As digital elements become increasingly integrated into everyday products—from routers and smart meters to robot vacuum cleaners and smart fridges—and we are increasingly reliant on these products with digital elements (“digital products”) in our daily routines, the risk of cyber incidents occurring increases accordingly. In environments with many such connected devices, even minor vulnerabilities can lead to significant issues, ranging from financial loss to physical harm.
To address these growing risks, the EU Cyber Resilience Act (“CRA”) recently came into force. The CRA introduces robust horizontal mandatory cybersecurity requirements, ensuring that all digital products meet minimum security standards throughout their lifecycle. Thus, the CRA aims to protect businesses and consumers, mitigate cybersecurity risks, and contribute to a safer and more secure digital ecosystem.
The CRA shifts the focus from traditional cybersecurity measures, which typically ended at product launch, to a comprehensive approach that covers the entire lifecycle of digital products.
Purpose & scope
Under the CRA, consumers must receive the necessary protection against unsafe products. It introduces a framework in which cybersecurity is integrated from the initial design stage (security by design) and continuously monitored throughout the product's lifecycle, ensuring consumer protection at all stages.
The CRA applies to products with digital elements intended for connection to a device or network. Such digital products refer to any software or hardware product, as well as remote data processing solutions, including software or hardware components that are sold separately. Examples of such products include (i) routers, (ii) smart meters, (iii) remote access software, and (iv) Internet of Things devices, such as robot vacuum cleaners and smart fridges.
Examples of digital products that are excluded from applicability of the CRA are (i) products already governed by sector-specific regulations, such as medical devices, automotive products and aeronautical equipment, (ii) products developed exclusively for national security or military use, (iii) open-source software developed or delivered in a non-commercial context, and (iv) software-as-a-service.
The CRA places cybersecurity responsibilities on manufacturers, developers and distributors of products with digital elements – so-called “economic operators” – to ensure the highest possible standards are met.
Obligations under the CRA
Obligations related to digital products span their entire lifecycle, from design, development and production (ex ante) to the obligations for products placed on the market and in use (ex post). The majority of the obligations are directed at manufacturers, although distributors and importers must also meet certain obligations. In fact, distributors and importers are treated in the same way as manufacturers if they market a digital product under their own brand or make significant modifications to an existing product.
Manufacturers must:
- meet the EU-wide standards for the design, development and production of digital products (as laid down in Annex I of the CRA). Products with digital elements must:
  - be designed, developed and produced to ensure an appropriate level of cybersecurity, and
  - be delivered without known vulnerabilities
- conduct conformity assessments to verify that these cybersecurity requirements are actually met. Certain ‘critical’ products require higher security levels
- monitor the products throughout their expected lifecycle and provide free updates to software
- maintain (technical) documentation for five years, demonstrating compliance with requirements
- provide clear, simple and understandable user instructions for products with digital elements
- address vulnerabilities and fix them for up to five (5) years, take corrective actions if non-compliance is discovered, and document all measures. Such measures may include:
  - providing security updates, or
  - initiating product recalls
- report vulnerabilities to the European Union Agency for Network and Information Security (“ENISA”) within 24 hours, with a detailed report in 72 hours and a final report in 14 days or one month. If the issue impacts product safety, vulnerabilities and mitigating measures must be reported to the users of the product immediately.
Supervision and enforcement
To ensure compliance with these obligations, the CRA introduces stringent supervision and enforcement measures. Manufacturers failing to meet their obligations may face fines of up to € 15 million or 2.5% of the manufacturer’s total global annual revenue from the previous financial year (whichever is higher). Distributors and importers that do not comply with their obligations could incur fines of up to € 10 million or 2% of their total global annual revenue from the previous financial year (whichever is higher).
Member States will designate national authorities responsible for market surveillance, compliance and enforcement.
Netherlands
In the Netherlands, it is expected that the Rijksdienst Digitale Infrastructuur (“RDI”), as the National Cybersecurity Certification Authority (“NCCA”), will oversee compliance with the CRA, ensuring that all economic operators meet the required cybersecurity and reporting standards. Oversight requires strong collaboration between national and international regulators, which the RDI is working to strengthen.
Belgium
In Belgium, it is anticipated that the Centre for Cybersecurity Belgium (“CCB”) will take on a leading role, particularly as the designated Computer Security Incident Response Team (“CSIRT”). The CCB will also collaborate with ENISA through a unified reporting platform in line with Article 14 of the CRA.
Under the CRA, the CCB is responsible for promoting cybersecurity awareness, supporting compliance efforts (especially for small manufacturers and developers), and serving as Belgium's CSIRT, managing vulnerability and incident reports through ENISA's platform. Additionally, it acts as the NCCA, overseeing CRA standards, conformity assessments and certifications.
Implementation
The CRA entered into force on 11 December 2024. As an EU Regulation, it applies directly in all Member States without requiring transposition into national laws. A phased implementation timeline is in place to allow economic operators to gradually adapt (with the main obligations applying from 11 December 2027):
- 11 June 2026: conformity assessment bodies will begin assessing product compliance with CRA requirements
- 11 September 2026: manufacturers must adhere to mandatory vulnerability and incident reporting obligations
- 11 December 2027: full CRA compliance is required, including meeting essential cybersecurity requirements before market entry, managing vulnerabilities throughout the product lifecycle, and ensuring transparency for users.
The CRA’s practical impact will depend on the effectiveness with which the requirements are implemented in practice, and compliance will largely depend on the enforcement capabilities of the relevant national authorities.
Our specialists Renée Schipper, Sara Ataei and Bente van Dijk are happy to help you navigate the legal complexities of the CRA — feel free to reach out.