
The Cyber Resilience Act (the "CRA") entered into force on 10 December 2024 and applies in full from 11 December 2027. Manufacturers of in-scope products should start the compliance journey as soon as possible to avoid impacts to the product development cycle and non-compliance risk exposure.
What is the CRA?
The CRA is a new EU regulation that introduces mandatory cybersecurity requirements for hardware and software products. The key objectives of the CRA include:
- ensuring that in-scope products placed on the European market have fewer vulnerabilities, and that manufacturers remain responsible for cybersecurity throughout the product lifecycle;
- improving transparency on security of hardware and software products; and
- establishing resilience in the digital market in Europe and improving protections against cyber threats.
What kinds of products are caught by the CRA?
The CRA applies to "products with digital elements", meaning "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately".
Taking each of these terms in turn:
- "software" means "the part of an electronic information system which consists of computer code" (e.g., operating systems and word processing applications);
- "hardware" means "a physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data" (e.g., motherboards and microprocessors); and
- "remote data processing solutions" means "data processing at a distance for which the software is designed and developed by or on behalf of the manufacturer of the product with digital elements concerned, the absence of which would prevent the product with digital elements from performing one of its functions" (e.g., cloud enabled functionalities provided by a manufacturer of smart home devices that enable users to control such devices).
The definition of "products with digital elements" is broad and applies to a wide range of products, for example laptops, tablets, VR headsets and baby monitors.
Who does the CRA apply to?
The CRA applies to manufacturers of in-scope products (e.g., a business that produces gaming devices), as well as importers (e.g., a business that brings smartphones produced by a foreign manufacturer into the European Union for sale) and distributors of in-scope products (e.g., a retailer of in-scope products).
Taking each of these terms in turn:
- "manufacturer" means "a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge";
- "importer" means "a natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union"; and
- "distributor" means "a natural or legal person in the supply chain, other than the manufacturer or the importer, that makes a product with digital elements available on the Union market without affecting its properties".
Key requirements
From 11 December 2027, manufacturers of in-scope products must, among other things:
- assess the cybersecurity risks associated with an in-scope product, and take steps to mitigate those risks during the planning, design, development, production, delivery and maintenance phases;
- ensure that in-scope products comply with the CRA's essential cybersecurity requirements, and are not placed on the market if suffering from any known vulnerabilities;
- prepare certain technical documentation, carry out a conformity assessment, and affix the product with the CE marking;
- take steps to address vulnerabilities and/or issues identified during the in-scope product's support period;
- ensure that in-scope products are accompanied by certain documentation and instructions; and
- satisfy certain transparency requirements.
Certain in-scope products are deemed to be "important" (e.g., password managers, operating systems and internet connected toys) or "critical" (e.g., smartcards), and are subject to stricter conformity assessment procedures as a result. The European Commission is empowered to amend the lists of "important" and "critical" products.
Importers and distributors will also be subject to certain requirements. For example, importers of in-scope products must ensure that relevant manufacturers have conducted the appropriate conformity assessment for in-scope products, before permitting the sale of such products in the European Union.
Reporting obligations
From 11 September 2026 (i.e., in advance of 11 December 2027), manufacturers will be required to notify the European Union Agency for Cybersecurity (ENISA) and their competent Member State authority of actively exploited vulnerabilities and severe incidents affecting in-scope products. This notification must be made without undue delay, and in any event within 24 hours of the manufacturer becoming aware of the vulnerability or incident. Where necessary, follow-up reports are required within 72 hours, and final reports are required: (i) no later than 14 days after a corrective or mitigating measure is available, in the case of actively exploited vulnerabilities; and (ii) within one month of the 72-hour report, in the case of severe incidents.
Manufacturers will also be required to notify users of affected in-scope products without undue delay.
Fines
The maximum penalty that could apply for non-compliance with the CRA is the greater of: (i) €15 million; or (ii) 2.5% of global annual turnover for the previous financial year.
How to prepare
Manufacturers should:
- begin assessing whether products that are, or will be, made available on the EU market fall within the scope of the CRA, and whether they qualify as "important" or "critical"; and
- develop a roadmap to ensure that in-scope products will comply with the CRA requirements by 11 December 2027.
Please contact John Timmons or Joe Devine if you have any questions about the CRA, or require assistance with taking steps to comply with the incoming requirements.
Natasha Parsons (Trainee Solicitor, United Kingdom, White & Case) co-authored this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP