From connected home cameras and smart appliances to password managers and other hardware and software, our daily lives are intertwined with and dependent on technology more than ever before. This interconnectedness comes with inherent risks, including dramatic increases in cyber-attacks on products with digital elements. To better protect organisations and individual consumers across the European Union against cyber-attacks, the EU Commission is introducing the Cyber Resilience Act (CRA), with new, standardised product cybersecurity requirements. These new requirements reach far beyond any current EU product security standards and will have a substantial impact on the manufacturing, distributing and importing of products with digital elements in the EU.
Cyber-attacks on organisations and individual consumers are predicted to occur every two seconds by 2031, costing victims an estimated US$265 billion annually.[1] Consumers are often unaware of the security level in products with digital elements and of the fact that manufacturers, though their reputation may be damaged, do not have to bear the costs of cybercrime attacks.
In the current product security landscape within Switzerland and across the European Union the lack of a regulatory framework means that products with digital elements are not all held to the same set of cybersecurity standards. Consumers therefore have little guarantee that a product with digital elements has been developed with security in mind.
To enhance product security within the European Union and to better protect companies and consumers against cyber-attacks, the EU Commission proposed the Cyber Resilience Act (CRA) in 2022, and it is likely to be enacted at the beginning of 2025.
The CRA defines cybersecurity requirements for products with digital elements. Importers,[2] manufacturers,[3] and distributors[4] must adhere to it.
Importers, manufacturers, and distributors of products with digital elements in the EU will need to be more diligent in their entire process, from development through to production, marketing and distribution of the product and beyond. This applies to all software or hardware products and to their remote data processing solutions, including software or hardware components that are placed on the market separately.[5]
The CRA will have the largest impact on manufacturers producing products with digital elements, including Swiss manufacturers selling products with digital elements in the European Union.
The CRA classifies these products into categories based on their vulnerability and the degree of risk they present.
The graphic below provides a complete overview of the CRA’s product categories and the requirements for them.
Manufacturers can choose between the following two routes to demonstrate conformity with the CRA’s requirements:
Manufacturers can use the harmonised standards and common specifications to demonstrate conformity with the CRA by conducting an internal assessment against the requirements in these standards and specifications. This route has been introduced to help smaller organisations demonstrate compliance. The harmonised standards and common specifications will be specified later by the European Commission.
The European Cybersecurity Certification Scheme (EUCC) is the first cybersecurity certification scheme in the European Union. It certifies ICT products (including technical components such as chips and smartcards, as well as hardware and software).[10] The EUCC is based on Regulation EU 2019/881 (EU Cybersecurity Act) and common international standards such as ISO/IEC 15408 and ISO/IEC 18045.[11]
Specific implementation controls and guidelines are yet to be defined. Based on EU Regulation 2019/881 and ISO 15408, these are typical controls manufacturers of critical products might expect at a ‘Substantial’ (EAL4, coming from ISO/IEC 15408[12]) level:
The EUCC level of ‘substantial’ mandates that manufacturers undergo a third-party assessment. In the future the Commission will assess whether further certification schemes specific to the CRA will be needed. It may release delegated acts to specify how the EUCC certificate can be used to suspend the obligation to carry out the third-party conformity assessment for manufacturers.[13]
Product classes
Please refer to the drop-down menus below to check the requirements for each product class as defined in the CRA.
The CRA obliges importers, manufacturers, and distributors of products with digital elements to meet demanding new cybersecurity requirements. It is likely to be implemented as soon as the beginning of 2025. It might also introduce new challenges regardless of product category, such as aligning vulnerability and incident management processes and risk management with the CRA, as well as overall governance of the new and amended processes. On the other hand, it brings opportunities for organisations to differentiate their products with digital elements from a quality perspective and become a leader and model producer of secure products within their industry.
When the CRA officially comes into force (probably at the beginning of 2025), organisations that manufacture, distribute, or import products with digital elements for the EU market will have 36 months to adapt to the new requirements, as laid out in the legislation.[17] In case of non-compliance, market surveillance authorities could prohibit or restrict products on the market and impose fines.[18]
We are well aware of the challenges and complexities that may arise from the introduction of the CRA. Please see below how we can help your organisation.
Our approach helps manufacturers navigate their way through the CRA in the most efficient and effective way, tailored to your organisation.