EU Cyber Resilience Act

Cybersecurity is once again headline news and continues to draw the attention of lawmakers, who are passing new laws in the hope of closing cybersecurity gaps.

Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (the Cyber Resilience Act) was published in the Official Journal on 20 November 2024 and entered into force on 10 December 2024.

The main obligations will apply from 11 December 2027, though some provisions will apply earlier. This Act complements the EU cybersecurity framework, which includes NIS2 (see our FAQs: EU’s NIS2 Directive) and the EU Cybersecurity Act.

What is this about?

This Regulation is mainly concerned with “products with digital elements” (PDEs): software or hardware products, including their remote data processing solutions, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network. Network-connected devices are also commonly known as the Internet of Things, or “smart objects”.

PDEs cover an ever-widening range of products, from facial-recognition door locks, smart refrigerators and fitness trackers to industrial smart machinery in manufacturing. The Regulation does not apply to PDEs that are already subject to sector-specific EU rules with cybersecurity requirements, such as medical devices, civil aviation products and motor vehicles, nor to free and open-source software that is not supplied in the course of a commercial activity.

What kind of products fall under scope of the EU Cyber Resilience Act?

The Regulation covers both software and hardware products and classifies them into three categories: default (which covers the majority of PDEs), important products (split into class I and class II, listed in Annex III), and critical products (listed in Annex IV).

Important and critical PDEs attract stricter conformity assessment procedures. Default products may generally be self-assessed by the manufacturer; class I products may be self-assessed only where the manufacturer applies a harmonised standard, common specification or European cybersecurity certification scheme, and otherwise require third-party assessment; class II products always require third-party assessment; and for critical products the Commission may additionally require a European cybersecurity certificate.

Some examples of default products include:

  • Photo editing tools
  • Video games
  • Smart TVs and other connected consumer devices that are not listed in Annex III or Annex IV

Examples of class I important products include:

  • Password managers
  • Standalone and embedded browsers
  • Operating systems
  • Products with a VPN function
  • Routers, modems intended for connection to the internet, and switches
  • Identity management and privileged access management software and hardware, including biometric readers
  • Smart home products with security functions, such as smart door locks, security cameras and alarm systems

Examples of class II important products include:

  • Hypervisors and container runtime systems
  • Firewalls, intrusion detection and intrusion prevention systems
  • Tamper-resistant microprocessors
  • Tamper-resistant microcontrollers

Critical Products are:

  • Hardware devices with security boxes
  • Smart meter gateways within smart metering systems and other devices for advanced security purposes, including secure cryptoprocessing
  • Smartcards or similar devices, including secure elements

What are the main obligations under the EU Cyber Resilience Act?

This Regulation seeks to make PDEs more secure by introducing cybersecurity requirements for hardware and software products throughout their whole life cycle, from design and development through to the end of the support period. In some respects it mirrors existing product safety obligations for non-digital products, including CE marking. The Act also aims to ensure that PDEs placed on the EU market have fewer vulnerabilities, and seeks to improve transparency so that consumers can more easily identify hardware and software products with proper cybersecurity features.

Manufacturers’ obligations include:

  • Meeting the essential cybersecurity requirements in Annex I before placing PDEs on the EU market, and carrying out the applicable conformity assessment and affixing the CE marking.
  • Undertaking a cybersecurity risk assessment covering the planning, design, development, production, delivery and maintenance phases.
  • Including the risk assessment in the technical documentation, together with a software bill of materials (SBOM) covering at least the product’s top-level dependencies.
  • Exercising due diligence when integrating components sourced from third parties, including free and open-source software.
  • Reporting actively exploited vulnerabilities and severe incidents affecting the security of the PDE to the single reporting platform, with an early warning within 24 hours of becoming aware of them.
  • Handling vulnerabilities in accordance with the essential requirements of the Act, including providing security updates free of charge for the support period (at least five years unless the product is expected to be in use for a shorter time).
  • Maintaining a coordinated vulnerability disclosure policy and procedures for receiving and handling reports of potential vulnerabilities.

Importers’ and distributors’ obligations include:

  • Ensuring the appropriate conformity assessment, technical documentation and CE marking are in place before placing a product on the market or making it available.
  • Ensuring that PDEs are accompanied by clear and easily understood instructions and information.
  • Informing the manufacturer and, where appropriate, market surveillance authorities about vulnerabilities or non-compliance.
  • Ensuring that documents can be made available to market surveillance authorities on request.

What are the penalties for non-compliance?

For non-compliance with the essential cybersecurity requirements: administrative fines of up to €15 million, or 2.5% of total worldwide annual turnover for the preceding financial year, whichever is higher.

For non-compliance with other obligations: €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

For supplying incorrect, incomplete, or misleading information to authorities in response to a request: €5 million, or 1% of total worldwide annual turnover for the preceding financial year, whichever is higher.

When will the EU Cyber Resilience Act apply?

The main obligations apply 36 months after entry into force, on 11 December 2027. Products placed on the market before that date are caught only if they are substantially modified afterwards. However, manufacturers should be aware that the reporting obligations for actively exploited vulnerabilities and severe incidents apply earlier, from 11 September 2026, and apply to products regardless of when they were placed on the market. The provisions on the notification of conformity assessment bodies apply from 11 June 2026.
