
Navigating the Cyber Resilience Act and its product security requirements for manufacturers

Is your organisation ready for the upcoming Cyber Resilience Act?

From connected home cameras and smart appliances to password managers and other hardware and software, our daily lives are intertwined with and dependent on technology more than ever before. This interconnectedness comes with inherent risks, including dramatic increases in cyber-attacks on products with digital elements. To better protect organisations and individual consumers across the European Union against cyber-attacks, the EU Commission is introducing the Cyber Resilience Act (CRA), with new, standardised product cybersecurity requirements. These new requirements reach far beyond any current EU product security standards and will have a substantial impact on the manufacturing, distributing and importing of products with digital elements in the EU.

Cyber-attacks on organisations and individual consumers are predicted to occur every two seconds by 2031, costing victims an estimated US$265 billion annually.[1] Consumers are often unaware of the security level of products with digital elements and of the fact that manufacturers, though their reputation may be damaged, do not have to bear the costs of cybercrime attacks.

In the current product security landscape within Switzerland and across the European Union, the lack of a regulatory framework means that products with digital elements are not all held to the same set of cybersecurity standards. Consumers therefore have little guarantee that a product with digital elements has been developed with security in mind.

To enhance product security within the European Union and to better protect companies and consumers against cyber-attacks, the EU Commission proposed the Cyber Resilience Act (CRA) in 2022, and it is likely to be enacted at the beginning of 2025.

The Cyber Resilience Act (CRA) in practice

The CRA defines cybersecurity requirements for products with digital elements. Importers,[2] manufacturers[3] and distributors[4] must adhere to it.

Importers, manufacturers and distributors of products with digital elements in the EU will need to be more diligent across their entire process, from development through production, marketing and distribution of the product and beyond. This applies to all software or hardware products and to their remote data processing solutions, including software or hardware components that are placed on the market separately.[5]

Impact of the CRA

The CRA will have the largest impact on manufacturers producing products with digital elements, including Swiss manufacturers selling products with digital elements in the European Union.

The CRA classifies these products into categories based on their vulnerability and the degree of risk they present.

The graphic below provides a complete overview of the CRA’s product categories and the requirements for them.

Product categories and requirements based on the CRA

Two ways to demonstrate conformity

Manufacturers can choose between the following two routes to demonstrate conformity with the CRA’s requirements:

If manufacturers opt for a conformity assessment to demonstrate compliance with the CRA (instead of the other options, such as harmonised standards), the type of assessment depends on the product category and its level of risk of adverse effects, as shown in the table below.

The main difference between the classes is the way in which the conformity assessment for the CRA requirements is conducted. Products in which the digital element poses less risk of adverse effects, in terms of their intensity and ability to disrupt, can be assessed under the internal control procedure (Module A), while products in which the digital element is more critical must undergo a thorough third-party conformity assessment or the EU Cybersecurity Certification (EUCC) controls listed below.

Examples of essential requirements for the conformity assessment

The CRA requirements for the conformity assessments are listed in Annex I (Essential Requirements) of the CRA. They include the following:[6]

  • Ensure protection from unauthorised access through appropriate control mechanisms, including, but not limited to, authentication, identity or access management systems, and report on possible unauthorised access.
  • Protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest and in transit using state-of-the-art mechanisms and other technical means.
  • Ensure vulnerability handling and delivery of products without any known exploitable vulnerabilities, as outlined by the essential requirements in the CRA (Annex I, Parts I and II).
  • Conduct a cybersecurity risk assessment and document its outcome considering the assessment for the different product lifecycle phases (i.e., planning, production etc.).
  • Exercise due diligence when integrating components sourced from third parties.
  • Prepare technical documentation including a cybersecurity risk assessment for each product.
  • Affix CE marking visibly on the product or the website accompanying the software product.
  • Provide users with information and with a type, batch, or serial number as well as instructions relating to the product’s use.
  • Report any exploited vulnerability of a product with digital elements to the European Union Agency for Cybersecurity (ENISA) and the Computer Security Incident Response Team (CSIRT – the designated coordinator) without undue delay.
     

Manufacturers can also comply with the CRA by demonstrating conformity through harmonised standards, common specifications or the European Cybersecurity Certification Scheme. See below for definitions:

If your product aligns with these standards (according to internal assessments), there is no need for further conformity testing against the CRA’s requirements. However, the notified body may perform routine checks of your Declaration of Conformity (DoC) against these standards and the specifications of the certification scheme.

Lower criticality products can rely on the Harmonised Standards and Common Specifications


Manufacturers can use the harmonised standards and common specifications to demonstrate conformity with the CRA by conducting an internal assessment against the requirements in these standards and specifications. This has been introduced to help smaller organisations demonstrate compliance. The Harmonised Standards and Common Specifications will be specified later by the European Commission.

Higher criticality products must rely on the EUCC level of ‘substantial’


The European Cybersecurity Certification Scheme (EUCC) is the first cybersecurity certification scheme in the European Union. It certifies ICT products (including technical components such as chips and smartcards, as well as hardware and software).[10] The EUCC is based on Regulation (EU) 2019/881 (EU Cybersecurity Act) and common international standards such as ISO/IEC 15408 and ISO/IEC 18045.[11]

Specific implementation controls and guidelines are yet to be defined. Based on Regulation (EU) 2019/881 and ISO/IEC 15408, these are typical controls that manufacturers of critical products might expect at the ‘substantial’ level (EAL4, derived from ISO/IEC 15408[12]):

The EUCC level of ‘substantial’ mandates that manufacturers undergo a third-party assessment. In the future the Commission will assess whether further certification schemes specific to the CRA are needed. It may release delegated acts specifying how an EUCC certificate can be used to suspend the obligation to carry out the third-party conformity assessment for manufacturers.[13]

Product classes
Please refer to the drop-down menus below to check the requirements for each product class as defined in the CRA.

Requirement

Perform your own conformity assessment, following the internal control procedure (Module A), and declare product and process conformity with the essential requirements outlined by the CRA.


Potential challenges

Lack of clarity about which product category a product with digital elements belongs to and how thorough the required assessment procedure must be.

Requirement
Apply harmonised standards, common specifications (which the Commission will release during the transition period after the CRA is passed) or a European Cybersecurity Certification Scheme (EUCC) to demonstrate conformity by performing an internal assessment. Otherwise, engage a third party to perform the assessment, following the procedures outlined in Modules B and C, or Module H.
Potential challenges
Applying harmonised standards, common specifications, the EUCC scheme or having a third party perform an assessment to check for conformity with the CRA may require your organisation to adjust the current product development and manufacturing processes to conform with the in-scope requirements.

Requirement
Apply a third-party conformity assessment based on Modules B and C, or Module H. Alternatively, where possible, available and applicable, apply an EUCC certification at the ‘substantial’ assurance level at least; this also includes a mandatory third-party assessment.
Potential challenges
Small and medium-sized enterprises (SMEs) that manufacture Class II products may find it challenging to handle the costs and capacity needs involved in establishing and maintaining the procedures that the CRA introduces.


Requirement
Apply a European Cybersecurity Certification Scheme (EUCC) at the ‘substantial’ assurance level at least, in alignment with the certification scheme requirements in Article 8(1) of the CRA; this also includes undergoing a mandatory third-party assessment. If the conditions in Article 8(1) are not met, perform the conformity assessment by engaging a third party, as for Class II products, based on Modules B and C, or Module H.
Potential challenges
Applying the ‘substantial’ level of the cybersecurity certification scheme, or having a third party perform a thorough assessment to check for conformity with the CRA, may oblige your organisation to adjust its current product development and manufacturing processes to conform with the cybersecurity-by-design requirements. Additionally, it will be a challenge to stay up to date with the emerging certification scheme landscape, updates through delegated acts and revised product categories.


Conclusions

The CRA obliges importers, manufacturers and distributors of products with digital elements to meet demanding new cybersecurity requirements. It is likely to be implemented as soon as the beginning of 2025. It may also introduce new challenges irrespective of product category, such as aligning vulnerability and incident management processes and risk management with the CRA, as well as overall governance of the new and amended processes. On the other hand, it brings opportunities for organisations to differentiate their products with digital elements from a quality perspective and to become a leader and model producer of secure products within their industry.

Timeline

When the CRA officially comes into force (probably at the beginning of 2025), organisations that manufacture, distribute or import products with digital elements for the EU market will have 36 months to adapt to the new requirements, as laid out in the legislation.[17] In case of non-compliance, market surveillance authorities could prohibit or restrict products on the market and impose fines.[18]

How Deloitte can help your organisation navigate the requirements


We are well aware of the challenges and complexities that may arise from the introduction of the CRA. Please see below how we can help your organisation.

Our approach helps manufacturers navigate their way through the CRA in the most efficient and effective way, tailored to your organisation.

[1] https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/739259/EPRS_BRI(2022)739259_EN.pdf

[2] Article 19 CRA

[3] Article 14 CRA

[4] Article 20 CRA

[5] Article 3(1) CRA

[6] Annex I CRA

[7] https://www.enisa.europa.eu/publications/cyber-resilience-act-requirements-standards-mapping

[8] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0745

[9] An EU Prime! EU adopts first Cybersecurity Certification Scheme — ENISA (europa.eu)

[10] An EU Prime! EU adopts first Cybersecurity Certification Scheme — ENISA (europa.eu)

[11] Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (europa.eu)

[12] Article 2(8), Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (europa.eu)

[13] Article 27, notes 82 and 83 in CRA

[14] Article 32 CRA

[15] Article 32 CRA

[16] Article 32 CRA

[17] Article 71 CRA

[18] Article 64 CRA
