Blog
03-02-2025
Cyber Resilience Act: Cybersecurity of Digital Products
On November 20, 2024, the Cyber Resilience Act (CRA) was published with the ultimate goal of ensuring that hardware and software associated with products with digital elements are more secure, extending this protection throughout the entire lifecycle of these products. The aim is to address the inadequate levels of cybersecurity inherent in many ubiquitous products in our daily lives (e.g., home cameras, smart refrigerators, televisions) and to require security updates for these same products. On the other hand, the implementation of the CRA will allow consumers and businesses to determine which products are (more) cybersecure.
The CRA applies to products with digital elements (also referred to as "digital products”) made available on the EU market whose "intended purpose or reasonably foreseeable use includes a logical or physical, direct or indirect data connection to a device or a network.” These are products that combine traditional goods or services with digital functionalities or components. This includes all products that are directly or indirectly connected to other devices or a network, such as products associated with the Internet of Things (IoT).
This regulation will be fully effective from December 11, 2027. However, the obligation for manufacturers of digital products to notify any actively exploited [1] vulnerability, and any serious incident impacting the security of the product with digital elements, of which they become aware, to the CSIRT network and ENISA [2] within 24 hours, will apply as early as September 11, 2026. The obligations related to the notification process and the implementation of conformity assessment bodies by Member States will apply from June 11, 2026.
With the implementation of this Regulation, only products with digital elements that meet the essential cybersecurity requirements set out in Part I of Annex I of the CRA may be made available on the EU internal market, provided they are correctly installed, maintained, used for their intended purpose or under reasonably foreseeable conditions, and, if applicable, have had the necessary security updates installed. In addition, these products can only be placed on the market if the processes applied by the manufacturer also meet the essential cybersecurity requirements set out in Part II of Annex I.
It is up to the manufacturer to demonstrate compliance with the essential cybersecurity requirements and to carry out a conformity assessment [3] of the said product. A cybersecurity risk assessment must also be conducted, ensuring that the CE marking [4] is affixed, indicating that the necessary standards are met and that the products can be safely sold throughout the EU.
Digital products whose main functionality falls within a category of products listed in Annex III of the Regulation are considered important products with digital elements, and those whose main functionality falls within a category of products listed in Annex IV are considered critical products with digital elements and are subject to stricter conformity assessment procedures. Seeking to create additional levels of transparency and neutrality, this assessment must necessarily be carried out by third parties (conformity assessment bodies). Among the important and critical products with digital elements are authentication and access control readers, including biometric readers, password managers, VPNs, SIEMs, network management systems, among others.
The Regulation establishes a broad set of new obligations for manufacturers of digital products, but also for importers and distributors of these products, who are responsible for verifying, assessing, and ensuring that they are secure and comply with applicable law (e.g., verifying the inclusion of the CE marking on the product).
Users of products with digital elements, such as .PT, must consult the information and instructions that must be provided by the manufacturer.
Also in this regard, non-compliance with the law may result in the imposition of heavy fines—up to 15 million euros or 2.5% of the offender’s global turnover in the previous fiscal year—or product recalls.
The implementation of the Regulation will be supervised at the European level by ENISA. Each Member State will be responsible for designating the national authorities that will oversee the application of these additional cybersecurity requirements.
The CRA is an important legal instrument that is part of the EU Cybersecurity Strategy of 2020 and joins other applicable regulations in this field, namely the NIS2 Directive, the CER Directive, and the DORA Regulation, seeking to strengthen digital security in the EU, protecting consumers, businesses, and critical infrastructures.
[1] A vulnerability for which there is reliable evidence of its exploitation in a system by a malicious actor without the system owner's authorization (Article 3(42) of the CRA).
[3] A risk analysis that ensures products comply with certain rules before being placed on the EU market. The conformity assessment is carried out during the design and production phases of the product.
[4] The "CE" marking appears on many products marketed within the extended single market of the European Economic Area (EEA). This marking indicates that products sold in the EEA have been assessed and meet high standards of safety, health, and environmental protection.
Please note: the articles on this blog may not convey the opinion of .PT, but of its author.