Cyber Resilience Act Obligations Overview
The Cyber Resilience Act (Regulation (EU) 2024/2847) establishes cybersecurity requirements for products with digital elements across 71 articles. Below are the key obligations extracted directly from the legislative text.
Key Obligations
Ensure cybersecurity of products with digital elements before market release
Meet essential cybersecurity requirements during product design, development and production
Implement vulnerability handling processes for the product's expected lifetime
Comply with market surveillance and enforcement rules
Products with digital elements that connect to devices/networks must comply with CRA requirements
Manufacturers must assess if their products fall within scope based on connectivity capabilities
Organizations must verify their products are not covered by exclusions before applying CRA requirements
Economic operators must understand their role classification (manufacturer, importer, distributor, etc.) to determine their specific obligations
Manufacturers must identify if their products qualify as 'products with digital elements' subject to the regulation
Organizations must use these standardized definitions when documenting compliance, reporting incidents, and communicating with authorities
Label non-compliant products clearly at trade shows and exhibitions
Mark unfinished software as 'for testing only' when made available
Essential Requirements
Subject matter
This article establishes the EU Cyber Resilience Act's main purpose: to set cybersecurity rules for digital products sold in the EU market. It requires manufacturers to build security into their products from the start and maintain it throughout the product's lifetime.
Key Requirements:
- Ensure cybersecurity of products with digital elements before market release
- Meet essential cybersecurity requirements during product design, development and production
- Implement vulnerability handling processes for the product's expected lifetime
- Comply with market surveillance and enforcement rules
Applies to:
All economic operators (manufacturers, importers, distributors) placing products with digital elements on the EU market
Scope
The CRA applies to any product with digital elements made available on the EU market whose intended purpose or reasonably foreseeable use includes a direct or indirect, logical or physical, data connection to a device or network (for example IoT devices, standalone software, or smart products). It excludes products already covered by sector-specific EU rules (medical devices, type-approved vehicles, civil aviation equipment, marine equipment), products developed exclusively for national security or defence purposes, and spare parts made available only to replace identical components.
Key Requirements:
- Products with digital elements that connect to devices/networks must comply with CRA requirements
- Manufacturers must assess if their products fall within scope based on connectivity capabilities
- Organizations must verify their products are not covered by exclusions before applying CRA requirements
Applies to:
All products with digital elements (hardware or software) that have direct or indirect data connections to devices or networks, when made available on the EU market, except for specifically excluded categories
Definitions
This article defines 51 key terms used throughout the Cyber Resilience Act, including what counts as a 'product with digital elements' (any software or hardware product), who the economic operators are (manufacturers, importers, distributors), and important cybersecurity concepts like vulnerabilities and incidents. These definitions establish the common language and scope for understanding who must comply with the regulation and what products are covered.
Key Requirements:
- Economic operators must understand their role classification (manufacturer, importer, distributor, etc.) to determine their specific obligations
- Manufacturers must identify if their products qualify as 'products with digital elements' subject to the regulation
- Organizations must use these standardized definitions when documenting compliance, reporting incidents, and communicating with authorities
Applies to:
All economic operators involved in developing, manufacturing, importing, or distributing products with digital elements in the EU market, including manufacturers, open-source software stewards, authorized representatives, importers, and distributors
Free movement
Member States cannot impede the making available of products with digital elements that comply with the CRA. Non-compliant products may still be shown at trade fairs, exhibitions, demonstrations or similar events, provided a visible sign clearly indicates that they do not comply and will not be made available until they do. Unfinished software that does not yet comply may be made available only for the limited period required for testing, again with a visible sign stating that it is not compliant and is available for testing purposes only.
Key Requirements:
- Label non-compliant products clearly at trade shows and exhibitions
- Mark unfinished software as 'for testing only' when made available
- Ensure products comply with CRA before general market availability
- Limit non-compliant software availability to testing periods only
Applies to:
Member States, manufacturers, distributors, and anyone presenting or testing products with digital elements in the EU market
Procurement or use of products with digital elements
Member States can add extra cybersecurity requirements when they buy or use digital products for special purposes like national security, as long as these don't conflict with EU law. When governments buy digital products covered by CRA, they must check that these products meet the Act's cybersecurity requirements and can handle vulnerabilities.
Key Requirements:
- Member States must ensure CRA compliance is considered in public procurement processes
- Any additional national cybersecurity requirements must be consistent with EU law
- Additional requirements must be necessary and proportionate to their purpose
- Procurement processes must verify manufacturers' ability to handle vulnerabilities effectively
Applies to:
Member States when procuring or regulating the use of products with digital elements, particularly for national security, defense, or public procurement purposes
Requirements for products with digital elements
Any product with digital elements (smart devices, software, connected products) may only be made available on the EU market if it meets the essential cybersecurity requirements and the manufacturer has the required vulnerability handling processes in place. The product must meet the requirements when properly installed, maintained and used for its intended purpose or under reasonably foreseeable conditions, and, where applicable, with the necessary security updates installed.
Key Requirements:
- Meet essential cybersecurity requirements from Part I of Annex I
- Ensure products are secure when properly installed and maintained
- Provide necessary security updates
- Implement manufacturer processes that comply with Part II of Annex I requirements
- Only market products that meet these requirements under reasonably foreseeable conditions of use
Applies to:
Manufacturers, importers and distributors making products with digital elements available on the EU market
Operator Obligations
Obligations of manufacturers
Manufacturers must ensure their products with digital elements meet the essential cybersecurity requirements before placing them on the market, conduct and document a cybersecurity risk assessment, handle vulnerabilities effectively throughout the support period (at least 5 years, unless the product is expected to be in use for a shorter time), and provide clear user information, instructions and a contact point for reporting vulnerabilities. They must also remediate vulnerabilities without delay and keep each security update they issue available for at least 10 years after it is issued or for the remainder of the support period, whichever is longer.
- Design and develop products according to essential cybersecurity requirements
- Conduct and document cybersecurity risk assessments
- Determine and provide a support period (minimum 5 years)
Reporting obligations of manufacturers
Manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of their products with digital elements within 24 hours of becoming aware of them, via the single reporting platform, to the CSIRT designated as coordinator and to ENISA. Reporting proceeds in three stages: an early warning (within 24 hours), a detailed notification (within 72 hours), and a final report (no later than 14 days after a corrective or mitigating measure is available for a vulnerability; within 1 month of the incident notification for an incident).
- Notify actively exploited vulnerabilities within 24 hours to the designated CSIRT and ENISA
- Submit a vulnerability notification within 72 hours with available details on the product, the nature of the exploit and the vulnerability, and corrective or mitigating measures taken and available to users
- Provide a final vulnerability report no later than 14 days after a corrective or mitigating measure is available
Obligations of importers
Importers may only place on the EU market products with digital elements that comply with the essential cybersecurity requirements and for which the manufacturer has put the required processes in place. They must verify that the manufacturer has carried out the appropriate conformity assessment and drawn up the technical documentation, keep a copy of the EU declaration of conformity for at least 10 years after the product is placed on the market or for the support period, whichever is longer, and inform the manufacturer and the market surveillance authorities without undue delay of any significant cybersecurity risk.
- Only import products that comply with essential cybersecurity requirements
- Verify the manufacturer has conducted the conformity assessment and drawn up the technical documentation
- Ensure products bear the CE marking and are accompanied by the EU declaration of conformity
Obligations of distributors
Distributors must verify that products bear the CE marking and that the manufacturer and importer have met their documentation and information obligations before making products available, must not make available a product they consider non-compliant until conformity is achieved, and must inform the manufacturer and the market surveillance authorities without undue delay of any significant cybersecurity risk. They must also inform the market surveillance authorities, and as far as possible the users, if they become aware that the manufacturer has ceased its activities and can no longer meet its CRA obligations.
- Verify the CE marking is present before making products available on the market
- Verify manufacturer and importer compliance with documentation requirements
- Do not make available products suspected of non-conformity until resolved
Conformity & Enforcement
Presumption of conformity
Products that conform to harmonised standards (or parts of them) whose references have been published in the Official Journal, to common specifications, or to a European cybersecurity certification scheme are presumed to comply with the corresponding CRA essential cybersecurity requirements. Where no suitable harmonised standard exists, or a standardisation request is not accepted or delivered in time, the Commission may adopt common specifications by implementing act as an alternative route to presumption of conformity.
EU declaration of conformity
Manufacturers must create an EU declaration of conformity that confirms their product meets all required cybersecurity standards. This declaration must follow a specific template, be kept updated, and be available in the required languages for each EU country where the product is sold.
Conformity assessment procedures for products with digital elements
This article defines the procedures manufacturers must use to demonstrate that their products meet the essential cybersecurity requirements. The procedure depends on the product's risk category: default products may be assessed by the manufacturer alone (internal control); important products generally require a notified body, except that class I important products may still self-assess if they fully apply the relevant harmonised standards, common specifications or a European cybersecurity certification scheme; critical products may be required, by delegated act, to obtain a European cybersecurity certificate, and otherwise follow the procedures for important products.
Presumption of conformity of notified bodies
If a conformity assessment body demonstrates that it meets the criteria laid down in the relevant harmonised standards (or parts of them) whose references have been published in the Official Journal, it is presumed to comply with the requirements for notified bodies, to the extent those standards cover them. This creates a streamlined qualification route for bodies seeking notification.
Next Steps
These requirements are extracted from the official legislative text. For detailed implementation guidance: