
The Cyber Resilience Act (CRA) – the regulation that mandates cybersecurity for EU market access

The Cyber Resilience Act (CRA) is a European Union (EU) regulation that ensures products with digital components, such as software, smart devices, and connected equipment, are secure by design and by default.

The primary goal of CRA is to ensure that hardware and software remain secure throughout their entire lifecycle: from design and development to operation and updates.

Unlike previous voluntary standards, this regulation makes cybersecurity a mandatory prerequisite for market access within the EU.

By definition, the CRA covers any digital product or component, including those that connect directly or indirectly to a device or network.

It builds upon the European New Legislative Framework, which has traditionally been used for safety-related legislation (such as toys or electrical equipment), but expands it to cybersecurity and a full life-cycle approach.

  • The act aims to ensure that products are "Secure by Design" and "Secure by Default," meaning cybersecurity must be integrated into the product at every stage of development.
  • Beyond technical security, the CRA seeks to increase transparency for consumers and businesses alike.
  • By showcasing its products as the most secure, the EU aims to boost the international standing of European companies and therefore their global competitiveness.

The CRA applies to a wide range of economic operators, including manufacturers, importers, and distributors of digital products available in the EU market.

Companies based both within the EU Member States and those outside the EU that wish to sell their products to European customers are impacted.

Specific target groups:

  • Manufacturers of software and hardware.
  • Importers and distributors placing digital products on the EU market.
  • Organizations integrating digital products into their business operations.

The scope of the act is exceptionally broad, covering nearly the entire digital supply chain. Affected products include:

  • IoT devices (fitness trackers, sensors, patient monitoring, smartwatches, etc.)
  • smart home equipment
  • network components (such as routers and firewalls)
  • software applications
  • specialized industrial systems
  • mobile apps, which are specifically subject to the CRA because they qualify as software products placed on the market.

Excluded from the scope are:

  • non-commercial products (that are not distributed in a business context)
  • standalone Software-as-a-Service (SaaS) products, unless they are part of a product with digital elements
  • products already governed by strict sectoral laws (such as medical devices or aviation components), because they are already covered by their own specific cybersecurity regimes.

For any company selling digital products in the EU, the CRA introduces new obligations regarding risk management, vulnerability detection, and supply chain security.

Businesses are now required to meet stricter security standards; failing to comply could lead to significant financial and operational consequences.

One of the major risks is losing access to the EU market entirely if a product does not meet compliance requirements.

The penalties for non-compliance are significant.

  • Financial fines: companies may face financial penalties of up to €15 million or 2.5% of their global annual turnover, whichever is higher.
  • Operational impacts: non-compliant products may be banned from the EU market or subject to forced recalls.
  • Legal risks: substantial reputational damage and legal liability.

The implementation of the CRA is a multi-year process, but the first critical milestones are approaching rapidly.

Key milestones:

  • September 11, 2026: Manufacturers must report any actively exploited vulnerabilities or severe security incidents via the Single Reporting Platform developed by ENISA.
  • December 2027: The CRA becomes fully applicable. All products must meet all cybersecurity requirements to be legally sold.

The CRA is a foundational piece of the EU's broader cybersecurity strategy and is designed to complement existing regulations such as the NIS 2 Directive and DORA.

While NIS 2 focuses on the security of network and information systems for critical infrastructure, and DORA targets the operational resilience of the financial sector, the CRA fills the gap by regulating the security of the products themselves.

To avoid administrative burdens, the CRA introduces a Single Reporting Platform to prevent double reporting.

This ensures that when a manufacturer reports a vulnerability under the CRA, the information is shared with ENISA and the relevant national authorities, aligning with the incident reporting requirements found in NIS 2 and DORA.

This harmonized approach ensures that the entire digital ecosystem (from the devices of end users to the infrastructure they connect to) is protected by a consistent legal framework.

The CRA uses a fair and risk-based system categorized into three levels:

  • Default Products (Lowest Risk): Manufacturers may use self-assessment (Module A) to declare conformity and apply the CE marking.
  • Important Products (Class 1 & 2):
    • Class 1 requires a third-party evaluation by a Notified Body if the applicable standards are not used.
    • Class 2 must always undergo a mandatory third-party conformity assessment by an independent Notified Body.
  • Critical Products (Highest Risk; examples: smart meter gateways, firewalls, and operating systems): Always require a third-party conformity assessment and external verification by a Notified Body.

Our team of experts in cybersecurity, regulatory compliance, law, and risk management will help you meet all CRA requirements.

Deloitte provides a comprehensive approach to cyber risk management and CRA compliance through various specialized services.

Specifically, our team can assist with:

  • Product portfolio & gap analysis: identifying which products are subject to the CRA and assessing your current state against requirements.
  • Corrective actions: we propose clear, prioritized steps to close compliance and security gaps.
  • Implementation support: we support the implementation of CRA requirements.
  • Conformity assessment & documentation: we support technical documentation and preparation for the conformity assessment process.
  • Vulnerability & update management: we help companies manage security updates and handle vulnerability disclosures effectively.
  • Supply chain & third-party security: we implement security standards across suppliers and external partners and conduct third-party assessments.
  • Methodological support and expert consultations during the implementation of CRA requirements.
