the European Union’s new Cyber Resilience Act (CRA) comes in.

This groundbreaking regulation, also known as the Cyber Resilience Regulation, marks a decisive step towards strengthening the cyber resilience of digital products and services. For many companies, this means a need for action. As your specialist law firm, we would like to give you a comprehensive overview of the CRA and show you how we can support you in implementing it in compliance with the law.

What is the Cyber Resilience Act (CRA)?

The Cyber Resilience Act is an EU regulation that aims to improve the digital security of products with digital elements that are placed on the EU market. The aim is to make these products more secure from the ground up in order to better withstand cyber threats. This is also referred to as the principle of “security by design” and “security by default”.

In essence, this means that manufacturers and providers of digital products must ensure that their products meet certain security requirements throughout their entire lifecycle – from development to deployment and maintenance.

What is the purpose of the CRA?

The CRA pursues several important goals:

  • Increasing the cyber security of products: Consumers and companies should be able to rely on the fact that the digital products they use have an appropriate level of security.
  • Strengthening trust in digital products: Clearly defined security standards will strengthen trust in the digital single market.
  • Defense against cyber threats: Products should be designed from the outset to be more resistant to cyber attacks.
  • Promoting transparency: Users should be better informed about the security features of products.
  • Reducing fragmentation: Uniform rules throughout the EU should avoid a patchwork of different national regulations and thus facilitate trade.

In short, the CRA wants to make Europe more secure – for digital users and for companies.

Who is affected by the CRA?

The scope of the CRA is broad and basically affects all manufacturers and providers of products with digital elements that are placed on the market in the EU. This includes both hardware and software that can receive or send data via a direct or indirect logical connection.

This covers a wide range of products and industries, including, for example:

Information technology (IT) and software development

  • Operating systems: Windows, macOS, Linux, Android, iOS.
  • Application software: browsers, e-mail programs, office software, CRM systems, ERP software, video conferencing tools.
  • Network devices: routers, switches, firewalls, WLAN access points.
  • Security components: antivirus software, encryption tools, VPN clients.
  • Cloud solutions and SaaS products: Software-as-a-Service offerings that are directly integrated into products or significantly determine their functionality (e.g. cloud management software for IoT devices).

Internet of Things (IoT) and smart devices

  • Smart household appliances: refrigerators, washing machines, thermostats, lighting systems.
  • Wearables: smartwatches, fitness trackers.
  • Smart security cameras and alarm systems.
  • Industrial IoT devices (IIoT): sensors, actuators, control systems in production facilities or energy supply.
  • Smart home hubs and gateways.

Automotive industry

  • Control units and infotainment systems in vehicles: everything that is digitally networked or controls software functions.
  • Driver assistance systems.
  • Charging stations for electric vehicles, if they have digital elements.

Medical technology

  • Connected medical devices: monitoring devices, infusion pumps, diagnostic imaging systems with network connection.
  • Telemedicine applications and health apps that interact with hardware.

Industry and mechanical engineering

  • Industrial control systems (PLCs) and SCADA systems.
  • Robotics and automation systems.
  • Digitally controlled machine tools.

Consumer electronics

  • Smart TVs, streaming devices.
  • Gaming consoles.
  • Printers and scanners with network functions.

Energy and utilities industry

  • Smart meters and intelligent electricity grids (smart grids).
  • Control components for critical infrastructures (e.g. in power plants or water supply systems).

It is crucial to check whether your company falls under the scope of the CRA. Even if you are not a classic hardware manufacturer, as a software developer or provider of cloud services you may be affected if your offerings include products with digital elements or interact strongly with them. The criterion is often whether a product establishes a “direct or indirect logical connection” for data communication.

What obligations are associated with the CRA?

The CRA sets out a number of basic security requirements and obligations for stakeholders. The most important of these include:

  • Security throughout the entire life cycle (“security by design”): Products must be developed and manufactured in such a way that they guarantee a high level of cyber security. This means that security aspects must be integrated into the design and development process right from the start.
  • Risk assessment and management: Manufacturers must carry out a comprehensive risk assessment before placing products on the market and take appropriate measures to mitigate cyber risks.
  • Adequate security features: Products must provide basic security features, such as protection against unauthorized access, data integrity, confidentiality and availability. This often includes secure default configurations, avoidance of known vulnerabilities and secure authentication mechanisms.
  • Provision of software updates: Manufacturers are obliged to provide security updates and patches for a reasonable period of time to fix known vulnerabilities. This period may vary depending on the product and must be clearly communicated.
  • Obligation to report security incidents and vulnerabilities: Serious security incidents affecting the product or discovered vulnerabilities must be reported to the relevant authorities (e.g. ENISA).
  • Provision of information and documentation: Users must receive clear and understandable information about the security of the product, and manufacturers must provide technical documentation that demonstrates compliance with the requirements.
  • Conformity assessment procedure: Products must undergo a conformity assessment procedure to demonstrate that they meet the CRA requirements. The complexity of the procedure depends on the risk class of the product, with higher risk products being subject to more stringent testing.
  • CE marking: Once the conformity assessment procedure has been successfully completed, the product must bear the CE marking, which indicates its conformity with EU regulations.

These obligations require a realignment of many processes within your company, from product development to quality management and risk management.

How and by when are these obligations to be implemented?

The Cyber Resilience Act has already come into force. However, there are transitional periods to give companies sufficient time to adapt. Most of the provisions will be fully applicable by the end of 2027. This applies in particular to the basic security requirements and reporting obligations. The reporting obligation for actively exploited vulnerabilities will take effect even earlier, namely in 2025.

Implementing CRA duties requires a strategic approach and careful planning. Here are some steps you should consider:

  • Analysis of the product portfolio: Identify precisely which of your products fall under the scope of the CRA and which risk category they fall into.
  • GAP analysis: Compare your current security processes, product features and documentation with the detailed requirements of the CRA to identify gaps.
  • Adaptation of development processes: Integrate “Security by Design” and “Security by Default” principles firmly into your product development and software life cycles (SDLC).
  • Implement risk management systems: Establish robust processes for continuous risk identification, assessment and mitigation throughout the product lifecycle.
  • Employee training: Sensitize and train your teams – from developers to quality managers to management – comprehensively with regard to cyber security and the new CRA requirements.
  • Preparation for conformity assessment: If necessary, select a notified body for the conformity assessment and prepare the necessary documents and evidence.
  • Adaptation of contracts: Check supplier and customer contracts for the need for adjustments in order to contractually anchor the CRA requirements and clearly regulate responsibilities.
  • Establish reporting processes: Define clear internal processes for detecting, assessing and reporting security incidents and vulnerabilities.

It is advisable to start this process at an early stage, as implementation can be complex and tie up considerable internal resources. A proactive approach minimizes risks and enables smooth adaptation.

What are the sanctions for non-compliance?

Failure to comply with the Cyber Resilience Act can have significant consequences, both financial and reputational. The CRA provides for severe fines to remind companies of their compliance obligations:

  • Fines for serious violations: Fines of up to €15 million or 2.5% of the worldwide annual turnover of the previous financial year, whichever is higher, may be imposed for serious breaches of the requirements of the CRA, in particular in relation to the essential security requirements and reporting obligations.
  • Fines for less serious infringements: Even for less serious violations (e.g. formal errors or the lack of required documentation), severe fines of up to €10 million or 2% of annual global turnover are possible.
  • Fines for incorrect or missing information: Fines of up to €5 million or 1% of annual global turnover can be imposed for providing false, incomplete or misleading information.
  • Product recall and sales ban: Products that do not meet the requirements can be withdrawn from the market or banned from being placed on the market. This can lead to massive sales losses and storage costs.
  • Reputational damage: The public perception of your company can suffer massively, which has a long-term impact on customer relationships, market position and investor confidence. A breach of the CRA signals a lack of due diligence in the area of cyber security.

In view of these potential sanctions, it is essential to take the CRA seriously and take the necessary steps to ensure compliance in good time.

How we can support you

The Cyber Resilience Act poses new challenges for many companies. The complexity of the regulation, the technical requirements and the potential legal risks require sound expertise in IT law.

We offer you comprehensive advice and support for all questions relating to the CRA:

  • Initial assessment and GAP analysis: We check whether and to what extent your company is affected by the CRA, which products are relevant and identify specific areas for action.
  • Legal advice on CRA compliance: We support you in interpreting the regulation and deriving specific, legally compliant measures for your company.
  • Adaptation of contracts: We help you to draft or adapt supplier, customer and software contracts with regard to CRA requirements in order to clearly regulate responsibilities.
  • Advice on reporting obligations: We support you in the implementation of reporting obligations in the event of security incidents or vulnerabilities to the responsible authorities.
  • Support with conformity assessment procedures: We advise you on the selection of notified bodies and the preparation of the necessary technical documentation and evidence.
  • Risk management and liability issues: We analyze and evaluate legal risks in the context of the CRA and develop strategies to avoid liability.
  • Representation in sanctions and official proceedings: In the event of official investigations, impending sanctions or disputes, we represent your interests consistently.

Let’s work together to ensure that your company is not only legally protected, but also benefits from strengthened cyber resilience.

Questions about the CRA?

We are happy to advise you on the Cyber Resilience Act!
