Cyber Resilience Act (CRA)

The Cyber Resilience Act is a proposed regulation within the EU that aims to enhance security and resilience against cyberattacks. Cyber Resilience Act proposes regulations to improve cybersecurity for digital products. The Act outlines guidelines for companies and organizations to manage their cyber security, including measures for preventing, detecting, and managing cyberattacks.

More Secure Hardware & Software Products

A first-ever EU-wide legislation of its kind: the Cyber Resilience Act introduces mandatory cybersecurity requirements for hardware and software products, throughout their whole lifecycle.

Four specific objectives were set out:

  • Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
  • Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  • Enhance the transparency of security properties of products with digital elements, and
  • Enable businesses and consumers to use products with digital elements securely.
Internet of Things Globe

Regulation Overview

EU Regulation

Ensure that products with digital elements placed on the EU market have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle.


The European Parliament and the Council will examine the proposed Cyber Resilience Act. Once adopted, economic operators and Member States will have two years to adapt to the new requirement

Security by Design

The Cyber Resilience Act mandates companies to incorporate information security and cyber security measures during the product design and development phase, known as security-by-design.

We'll Help You Comply with EU's Cyber Resilience Act
Try Our Platform for Free Today!

The EU Cyber Resilience Act: An In-depth Look

The EU Cyber Resilience Act is a testament to the EU's commitment to safeguarding its digital landscape. It emphasizes not just the role of manufacturers and businesses but also underscores the importance of informed users. For businesses within the EU, understanding and adhering to these requirements is not just about compliance but also about building trust and ensuring a safer digital future for all.

The EU Cyber Resilience Act introduces mandatory cyber security requirements for products throughout their lifecycle and imposes several obligations on businesses operating within the EU. These requirements encompass:

  • Security by Design: Cybersecurity considerations must be integrated into the planning, design, development, production, delivery, and maintenance phases of all products.
  • Documentation: Comprehensive documentation of all cybersecurity risks associated with a product is mandatory.
  • Handling Vulnerabilities: Manufacturers are obligated to ensure effective handling of vulnerabilities for either the entire expected product lifetime or a minimum of five years, whichever is shorter, once the product is sold.
  • User Guidance: Clear and user-friendly instructions for secure product usage, especially for those with digital components, must be provided.
  • Security Updates: Manufacturers are required to make security updates available for a minimum of five years.
  • Incident Reporting: Businesses are mandated to actively report exploited vulnerabilities and significant incidents to the relevant authorities. This encompasses events such as data breaches and ransomware attacks that have a substantial impact on the business.

Incident Reporting

If a manufacturer of a product with digital elements becomes aware of an actively exploited vulnerability in the product, they must report the vulnerability to The European Union Agency for Cybersecurity (ENISA) without delay. It must be reported within 24 hours of discovery of the vulnerability. If a manufacturer becomes aware of an incident affecting the safety of the product, this must also be reported to ENISA within 24 hours. The manufacturer is also obliged to inform the users of the product about the incident and, if possible, propose mitigating measures.

True Unification Holm Security Platform

Ready to Navigate the Cyber Resilience Act? 
Book Your Consultation Meeting Today!


Learn More about CRA

What Are Class I Products in the Cyber Resilience Act?

Class I products have a lower cybersecurity risk level than Class II products but a higher level of risk than the unclassified or default category. A list of Class I products is found in Annex III of the bill and includes:

  • Identity and access management software
  • Browsers
  • Password managers
  • Malicious software detection
  • Products that use virtual private networks
  • Network management, configuration, monitoring, and resource management tools
  • Security information and event management systems
  • Update and patch management tools
  • Mobile device and application management software
  • Remote access software
  • Physical network interfaces
  • Microcontrollers
  • Integrated circuits and gate arrays intended for use by essential entities described in the NIS2 directive
  • Operating systems, firewalls, routers, modems, microprocessors, industrial automation and control systems, and industrial IoT that are not covered by Class II of the Cyber Resilience Act

What Are Class II Products in the Cyber Resilience Act?

Class II are higher-risk products with digital elements with regard to critical cybersecurity vulnerabilities. They are also found in Annex III of the bill and currently include:

  • Operating systems
  • Hypervisors and container runtime systems
  • Public key infrastructure and digital certificate issuers
  • Firewalls for industrial use
  • Industrial intrusion detection/prevention systems
  • General purpose microprocessors
  • Microprocessors for programmable logic controllers and secure elements
  • Routers for industrial use
  • Modems for industrial use
  • Industrial switches
  • Secure elements
  • Hardware Security Modules
  • Secure cryptoprocessors
  • Smartcards, readers, and tokens
  • Industrial Automation & Control Systems intended for the use by essential entities described in NIS2
  • Industrial Internet of Things devices intended for the use by essential entities described in NIS2
  • Robot sensing and actuator components and robot controllers
  • Smart meters

What Are the Essential Security Requirements for Connected Devices?

To comply with the essential security requirements, connected devices or the manufacturers of connected devices must:

  • Be designed, developed, and produced with an appropriate level of cyber security.
  • Be delivered without known exploitable vulnerabilities.
  • Be provided with a secure-by-default configuration.
  • Protect against unauthorized access through tools like authentication and identity management.
  • Protect the confidentiality of data by processing and encrypting relevant data.
  • Protect the integrity of stored, transmitted, or processed data.
  • Minimize data collection only to process what is adequate for the intended use.
  • Mitigate denial of essential functions or services.
  • Reduce the lack of availability of services provided by other devices.
  • Limit attack surfaces.
  • Reduce the exploitative effects and impact of a cyber security incident.
  • Record or monitor relevant security-related information.
  • Address future vulnerabilities through security updates, preferably automatic ones that notify users.

What Are the Essential Vulnerability Requirements for IoT Manufacturers?

In order to meet the essential vulnerability requirements, manufacturers must take the following actions:

  • Document all vulnerabilities and product components.
  • Address and fix vulnerabilities immediately.
  • Regularly test and review product security.
  • Publicly disclose information about vulnerabilities that have been fixed.
  • Establish and enforce coordinated vulnerability disclosure policies.
  • Encourage information sharing about vulnerabilities and provide a contact for reporting.
  • Establish mechanisms for distributing updates that minimize exploitable vulnerabilities securely.
  • Provide security patches promptly and free of charge, along with a clear explanation of their purpose to users.

What Is The EU's Cyber Resilience Act, & What Does it Aim to Achieve?

The EU's Cyber Resilience Act is a legislative framework aimed at enhancing the cybersecurity and resilience of critical infrastructure and digital services across the European Union. Its primary objectives include setting standards for cybersecurity measures, promoting incident reporting, and ensuring a coordinated response to cyber threats at the EU level.

Which Organizations & Entities Are Affected by The Cyber Resilience Act?

The Cyber Resilience Act primarily applies to operators of essential services (OES) and digital service providers (DSPs) operating within the European Union. OES and DSPs are required to adhere to specific cybersecurity obligations outlined in the act. The scope and requirements may vary depending on the sector and size of the organization.

What Are The Penalties for Non-Compliance with The EU's Cyber Resilience Act?

Non-compliance with the Cyber Resilience Act can result in penalties, which can vary based on the seriousness of the breach and the degree of negligence. Penalties may include fines, public reprimands, or corrective measures. It's essential for affected organizations to ensure they meet the cybersecurity obligations to avoid potential legal consequences.