Prepare for the Cyber Resilience Act today
Navigate the new regulatory landscape, ensure product and supply chain security, and build customer trust with our expert guidance for manufacturers, importers, and distributors.

Cyber Resilience Act
The Cyber Resilience Act (CRA) is a groundbreaking EU regulation designed to bolster the cybersecurity of digital products across the entire supply chain. It ensures that products with digital elements are secure by design, protecting consumers and businesses from growing cyber threats. The CRA sets mandatory cybersecurity requirements for manufacturers, importers, and distributors, fostering a more secure digital ecosystem across the European market and establishing clear responsibilities for each actor.
The Cyber Resilience Act demands a comprehensive and knowledgeable approach from all economic operators. We provide the expertise to guide manufacturers, importers, and distributors through every step.
Who will be affected
The Cyber Resilience Act (CRA) impacts all manufacturers, importers, and distributors of products with digital elements that are placed or made available on the EU market. This broad scope includes a vast range of hardware and software products, from consumer devices to industrial equipment. Whether your company is a manufacturer creating digital products, an importer bringing them into the EU, or a distributor making them available to end-users within the EU, the CRA applies to you. This includes companies based both within and outside the EU if they participate in the EU digital product supply chain.
When will it apply
The Cyber Resilience Act was adopted in October 2024 and became effective on December 11, 2024. The main portion of the regulation will apply from December 2027, providing a transition period for businesses to adapt to the new requirements.
However, companies must start reporting incidents and vulnerabilities to designated bodies from September 2026. It’s crucial for manufacturers, importers, and distributors to begin preparing now to ensure timely compliance across all their operations.
Why should you comply
Non-compliance with the Cyber Resilience Act can result in significant financial penalties for manufacturers, importers, and distributors, including fines up to 15 million Euro or 2.5% of your total worldwide annual turnover, whichever is higher. Beyond financial repercussions, non-compliance can damage your reputation, erode customer trust, disrupt supply chains, and leave your products and customers vulnerable to cyber threats. Compliance is not just a legal obligation for each actor in the supply chain; it’s a strategic imperative for building a secure and sustainable business in the digital age and maintaining access to the EU market.
Effects of new regulation
Regulation (EU) 2024/2847 (CRA) introduces comprehensive cybersecurity requirements for digital products across the EU, impacting manufacturers, importers, and distributors. This regulation goes beyond previous directives by directly targeting product security and placing specific obligations on each economic operator throughout the product lifecycle and supply chain. The CRA aims to create a level playing field, enhance consumer trust, and drive innovation in secure digital technologies, with shared responsibility across the supply chain.
We’ve outlined the key impact areas and requirements for manufacturers, importers, and distributors below:
Key points for manufacturers:
- Secure-by-Design Principles: Integrating security from the earliest stages of product development.
- Vulnerability Management: Establishing processes for identifying, addressing, and disclosing vulnerabilities.
- Regular Security Updates: Providing timely updates to patch vulnerabilities and maintain product security.
- Incident Reporting: Implementing mechanisms for reporting cybersecurity incidents and vulnerabilities.
- Documentation & Transparency: Providing clear information about product security features and vulnerabilities, including Software Bill of Materials (SBOM).
- Conformity Assessment & CE Marking: Undergoing conformity assessments and affixing CE marking to demonstrate compliance.
Key points for importers:
- Compliance Verification: Ensuring that products they place on the EU market comply with CRA essential requirements and manufacturer obligations.
- Documentation Checks: Verifying manufacturer’s conformity assessment, technical documentation, and EU declaration of conformity.
- Product Labeling: Ensuring products bear the CE marking and include necessary user instructions and importer contact information.
- Non-Compliance Action: Preventing placement of non-compliant products on the market and taking corrective actions for products already placed.
- Information Sharing: Informing manufacturers and market surveillance authorities about vulnerabilities and risks.
- Documentation Retention: Keeping EU declaration of conformity and technical documentation for the required period.
- Cooperation with Authorities: Providing information and cooperating with market surveillance authorities upon request.
Key points for distributors:
- Due Diligence: Acting with due care to ensure that products they make available on the market comply with CRA requirements.
- Verification of Compliance Markers: Checking for CE marking and verifying that manufacturers and importers have fulfilled their obligations.
- Non-Compliance Prevention: Not making non-compliant products available on the market.
- Corrective Actions: Taking corrective actions for non-compliant products already made available.
- Information Sharing: Informing manufacturers and market surveillance authorities about vulnerabilities and risks.
- Cooperation with Authorities: Providing information and cooperating with market surveillance authorities upon request.
Key points on expected benefits:
- Reduced Vulnerabilities: Proactive security measures across the supply chain leading to fewer vulnerabilities in digital products.
- Improved Software Updates: Timely and effective security updates ensuring ongoing protection for products in the market.
- Increased Consumer Confidence: Enhanced security fostering greater trust in digital products and the digital economy.
- Innovation in Cybersecurity: Driving the development of innovative security solutions and technologies across the ecosystem.
- Stronger Digital Ecosystem: Contributing to a more secure and resilient digital environment for businesses and consumers through shared responsibility.
Key points on timeline and enforcement:
- September 2026: Incident and vulnerability reporting obligations begin for all economic operators.
- December 2027: Main regulation becomes applicable; full compliance is required for manufacturers, importers, and distributors.
- Significant Penalties: Non-compliance can result in substantial fines and other enforcement actions for all operators.
- Market Access Implications: Compliance is essential for accessing the EU market for all involved in the supply chain.
- Supervisory Authorities: National authorities will oversee and enforce CRA compliance across all economic operators.
Credit Institution & Asset Manager
Supporting a client in carrying out a DORA gap analysis from the perspective of the company’s IT function, locating responsibilities and mapping the new requirements to the existing IT governance. Documented gaps and recommended actions were provided, with effort and timelines defined jointly. A thorough, cross-functional impact analysis was key to a smooth implementation. The project is now in rollout, and we continue to support the IT team as the affected first-line department.
Insurance Company
Currently assisting an insurance client with DORA compliance, starting with an awareness session for the Board and IT Management. We are carrying out an impact assessment of the (expected) effects in relation to the requirements already implemented and have delivered a DORA implementation concept. A key success factor was establishing central, cross-divisional coordination to manage the cross-departmental scope effectively.
Automotive Finance Service Provider
Supporting a leasing company in determining the applicability of DORA against the background of the Financial Market Stabilization Act in Germany, which has yet to be passed. We conducted a gap analysis against the current regulations (MaRisk / BAIT) and the new implementation requirements. The success factor is a careful and comprehensive impact analysis, especially since the client has branches in several European and non-European countries.

Enhancing Cybersecurity with the Cyber Resilience Act (CRA)
This whitepaper aims to provide a comprehensive overview of the CRA, its key provisions, and its impact on product security.

Let’s build a secure digital future together.

Nabeel Siddiqie
