The EU Regulation on horizontal cybersecurity requirements for products with digital elements, the so-called Cyber Resilience Act, has been officially adopted on 10 October 2024 and will be published in the EU’s official journal in the coming weeks. This law will impose important obligations on manufacturers of connected products and those placing them onto the EU market. Implementation will begin in 2026 for certain portions of the law, and continue until 2027/2028 for some provisions. There are several elements for a company to keep in mind, which we have outlined below.

• Why?: The goal of the EU Cyber Resilience Act is to enhance the cybersecurity of products with digital elements (“PDE”) by harmonising cybersecurity measures to be implemented throughout the supply chain and the products’ lifecycle to reduce the increased risk of cyber threats affecting consumers, business and the public sector given the increased reliance on PDEs.
• What?:The Act introduces and harmonises EU-wide cybersecurity requirements for the design, development, production and making available on the market of PDEs. It applies to all products that are connected, directly or indirectly, to another device or to a network (e.g. home cameras, fridges, TVs, toys), with some exceptions, such as products for which EU cybersecurity requirements already exist (medical devices, aviation, cars) or military products. The Act only applies to economic operators in relation to PDEs supplied for the distribution or use in the EU market in the course of commercial activity. Software, including cloud as part of a product is covered by the Act but where software is provided as a service it is not covered by the Act but may be by the NIS 2 Directive. The Act does apply to radio equipment in scope of the Radio Equipment Directive 2014/53/EU.
• Who?: The Act creates obligations for manufacturers and, to a lesser extent, for authorised representatives, importers and distributors of PDE sold on the EU market.
• When?:The new regulation will enter into force 20 days after its publication in the EU’s Official Journal and will apply 36 months after its entry into force, with some provisions to apply at an earlier stage. In particular, reporting obligations will apply 21 months after the entry into force of the Regulation.

Obligations

Manufacturers who wish to sell PDEs in the EU are subject to numerous obligations. They shall notably ensure that their products have been designed, developed and produced in accordance with the essential cybersecurity requirements set out in Annex I of the Regulation. They shall also assess the cybersecurity risks of their PDEs, exercise due diligence when integrating components sourced from third parties into their PDE, and ensure that vulnerabilities of the PDE are handled effectively and in accordance with the vulnerability handling requirements for a support period of least 5 years after sale. The cybersecurity risk assessment shall be documented and updated during the support period, and will be part of the technical documentation the manufacturers have to draw up before placing the PDE on the market. They also have other transparency and reporting obligations, and shall, for example, notify the CSIRT (Computer Security Incident Response Team) designated as coordinator and ENISA (the European Union Agency for Cybersecurity) of any actively exploited vulnerability contained in the products that they become aware of.

Manufacturers will only be allowed to draw up the EU declaration of conformity and affix the mandatory CE marking on their PDE once they have demonstrated the compliance of their PDEs with the essential cybersecurity requirements by one of the conformity assessment procedures foreseen in the Regulation. Manufacturers shall keep the technical documentation and the EU declaration of conformity at the disposal of the market surveillance authorities for at lease 10 years after the placement of the PDE on the market.

Importers and distributors will also have to abide by the Regulation and place/make available on the market only products that comply with the essential cybersecurity requirements. Their obligations are less stringent but they may also be considered manufacturers in some cases, e.g. if they carry out a substantial modification of a product with digital element already placed on the market.

Risk-Based Approach

The EU Cyber Resilience Act categorises PDEs by risk. PDEs without critical cybersecurity risks are in the ‘default’ category and can be self-assessed by their manufacturer. Two categories of ‘important’ PDEs – Class I (e.g. identity management systems, standalone and embedded browsers, password managers, or smart home general purpose virtual assistants) and Class II (e.g. firewalls, intrusion detection, prevention systems, or tamper-resistant microprocessors)– are subject to more onerous requirements and can require third-party conformity assessments. In addition, critical products (i.e. hardware devices with security boxes, smart meter gateways within smart metering systems and other devices for advanced security purposes, and smartcards or similar devices) will be required to obtain a European cybersecurity certificate at assurance level at least “substantial” under a European cybersecurity certification scheme.

Essential Cybersecurity Requirements – Annex I of the Regulation

Essential cybersecurity requirements are numerous, and of two types; the requirements relating to the properties of products with digital elements and the vulnerability handling requirements. The latter concerns only manufacturers.

The first type includes, based on a cybersecurity risk assessment undertaken by the manufacturer, the availability of the products on the market without known exploitable vulnerabilities, with a secure by default configuration (unless agreed with the business user for a tailor-made product), security updates to address vulnerabilities, protection from unauthorised access by appropriate control mechanisms, confidentiality, integrity and minimisation of processed data, limitation of attack surfaces, provision of security related information, etc.

The second type of requirements covers the identification and documentation of vulnerabilities and components contained in the targeted products, the treatment and remediation of vulnerabilities without delay, the effective and regular testing and review of the products’ security, the implementation of a policy on coordinated vulnerability disclosure, etc.

Non-Compliant Products – Penalties

Failure to comply with the Regulation’s obligations may result in administrative fines imposed by the competent national market surveillance authorities of up to between EUR 5 and 15 million or, if the offender is an undertaking, up to between 1% and 2,5 % of the its total worldwide annual turnover for the preceding financial year, whichever is higher, depending on the type of obligation. Withdrawal of the PDE from the EU market and a prohibition to sell can also be imposed by the national market surveillance authorities.

Putting It Into Practice: Manufacturers are well advised to start conducting security risk assessments (with the different categories of products in mind, i.e. “regular”, “important” and “critical” PDEs) of their connected products and identify any vulnerabilities. They should address these and start drafting the necessary technical documentation. At the same time manufacturers should start integrating the principles of safety by design into their product development process, taking into account the essential cybersecurity requirements set out in the Regulation, and put in place policies such as the mandatory one on coordinated vulnerability disclosure. In practice, reporting obligations will take effect in the course of 2026, and the other obligations incumbent on manufacturers will follow at the end of 2027/beginning of 2028.

Listen to this post