Cyber Resilience in the Spotlight: What, for Whom, Why, and When?

27. Feb 2026

Access to the EU market will soon require more than just CE marking. Do you know what will be required from you?

What is the CRA?

The Cyber Resilience Act (CRA) establishes common minimum cybersecurity requirements and standards for products with digital elements, including hardware, software, and data remote processing solutions available on the EU market. Its objective is to improve the digital security of products and reduce their vulnerabilities, thereby building trust and creating added value for product users.

Compliance with the requirements set out in the CRA will raise the level of cybersecurity in many products and across the entire supply chain. In addition, the regulation requires products and software to receive up-to-date security updates. It also introduces a duty of care for manufacturers and incident reporting obligations.

The three key pillars of cyber resilience are:

  • risk management
  • incident response and recovery
  • business continuity

The CRA will become a mandatory part of the CE marking requirements for placing products on the European market.

Who does the CRA apply to?

The Cyber Resilience Act applies to many companies that place new or updated digital products on the European market, including manufacturers, software developers, distributors, and importers.
It is important to understand that, unlike NIS2 or DORA, which regulate the network and information systems of critical entities, the CRA regulates products.

We trust that a company storing sensitive or highly sought-after assets, such as a bank, is subject to strict regulation. Until now, however, the same level of data protection has not been expected from products such as smartwatches or baby monitors. Today, users want to be confident that an IoT product cannot be hacked.

Compliance with the essential CRA requirements creates added value for the product, as users of a compliant device can trust its security and understand the risks associated with its use.
By improving the security of products with digital elements, the CRA strengthens the digital resilience of all users—and consequently the entire European ecosystem.

Product categories under the CRA

The Cyber Resilience Act defines four categories of regulated products:

  1. Default category
  2. Important products – Class I
  3. Important products – Class II
  4. Critical products

The classification determines the required conformity assessment procedure for each product. The more critical the product, the more stringent the conformity assessment.
Independent third-party assessment and approval are required for the following product categories:

Important products – Class II:

  1. Hypervisors
  2. Firewalls, intrusion detection and prevention systems
  3. Tamper-resistant microprocessors
  4. Tamper-resistant microcontrollers

Critical products:

  1. Devices incorporating security chips
  2. Smart meter gateways
  3. Smart cards or similar devices, including secure elements

Now is the time to prepare

Companies have until 2027 to prepare for mandatory product approval.

  • Dec 10th, 2024: CRA enters into force.
  • Sep 11th, 2026: Incident reporting becomes mandatory, also for non‑certified products.
  • Dec 11th, 2027: CRA becomes fully applicable.

How SGS can help you meet CRA requirements

What does the CRA mean in practice for your company? How do you identify gaps in your product’s cybersecurity solutions?

This is where SGS comes in. We support decision making through gap assessments and provide independent and impartial conformity assessments that add value to your business and build trust among your customers.

The CRA covers a wide range of products. For Class II important products and critical products, mandatory third-party certification is required.

Do you need more information? We are ready to review your planned cybersecurity solutions and develop a tailored service package in a joint consultation to help you ensure CRA compliance for your product.

Contact us to begin assessing your specific needs.

Further reading

Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements, amending Regulations (EU) 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

The New Legislative Framework, which clarifies the use of CE marking and establishes tools for product legislation.

The European Commission’s website, which provides background information on the EU’s cybersecurity strategy, legislation and certification, as well as the Cyber Resilience Act.

The EU Official Journal: The Blue Guide on the implementation of EU product rules (2022).

About SGS

SGS is the world’s leading Testing, Inspection and Certification company. We operate a network of over 2,500 laboratories and business facilities across 115 countries, supported by a team of over 100,000 dedicated professionals. With more than 145 years of service excellence, we combine the precision and accuracy that define Swiss companies to help organizations achieve the highest standards of quality, compliance and sustainability.

Our brand promise – when you need to be sure – underscores our commitment to trust, integrity and reliability, enabling businesses to thrive with confidence. We proudly deliver our expert services through the SGS name and a portfolio of trusted specialized brands, including Applied Technical Services, Brightsight, Bluesign and Nutrasource.

SGS is publicly traded on the SIX Swiss Exchange under the ticker symbol SGSN (ISIN CH1256740924, Reuters SGSN.S, Bloomberg SGSN SW).
