The EU Cyber Resilience Act: A New Horizontal Legal Framework for Cybersecurity in Digital Products
On 23 October 2024, the European Union adopted Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (the “Cyber Resilience Act” or “CRA”). The Regulation was published in the Official Journal on 20 November 2024 and will apply from 11 December 2027, subject to limited transitional provisions.
The CRA establishes, for the first time at Union level, a harmonised legal framework imposing binding cybersecurity obligations on a wide range of digital products. It requires compliance with cybersecurity requirements not only at the design and development stage but also throughout the product lifecycle, including post-market surveillance, vulnerability handling, and incident reporting.
Regulatory Context and Objective
The CRA forms part of the European Commission’s broader EU Cybersecurity Strategy and aims to strengthen the digital resilience of the internal market. In contrast to sector-specific instruments, the CRA introduces a horizontal framework applicable to most software and connected devices placed on the Union market, regardless of sector.
Its core objective is to enhance legal certainty and user trust in the digital single market by ensuring that products with digital elements (“PDEs”) are secure by design and by default, and that they remain secure for the duration of their intended use.
Scope of Application and Exemptions
The CRA applies to products with digital elements, broadly defined to include software or hardware that has a direct or indirect logical or physical connection to a device or network (Article 2(1); Article 3(1)).
Importantly, the Regulation applies not only to economic operators established in the European Union, but also to non-EU manufacturers, importers and distributors that place products on the EU market or offer them to users within the Union (Article 3(22); Recital 13). This extra-territorial effect aligns with the EU's approach in instruments such as the GDPR and the Digital Services Act.
The CRA lays down:
rules governing the making available on the market of PDEs to ensure their cybersecurity;
essential cybersecurity requirements for design, development, and production;
obligations regarding vulnerability handling during the product’s support period; and
rules on market surveillance, monitoring, and enforcement (Article 1).
It is worth noting that the CRA does not apply to products with digital elements where sectoral legislation provides for equivalent or higher levels of cybersecurity protection, such as:
Medical devices (Regulations (EU) 2017/745 and 2017/746),
Certain automotive and aviation products (e.g. Regulation (EU) 2019/2144 and Regulation (EU) 2018/1139),
Marine equipment (Directive 2014/90/EU),
Products developed or modified exclusively for national security or defence purposes,
Spare parts manufactured to the same specification as original components.
Key Provisions
1. Essential Cybersecurity Requirements
Manufacturers are required to ensure that PDEs comply with essential cybersecurity requirements, as set out in the Regulation. These cover both:
technical requirements for design, development, and production, including protection against unauthorised access, data integrity, and secure default settings; and
vulnerability handling processes, including security updates, incident response, and coordinated vulnerability disclosure.
Compliance with these requirements is a prerequisite for affixing the CE marking and legally placing the product on the Union market.
2. Cybersecurity Risk Assessment
Manufacturers are required to perform and document a cybersecurity risk assessment. This must be proportionate to the nature and risk of the product, included in the technical documentation, and kept up to date throughout the product’s support period.
The support period must reflect the expected use of the product and must be at least five years, unless a shorter period of use is objectively justified. During this period:
Security updates must be made available for at least the support period and, in any case, for a minimum of five years from placement on the market, unless a shorter period is appropriate;
The manufacturer must operate appropriate vulnerability handling processes.
3. Product Classification and Conformity Assessment
PDEs are categorised into two tiers:
Important products, subject to enhanced conformity assessment procedures involving third-party review; and
Critical products, which may be required to undergo mandatory EU cybersecurity certification at a minimum assurance level of “substantial”.
The Commission may adopt delegated acts to update the lists of important and critical products and specify the applicable conformity obligations based on assessed cybersecurity risk.
4. Reporting Obligations and Enforcement
Manufacturers must notify the following to the EU Agency for Cybersecurity (ENISA) and the designated national computer security incident response teams (CSIRTs):
Actively exploited vulnerabilities – within 24 hours (initial report) and 72 hours (follow-up);
Severe cybersecurity incidents – subject to the same reporting timelines.
Notifications are submitted via a centralised EU single reporting platform operated by ENISA.
Failure to comply with the reporting or product requirements may result in corrective measures, product withdrawal or recall, and the imposition of administrative fines by national market surveillance authorities.
5. Software Bill of Materials (SBOM)
Manufacturers are also required to compile and maintain a Software Bill of Materials (SBOM), detailing third-party software components and their supply chain linkages. This is of particular relevance where free and open-source software (FOSS) is integrated into commercial PDEs.
The Commission may, by implementing acts, standardise the format and content of SBOMs, recognising the growing regulatory emphasis on software supply chain transparency.
6. Language and Contact Requirements
Manufacturers must provide users with:
Clear instructions and information in a language easily understood by users and market authorities;
Information about the end of the support period, visibly at purchase and, where technically feasible, via device notification.
They must also appoint a single point of contact for cybersecurity communications, including vulnerability disclosures. This contact must support multiple means of communication (not limited to automated tools) and must be clearly identifiable and accessible to users.
Considerations for Manufacturers, Importers and Distributors
The obligations imposed by the CRA are extensive and will require substantial operational, contractual and technical adaptations by manufacturers, importers and distributors alike.
In particular, these market participants, both within and outside the EU, will need to:
Conduct a product portfolio mapping exercise to identify PDEs falling under the CRA;
Review and revise product design, development and testing practices to reflect the applicable cybersecurity requirements;
Prepare conformity assessments, technical documentation, and SBOMs;
Implement structured processes for vulnerability reporting and incident handling;
Assess supply chain dependencies and verify third-party software provenance, especially in the context of SBOMs;
Update user documentation, contractual terms, and vendor agreements to reflect post-market obligations.
The compliance burden will vary based on product classification and the market participant’s role in the supply chain, but even non-critical or legacy products may be caught if updates or support continue beyond 11 December 2027.
Transitional Provisions and Next Steps
The main obligations of the CRA will apply from 11 December 2027, although certain delegated and implementing acts may be adopted earlier. It is therefore advisable for organisations to initiate readiness assessments and compliance planning during the current transitional period.
How Aptus Legal Can Assist
At Aptus Legal, we advise clients on the legal and regulatory implications of EU digital law, including the Cyber Resilience Act, the NIS2 Directive, the Digital Operational Resilience Act (DORA), and the AI Act.
Our services include:
Legal gap analysis and compliance strategy,
Review and redrafting of technical documentation and commercial contracts,
Conformity assessment support and CE marking guidance,
Workshops for in-house legal, tech and compliance teams.
For more information, please contact Aptus Legal or send an email to info@aptuslegal.com.