European Cyber Resilience Act: Framework for manufacturers
Sarah Kolberg | April 5, 2024

The first draft of the European Cyber Resilience Act was presented by the European Union in September 2022. The Cyber Resilience Act is another initiative by the European Union to regulate cybersecurity. However, unlike NIS 2, the framework is not for operators, but for product manufacturers. The goal is to ensure cybersecurity for products with digital elements in the European Single Market. Find out more about the product requirements and other obligations of manufacturers.
Who does the Cyber Resilience Act apply to?
Unlike the NIS 2 Directive, the European Cyber Resilience Act (CRA) is not tied to company size thresholds and therefore applies to manufacturers of all sizes. Which products are affected? All products that have a digital communication interface will be regulated by the CRA. It is irrelevant whether that interface is used for external communication or whether the product communicates as part of a machine. This includes hardware and software products as well as hardware and software components that have a direct or indirect, logical or physical data connection to a device or network.
There are some exceptions, as more specific EU regulations already exist for these groups of devices:
- Medical devices
- In-vitro diagnostics
- Type approval of motor vehicles
- Civil Aviation & Aviation Safety
- Marine equipment
There is also an exemption for spare parts. The CRA does not apply to spare parts that are made available on the market to replace identical components in products with digital elements. The prerequisite is that they have been manufactured to the same specifications as the components they are intended to replace.
Why do we need the Cyber Resilience Act?
IoT devices are increasingly becoming a gateway for cyber criminals, as manufacturers have often not taken any security measures. The Cyber Resilience Act is intended to incorporate the “security by design” concept into development processes and throughout the entire life cycle of products. Cybersecurity is to become an integral part of the product, thus protecting consumers and guaranteeing safe use.
Obligations of manufacturers under the Cyber Resilience Act
Cybersecurity measures appropriate to the current threat situation must be taken into consideration during the design, development and production of the products and during their use by customers. The CRA makes manufacturers responsible for guaranteeing cybersecurity over the life cycle of the product, which goes beyond the previous market surveillance obligations. This includes obligations to deal with vulnerabilities, to provide security support and to report.
Manufacturers are obliged to carry out a risk assessment of the product regarding cybersecurity and to take the results into account in the production stages. The product requirements are selected based on the risk assessment and must be documented accordingly.
The period during which security support for a product must be guaranteed is a major topic of the CRA. Previously, it was planned to require support over the entire life cycle of the product. However, this would be particularly challenging for manufacturers of durable goods. An agreement has been reached that the support period will be determined by manufacturers based on various indicators.
These include:
- User expectation
- Product type
- Intended use
- Alignment with other regulations
- Support periods of other similar products
- Support periods of central integrated components
Manufacturers should guarantee reliable availability in the operating environment for at least 5 years. If a support period shorter than 5 years is specified, this must correspond to the product lifetime.
Security requirements for product features
The CRA stipulates the premise of “security by design” for products with digital elements. This means that security measures must already be considered during the development of the product. A risk assessment of the product must be carried out. Depending on the type of product, not every requirement may apply, but all detailed requirements must be examined and checked for feasibility. If the product cannot fulfill a requirement due to its nature, this must be documented.
The following requirements must be checked and, insofar as the nature of the product permits, fulfilled:
- Provision of the product without known vulnerabilities
- Secure standard configuration with the option of resetting to factory settings (can be omitted as a requirement e.g. for customized products in the B2B sector)
- Addressing vulnerabilities with security updates: These should have an opt-out option if they are carried out automatically, as automatic updates are usually unwanted in OT environments.
- Access control: authentication & proof of identity
- Ensuring data confidentiality & data integrity
- Minimization of data: Only data required for the product purpose should be collected and used.
- Monitoring of access and of changes to data, services or functions
- Minimization of negative effects on availability through other devices, networks or services
- Minimization of attack surfaces (e.g. interfaces)
- Appropriate mechanisms and techniques to contain the potential exploitation of security vulnerabilities
Requirements for handling vulnerabilities
Another major aspect of the CRA is security support. Security updates should be offered for the product over a defined period of time in order to close security gaps and protect the product appropriately against acute threats. There are a number of requirements for security support:
- Identification & documentation of vulnerabilities
- Creation and maintenance of a software bill of materials (SBOM), i.e. a record of the components of a software product and the relationships within a software supply chain
- Quickest possible elimination of vulnerabilities and free provision of software updates, with security updates separated from functional updates where possible
- Regular checks and tests of the product to identify any need for software updates
- Comprehensive information on the provision of software updates for users
- Strategy for a coordinated communication process for the disclosure of vulnerabilities
- Facilitation of the exchange of information on vulnerabilities and setting up of a reporting office, i.e. an official point of contact for submitting information on security vulnerabilities
- Secure distribution of security updates
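As an added example (not code from the article or from any regulator), the following Python release gate checks two of the requirements above, shipping the product without known vulnerabilities and keeping a complete SBOM, against a constructed CycloneDX-style SBOM and a constructed advisory list; the component names, versions and advisory ids are placeholders, not real components or real CVEs.

```python
"""Release gate for two CRA Annex I obligations: ship without known
vulnerabilities and maintain an SBOM. Added example; SBOM and advisory
data below are constructed, the advisory ids are placeholders."""
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-like SBOM for a fictitious firmware build.
SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "gw-firmware", "version": "2.4.1"}},
    "components": [
        {"name": "tls-lib", "version": "1.2.9", "supplier": "ExampleCorp"},
        {"name": "json-parser", "version": "0.8.0", "supplier": "ExampleCorp"},
        {"name": "mqtt-client", "version": "3.1.4"},  # supplier missing on purpose
    ],
}

# Constructed advisory feed: affected component, first affected and first fixed version.
ADVISORIES = [
    {"id": "PLACEHOLDER-ADV-0001", "name": "tls-lib", "affected_from": "1.2.0", "fixed_in": "1.3.0"},
    {"id": "PLACEHOLDER-ADV-0002", "name": "json-parser", "affected_from": "0.9.0", "fixed_in": "0.9.2"},
]

REQUIRED_FIELDS = ("name", "version", "supplier")  # fields every SBOM entry must carry

def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted numeric versions as integer tuples (no pre-release tags)."""
    return tuple(int(p) for p in v.split("."))

def sbom_gaps(sbom: Dict) -> List[str]:
    """Components whose SBOM record lacks a required field."""
    return [f"{c.get('name', '?')}: missing {f}"
            for c in sbom["components"] for f in REQUIRED_FIELDS if f not in c]

def known_vulnerabilities(sbom: Dict, advisories: List[Dict]) -> List[str]:
    """Advisories whose affected range [affected_from, fixed_in) covers a shipped version."""
    hits = []
    for c in sbom["components"]:
        ver = parse_version(c["version"])
        for adv in advisories:
            if adv["name"] != c["name"]:
                continue
            if parse_version(adv["affected_from"]) <= ver < parse_version(adv["fixed_in"]):
                hits.append(f"{adv['id']} affects {c['name']} {c['version']} (fixed in {adv['fixed_in']})")
    return hits

def release_gate(sbom: Dict, advisories: List[Dict]) -> bool:
    """True only if the SBOM is complete and no known vulnerability is shipped."""
    return not sbom_gaps(sbom) and not known_vulnerabilities(sbom, advisories)

if __name__ == "__main__":
    print(sbom_gaps(SBOM), known_vulnerabilities(SBOM, ADVISORIES), release_gate(SBOM, ADVISORIES))
```

Running it against the constructed SBOM fails the gate on both counts; patching tls-lib to 1.3.0 and adding the missing supplier makes it pass.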
Reporting obligations for manufacturers
The CRA also contains reporting obligations for manufacturers. The responsible authorities are the CSIRTs and ENISA. The time frames of the reporting obligations are based on NIS 2; only the subject of the reports differs.
CSIRTs & ENISA must be notified of every actively exploited vulnerability via a “single reporting platform”. Actively exploited means that there is evidence that a product in use has been compromised through a vulnerability.
The deadlines:
- Early warning within 24 hours
- Notification after 72 hours
- Final report within 14 days after remediation of the vulnerability
Severe incidents must be reported in the same way, but different deadlines apply here. The incident is considered severe if it has an impact on the security of the product with digital elements, for example if the manufacturing company has suffered data loss due to a cyber-attack and sensitive information about the product has been leaked.
The deadlines:
- Early warning within 24 hours
- Notification after 72 hours
- Final report within 1 month of notification
In both cases, the users of the product must be informed and supported with recommendations and corrective actions to mitigate the possible effects.
Classification of products
Before products with digital interfaces are introduced to the market, technical documentation, including a risk assessment, must be prepared and a conformity assessment procedure carried out (“CE marking”).
The Cyber Resilience Act assigns products to different classification levels. Which products fall into which classification can be found in Annex III & IIIa of the CRA. Appropriate conformity assessment procedures must be carried out based on the classification. If products are cyber-critical or network-critical, they are considered Class I important products. If the products are cyber-critical and network-critical, they are classified as Class II important products. In addition to this classification, there are also critical products.
Cyber-critical or network-critical = Class I important products
- Identity management systems
- Access management systems
- Browsers
- Password managers
- Malware detection, remediation and quarantine software
- Products with digital elements and VPN function
- Network management systems
- SIEM
- Boot Manager
- Public Key Infrastructure
- Software for the issuance of digital certificates
- Physical & virtual network interfaces
- Operating systems
- Routers, switches, modems with internet connection
- Microprocessors with security-relevant functions
- Microcontrollers with security-relevant functions
- ASIC & FPGA with security-relevant functions
- Smart home devices with virtual assistants
- Smart home devices from the security sector
- Network-enabled toys with social interactive features, such as speaking or filming, as well as location tracking
- Wearables with health monitoring
Cyber-critical and network-critical = Class II important products
- Hypervisors and container runtime systems that support the virtualized execution of operating systems and similar environments
- Firewalls
- Systems for detecting and/or preventing intrusions
- Tamper-resistant microprocessors & microcontrollers
Critical products (Annex IIIa)
- Hardware devices with security boxes
- Smart meter gateways in intelligent metering systems
- Devices for advanced security purposes, including for secure crypto processing
- Smart cards or similar devices
A declaration of conformity must be drawn up for all products with digital interfaces. The products must be accompanied by information and instructions for users. If it is known or there is reason to believe that the product is not compliant, corrective action must be taken.
Cyber Resilience Act Summary
The CRA is intended to establish procedural and organizational security measures for the design of products and their features. The CRA is therefore a cybersecurity framework for manufacturers of hardware and software products with digital interfaces.
It focuses on the following:
- Compliance of products
- Security by design, development & production
- Assessment of products
- Responsibility over the life cycle of the product
- Vulnerability management & security support
- Action and reporting infrastructure for product-relevant cyber incidents and exploited vulnerabilities