UPDATED: November 20, 2024
On November 20, 2024, the European Union officially published the Cyber Resilience Act (CRA), which introduces cybersecurity obligations for internet-connected hardware and software products offered in the EU (such as wearables). The CRA will enter into force on December 10, 2024 and companies have until September 11, 2026 to comply with the first wave of obligations.
The CRA creates significant new obligations for manufacturers, importers and distributors of such products in the EU, including conformity assessments, vulnerability reporting and after sales security updates.
Who Will the CRA Apply To?
As a product safety regulation, the CRA aims to enhance the security of the “Internet of Things” (IoT) by reducing the vulnerability of internet-connected products to cyberthreats.
It applies to companies that manufacture, import, and distribute products with digital elements in the EU, such as connected glasses, toys, household appliances, and wearables, regardless of where the company is based. This includes both software and hardware products, remote data processing solutions (e.g., cloud processing of data from wearables, software used to control devices remotely), and separately sold components. However, certain products are excluded from its scope, such as medical devices, motor vehicles, and aviation and marine equipment.
Products will be subject to stricter requirements depending on their function and level of risk, namely:
- Baseline products with digital elements (e.g., smart speakers, toys), for which manufacturers can self-assess compliance.
- “Important products,” or those that carry a significant risk of harm, such as to user health, security, or safety. This includes a wide array of day-to-day items, such as identity management systems, biometric readers, VPNs, network management systems, virtual assistants, smart home products with security functionality, and wearables, which will be subject to minimum cybersecurity obligations. It also includes cybersecurity products, such as firewalls and intrusion detection and prevention systems, that will be subject to stricter assessment procedures.
- Products deemed “critical” because they perform specific functions and can cause serious harm if manipulated, such as by disrupting, controlling, or damaging many other digital products (e.g., smart meters).
- Lastly, products with digital elements that also classify as high-risk AI systems under the AI Act must follow specific cybersecurity requirements. This includes identifying and mitigating threats to an AI system’s cyber resilience, such as protecting against attempts by unauthorized third parties to alter its use, behavior, or performance. For more information about the AI Act, please see 10 Things You Should Know About the EU AI Act.
Core Obligations
The CRA will introduce obligations for the design, development, and maintenance of hardware and software products. The following obligations will apply to manufacturers:
- Essential cybersecurity measures. Manufacturers will have to ensure products with digital elements are protected against unauthorized access, and that their essential functions remain available at all times. In addition, they should design, develop, and produce their products in a way that limits the attack surface. They should further remediate vulnerabilities without delay, carry out effective and regular testing, and enforce a coordinated vulnerability disclosure policy, which enables individuals or entities to report vulnerabilities to the manufacturer.
- Cybersecurity risk assessment. Manufacturers must assess a product’s cybersecurity risks during design and development and address them throughout the product’s life cycle to minimize those risks.
- Conformity assessment. Manufacturers must also conduct a conformity assessment of the product before placing it on the EU market. They can choose from various procedures, ranging from internal controls to third-party assessments, depending on the nature of the product (e.g., important, critical).
- Vulnerability patching and documentation. Manufacturers will have to patch and document vulnerabilities and maintain appropriate policies and procedures outlining such obligations, including coordinated vulnerability disclosure policies. Vulnerability patching support must be provided for a period of five years after sale.
- Incident reporting. Manufacturers will have to notify the national Computer Security Incident Response Team (CSIRT) and the EU Agency for Cybersecurity (ENISA) of i) any exploited vulnerability in the product, and ii) any severe incident impacting product security. An early warning notification must be provided within 24 hours of becoming aware of the event. This should be followed by a full notification within 72 hours of becoming aware and a final report no later than 14 days after a corrective or mitigating measure is available. Manufacturers will also have to notify users of such an incident and, where necessary, of the corrective measures they can use to mitigate its impact.
Meanwhile, importers and distributors of digital products that become aware of cybersecurity risks in products will need to notify the manufacturer and, if the risk is significant, the authorities. They will also face product information obligations and will need to verify whether the required documentation is in place for products with digital elements.
Entry into Force and Enforcement
The CRA will become law on December 10, 2024. Incident reporting obligations will take effect on September 11, 2026, while the remaining obligations will take effect on December 11, 2027.
National authorities will enforce the CRA with a wide array of powers (e.g., request access to data to assess the design of products and conduct coordinated sweeps). In addition, national data protection authorities will be able to request access to any CRA compliance documentation. Companies that violate the CRA may face fines of up to EUR 15 million or 2.5 percent of worldwide annual turnover. In cases of persistent noncompliance, authorities may require recalling or withdrawing products from the EU market.
Part of a Wider Focus on Cybersecurity in the EU
The CRA is part of the EU’s broader cybersecurity strategy and one of a series of new laws designed to strengthen cybersecurity and resilience in the EU. For example, the CRA complements new rules for companies operating in essential sectors, such as digital infrastructure, health, and many more (under the NIS2 directive) and financial services (under the Digital Operational Resilience Act). For more information on these cybersecurity regulations, refer to our previous Wilson Sonsini alerts for management here and the NIS2 directive here.
In addition, the EU also regulates data sharing for data generated by IoT products and related services that are essential to how the products function. Manufacturers of IoT products will be in scope of these requirements and have until September 12, 2025, to comply with the new obligations.
Next Steps
Companies should proactively assess the CRA’s potential impact on their operations and adjust their cybersecurity strategies accordingly. A key priority is determining whether any of your products fall into the higher-risk categories of “important” or “critical” products, as these will face stricter requirements. Additionally, now is the time to begin preparing the necessary documentation for compliance, including policies for coordinated vulnerability disclosure, to ensure a smooth transition when the CRA takes effect.
Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.
Wilson Sonsini Goodrich & Rosati routinely advises clients on privacy and cybersecurity issues. For further inquiries about the EU’s cybersecurity regulations, please contact Cédric Burton, Laura Brodahl, or any attorney from Wilson Sonsini’s EU data, privacy, and cybersecurity practice.
Jessica O’Neill and Hattie Watson contributed to the preparation of this Wilson Sonsini Alert.