Cyber Resilience Act (CRA)

Last updated: 29.06.2026

Cyber Resilience Act (CRA): New Cybersecurity Standards for Digital Products

In an era of widespread digitalisation and the growing interdependence of IT systems – covering everyday devices, industrial controllers and mobile applications alike – cybersecurity is no longer optional, but has become a strict legal requirement. Regulation (EU) 2024/2847 of the European Parliament and of the Council, known as the EU Cyber Resilience Act (CRA), is a key piece of legislation introducing a range of new harmonised rules with which businesses across many sectors of the economy will need to comply.

Below, we provide a detailed analysis of how the new cybersecurity regulation may affect current and future business operations, including its key provisions, new obligations and CRA requirements for manufacturers, importers and distributors.


What Is the Cyber Resilience Act and When Will It Apply?

The CRA is not merely a set of non-binding recommendations, but a mandatory legal act of the European Union aimed at harmonising mandatory cybersecurity requirements for products with digital components placed on the EU market.

Its scope covers both hardware and software products. The Act comprehensively regulates the rules for placing products on the market, sets requirements for the design and production stages, requires manufacturers to address detected vulnerabilities throughout the product’s entire lifecycle, and defines the rules for market surveillance and enforcement of the new provisions.

The purpose of the EU regulation is to provide end users of products containing digital solutions with greater protection against cyberattacks and other cybersecurity threats that may affect economic and social activities. In this respect, the CRA is intended to protect users by improving the security of digital products before they reach the market.


Who Does the New Cybersecurity Regulation Apply To?

The scope of application of the CRA is exceptionally broad, as the regulation is, by definition, intended to apply to any product containing a digital element. In particular, the following categories of products are covered by the regulation:

  • Computer systems and applications – including operating systems as well as desktop, mobile and web applications;
  • Smart consumer electronics – meaning smart devices intended for consumers, such as smart speakers and baby monitors, together with the software associated with them;
  • Automation and industrial infrastructure – including measuring equipment and sensors, programmable logic controllers (PLCs), as well as Internet of Things (IoT) architecture.

At the same time, it should be noted that different obligations will apply to manufacturers, importers and distributors of the products described above and covered by the CRA. Depending on the circumstances, these obligations may apply to any natural or legal person involved in making products available on the market in the course of a commercial activity. The classification of specific technologies is based on an assessment of the level of risk and wider risk management considerations.

The higher-risk category includes, in particular, solutions implemented in the fuel and energy sector, manufacturing plants and critical infrastructure facilities.

For these products, the EU legislator has provided for separate, more restrictive conformity assessment procedures, reflecting their strategic importance for the country’s economic stability and public safety.

Consequently, manufacturers, distributors and importers of software products and other products containing digital elements should carry out an appropriate assessment to determine whether they fall within the scope of the CRA and identify their obligations in this regard.


Key Obligations Under the EU Cyber Resilience Act

The CRA shifts the burden of responsibility to economic operators, requiring them to take a proactive approach to security throughout the entire product lifecycle. The key requirements for businesses are as follows:

Implementation of the Security by Design principle

Products must be designed to minimise cybersecurity vulnerabilities and ensure a secure default configuration. In practice, this means that businesses should embed security into the product from the earliest stages of development. Compliance with the essential cybersecurity requirements and standards provided for in the regulation will be confirmed by the CE marking, which must be affixed to the product in order for it to be placed on the European Union market.

Vulnerability management over time

The manufacturer is required to monitor vulnerabilities on an ongoing basis and to provide free automatic security updates for the duration of the support period, which should typically be at least five years.

Technical documentation and SBOM

Businesses will be required to prepare a Software Bill of Materials (SBOM), i.e. a detailed list of software components, enabling a rapid response if a vulnerability is detected in a specific library. This is particularly important for supply chain security, as vulnerabilities may arise not only in the product itself, but also in third-party software components.

Multi-level conformity assessment

Products are divided into risk classes. Most standard products will require self-certification, while “important” and “critical” products, such as operating systems, firewalls and processors, may have to undergo an appropriate conformity assessment involving external notified bodies.


CRA and NIS 2: What Is the Difference?

Although both legal acts are pillars of the new EU cybersecurity strategy and complement one another, they focus on entirely different areas of responsibility. The key distinction lies in the difference between the security of products themselves and the operational security of organisations.

  • The CRA focuses on the product dimension. It defines fundamental cybersecurity requirements already at the design, development and production stages of devices and software containing digital elements. It therefore imposes direct obligations on manufacturers, distributors and importers placing such solutions on the EU market.
  • Directive (EU) 2022/2555 of the European Parliament and of the Council, known as the NIS 2 Directive, focuses on the organisational and process-related dimension. It is addressed directly to organisations, in particular those operating in essential and important sectors. It requires companies to implement appropriate technical, operational and organisational measures to manage risk and protect their own ICT infrastructure.

Cyber Resilience Act Timeline: Key Dates for Businesses

Although the regulation was adopted on 10 December 2024 and published in the EU’s Official Journal, its application has been deferred to give obliged entities time to adapt to the new rules. The regulation will apply according to the following milestones:

  • Initial organisational steps – 11 June 2026: notification of conformity assessment bodies – from this date, the provisions enabling Member States to designate qualified third parties responsible for assessing product compliance under the CRA will take effect;
  • First obligations for businesses – on 11 September 2026, businesses will become subject to a reporting obligation concerning actively exploited vulnerabilities and serious incidents;
  • Full implementation of the CRA – on 11 December 2027, the regulation will become fully applicable. From that date, no product with digital elements may be placed on the EU market without demonstrating compliance with the CRA. Lack of certification means no CE marking, which in practice prevents the product from being marketed.


CRA Compliance: How We Can Help

Implementing the CRA is a complex process from both a legal and technical perspective. We help businesses assess how the horizontal cybersecurity requirements under the CRA apply to their products and internal compliance processes.

As a law firm, we not only interpret the regulations, but also support clients in determining the appropriate course of action. Properly planned CRA compliance can help maintain market access and strengthen customer trust in products placed on the EU market.

If you believe that the regulation described above may apply to your business, we recommend contacting our firm to discuss the next steps.

Expert team leader D&P Legal Michał Puk
Expert team leader D&P Legal Julia Kwiatkowska