New product cybersecurity requirements are coming to the EU single market. After years of intense debate and negotiation in Brussels, the European Union’s Cyber Resilience Act (CRA) officially entered into force on December 10. This landmark regulation aims to address cybersecurity risks posed by digital products, ensuring that security remains a priority throughout their lifecycle.

Proposed in September 2022 by Thierry Breton, then-Commissioner for the Internal Market, the CRA applies to “products with digital elements” (PDEs) that are made commercially available in the EU single market. In the regulation, PDEs are defined as products that have “a direct or indirect logical or physical data connection to a device or network.” In practice, this includes devices – e.g., laptops, smartphones, IoT devices, routers, etc. – software, and components including hardware and software, e.g., computer processing units (CPUs), video cards, software libraries, etc.

The CRA introduces stringent requirements for manufacturers of PDEs, including:

  1. Product cybersecurity requirements - Manufacturers must ensure that their PDEs:
    • Are designed, developed, and produced so that they provide a level of cybersecurity appropriate to the risks
    • Are made available without known exploitable vulnerabilities
    • Are made available with a secure-by-default configuration
    • Support security updates to address vulnerabilities
    • Protect the confidentiality and integrity of essential and basic functions
    • Protect the availability of essential functions during an incident
  2. Vulnerability handling requirements - Manufacturers must:
    • Identify and document vulnerabilities and components in their products, including creating Software Bills of Materials (SBOMs)
    • Regularly test, assess, and remediate vulnerabilities
    • Establish and enforce Coordinated Vulnerability Disclosure (CVD) processes
  3. Reporting requirements - Manufacturers must adhere to strict timelines for:
    • Vulnerability reporting - Submit an early warning notification within 24 hours of discovering an actively exploited vulnerability, provide a detailed notification within 72 hours, and deliver a final report 14 days after implementing a corrective measure
    • Incident reporting - Notify authorities of any incident impacting PDE security within 24 hours, submit an incident report within 72 hours, and provide a comprehensive report within one month of the initial notification

In addition, the CRA requires importers and distributors to ensure that the PDEs they make available comply with the regulation.

The requirements in the CRA are distinct from those included in the NIS 2 Directive, which is currently being transposed by EU Member States. Whereas the CRA focuses on product cybersecurity, the NIS 2 Directive seeks to improve organizational cybersecurity and risk management. This distinction is reflected in their respective reporting requirements. 

Under the CRA, manufacturers must report cyber incidents affecting the security of a PDE and disclose vulnerabilities. In contrast, the NIS 2 Directive requires covered entities to report significant cyber incidents, or those that could cause severe operational disruptions, financial losses, or considerable material or non-material damage affecting the covered entity itself.

Moving forward, the CRA’s reporting requirements will enter into force on September 11, 2026, and all other requirements will become applicable on December 11, 2027.

Luke O'Grady