Part of series: CRA

Cyber Resilience Act (CRA) – legal summary


This is a legal summary of the Cyber Resilience Act (CRA). For technical aspects see our technical summary. For ENISA’s mapping of CRA to existing standards, see the reference below.

Chapters excluded (government-focused)

  • Legal basis – legal reasons that allow the EU to create this document
  • Subsidiarity – scaling via non‑governmental entities
  • Results of evaluations/consultations/impact assessments – policy caution notes
  • Budgetary implications – number of ETFs allocated by the EU

Reasons and objectives of the CRA

  • Reason: Enhance cybersecurity in hardware and software products. Objective: reduce vulnerabilities and inconsistent updates; reduce global cybercrime costs.
  • Reason: Improve user understanding and access to cybersecurity info. Objective: informed choices and safer use of digital products.
  • Reason: Implement EU‑level cybersecurity legislation. Objective: address cross‑border threats and gaps (e.g., non‑embedded software).
  • Reason: Establish a coherent, lifecycle‑wide framework. Objective: clear compliance guidelines for producers.
  • Reason: Increase transparency of security features. Objective: empower businesses/consumers and build trust.
  • Reason: Coordinate efforts across Member States. Objective: avoid fragmentation and support a competitive single market.

Interplay with related policy concepts

  • Requirement: Harmonize criminalization/penalties for offences against information systems (2013 Directive). Reason: uniform response to cybercrime.
  • Requirement: Implement NIS (2016) and NIS2. Reason: maintain a high common level of cybersecurity for essential/important entities.
  • Requirement: Cybersecurity Act (2019) certification framework (voluntary). Reason: enhance security of ICT products/services/processes.
  • Requirement: CRA to set mandatory security requirements for products with digital elements. Reason: fill gaps in current laws.
  • Requirement: NIS2 mandates measures incl. vulnerability handling/disclosure. Reason: strengthen network and information systems.
  • Requirement: Implementing acts under NIS2 for technical/methodological requirements. Reason: uniform standards for providers (e.g., cloud).
  • Requirement: Align CRA specs with NIS2 for SaaS. Reason: ensure high cybersecurity in SaaS and in‑house systems.

Interplay with other EU policies

  • Requirement: Follow ‘Shaping Europe’s digital future’ and EU data strategy. Reason: maximize digital benefits while safeguarding rights and cybersecurity.
  • Requirement: Align with framework for products with digital elements, product safety/liability, and AI Regulation proposals. Reason: maintain coherence.
  • Requirement: Apply CRA to radio equipment within the scope of Delegated Regulation (EU) 2022/30. Reason: cover essential requirements in RED 2014/53/EU.
  • Requirement: Repeal/amend 2022/30 for overlapping radio equipment. Reason: avoid overlap and make CRA the primary law.
  • Requirement: Reuse RED 2022/30 standardization work for harmonized standards. Reason: avoid duplication; efficient standards development.

Proportionality

  • Requirement: Measures necessary to reach objectives without disproportionate costs. Reason: balanced intervention.
  • Requirement: Secure products across lifecycle proportional to risk; objective‑oriented and tech‑neutral. Reason: match entity interests and risks.
  • Requirement: Base essential requirements on widely used standards. Reason: allow tailoring to product specifics/risk.
  • Requirement: Limit third‑party assessment to critical products. Reason: focus intensive efforts where needed.
  • Requirement: Assess SME impact by product market category. Reason: address specific SME effects.
  • Requirement: Allow notified bodies to consider business size in fees. Reason: fairness in conformity costs.
  • Requirement: 24‑month transition period. Reason: preparation time and R&D guidance.
  • Requirement: Balance compliance costs with security/trust benefits. Reason: net positive impact.

Choice of instrument

  • Requirement: Adopt a regulation (not a directive). Reason: directly conditions placing products on the internal market across the EU.
  • Requirement: Avoid transposition variability. Reason: ensure uniform essential requirements and avoid fragmentation/discrimination.

Implementation, monitoring, and reporting

  • Requirement: Monitor implementation, application, and compliance. Reason: assess effectiveness.
  • Requirement: Commission evaluation/review and public report to Parliament/Council at 36 months after application, then every 4 years. Reason: continuous oversight.

Detailed explanation of specific provisions

General provisions (Chapter I)

  • Establish rules for placing products with digital elements on the market.
  • Set essential design/development/production requirements and obligations for economic operators.
  • Define essential requirements for vulnerability handling throughout lifecycle and related obligations.
  • Provide rules on market surveillance and enforcement.

Scope of Regulation

  • Apply to all products with digital elements that have a direct or indirect data connection to a device or network.
  • Exclude products under specific EU regimes (medical devices, IVDs, civil aviation safety, motor vehicles).

Critical products assessment

  • Critical products with digital elements are subject to specific conformity assessment; classified into Class I and Class II based on cybersecurity risk.

Obligations of economic operators (Chapter II)

  • Manufacturers, importers, and distributors must ensure products meet essential cybersecurity requirements when supplied, installed, maintained, and used as intended.

Conformity assessment (Chapter III)

  • Presumption of conformity when using harmonized standards or common specifications.
  • Products certified under an EU cybersecurity certification scheme may be presumed in conformity.

Notification of conformity assessment bodies (Chapter IV)

  • Member States ensure proper functioning and monitoring of notified bodies responsible for assessments.

Market surveillance and enforcement (Chapter V)

  • National authorities are responsible for market surveillance; economic operators must cooperate.

Delegated powers and committee procedures (Chapter VI)

  • Commission may update critical product lists, specify regulations, and adopt implementing acts.

Confidentiality and penalties (Chapter VII)

  • Maintain confidentiality of information handled in regulatory tasks.
  • Market surveillance authorities may impose fines for non‑compliance.

Transitional and final provisions (Chapter VIII)

  • Set a transition period and specific timelines for manufacturers, notified bodies, and Member States to adapt.

References