Why the Cyber Resilience Act Matters

Loading component...

Consumer CompactElectrical and ElectronicsMarch 24, 2025

Loading component...

Adopted in 2024, the Cyber Resilience Act (CRA) is a key step in strengthening the European Union’s cybersecurity framework.¹ It mandates cybersecurity requirements for hardware and software products to enhance resilience, reduce vulnerabilities and protect consumers from increasing cyber threats. Manufacturers must understand the Act’s broader impact on product design, security protocols and market access as they prepare to meet these new requirements.

In an increasingly connected world, digital trust is vital. The CRA plays a crucial role in strengthening cybersecurity for European businesses and consumers by addressing vulnerabilities in digital products that expose users to cyberattacks. It offers a structured approach to enhancing cyber resilience, which is essential as cyber threats continue to evolve. By establishing clear cybersecurity requirements, the CRA ensures that both hardware and software products are resilient against malicious attacks. It applies to all connectable devices and software, including remote data processing solutions available on the EU market. Products that meet the regulations’ requirements for their risk level will display the CE mark, signaling compliance and commitment to cybersecurity.

The core principles of cyber resilience focus on:

Risk mitigation – minimizing vulnerabilities in digital products from the design stage onward
Incident recovery and response – ensuring effective strategies are in place to respond to and recover from cyber incidents
Business continuity – maintaining operational stability despite security incidents

The CRA impacts a wide range of economic operators within the European market, including manufacturers, software developers, distributors, importers and resellers involved in the supply of new or updated digital products. Unlike the Network and Information Security 2 (NIS2) Directive and Digital Operational Resilience Act (DORA), which relate to entities, the CRA regulates the security of products. This marks a fundamental change in cybersecurity governance in Europe.

Historically, cybersecurity efforts have primarily targeted industries handling sensitive data, such as financial institutions. However, as connected devices – from smart refrigerators and smartwatches to baby monitors – become more prevalent, they are increasingly targeted for cyberattacks. The CRA addresses this gap by ensuring that all connected devices, regardless of their function or market, meet specific security standards.

Building trust with certification

Under the CRA, manufacturers will be required to certify the cybersecurity of their products before they can be sold within the EU market. Certification not only ensures compliance but also serves as a key differentiator in the marketplace. As consumers become increasingly aware of cybersecurity risks, digital trust will be a significant factor in their purchasing decisions. Certification, therefore, becomes not just a regulatory requirement but a competitive advantage, offering assurance that a product is resilient to cyber threats.

By strengthening the cybersecurity of products with digital elements, the CRA contributes to a more secure and resilient digital ecosystem in Europe, positioning it to better handle emerging cyber threats.

Product categories and classification

One of the key elements of the CRA is its classification of digital products into four categories based on their cybersecurity risk level – Default, Important Products Class I, Important Products Class II and Critical Products. Each classification determines the level of security measures, certifications requirements and regulatory scrutiny the product must undergo before entering the European market. The higher the risk, the more rigorous the compliance process.

Default: Most products (around 90%), EU Declaration of Conformity (self-assessment)
Important Products Class I: Conformity assessment based on internal controls following harmonized standards (self-assessment possible)
Important Products Class II: High-risk products like hypervisors, firewalls and intrusion detection systems. Requires third-party certification
Critical Products: Devices with higher security risks, such as smart meter gateways and secure elements in smartcards. Requires stringent third-party certification through ENISA schemes, such as European Cybersecurity Certification (EUCC), at a minimum of ‘substantial’ level

Loading component...

Brighsight Graph Certification Type and Product Categories

Loading component...

Understanding these classifications and their associated compliance requirements is critical for manufacturers in determining the level of cybersecurity protection needed to meet the CRA’s requirements.

Timeline for CRA implementation

2024 – Approved by the European Parliament, adopted by the EC, published in the Official Journal of the EU (OJEU) and entered into force on December 10, 2024
September 11, 2026 – Manufacturers must begin mandatory incident reporting, which requires reporting actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours and ensuring timely updates
December 11, 2027 – Full enforcement of CRA requirements

Loading component...

Loading component...

Achieving compliance

The essential requirements of the CRA fall into two groups:

Thirteen product cybersecurity requirements – cover the level of security and the intrinsic characteristics of the products
Eight vulnerability handling requirements – cover the measures and processes implemented by manufacturers

These requirements are the core of the CRA, and their implementation will determine whether a product is considered to be compliant or not.

The European standardization organizations – European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) and European Telecommunications Standards Institute (ETSI) – have been tasked with developing new series of standards that comply fully with essential requirements of the CRA. Many of these new standards build on existing cybersecurity frameworks such as Security Evaluation Standards for IoT Platforms (SESIP), EN 303 645, IEC 62443 and EN 18031. Manufacturers already compliant with these standards will find it easier to align with the CRA’s requirements. However, these existing standards do not fully cover all the CRA’s essential requirements, creating a gap that still needs to be addressed.

Brightsight solution

Brightsight, an SGS company, provides comprehensive support for businesses navigating the CRA’s requirements. Our experts assist with gap analysis, evaluating existing cybersecurity practices and providing the necessary guidance to efficiently achieve certification. From training workshops and technical documentation reviews to conformance testing and final certification, we ensure that businesses are well-equipped to meet international market standards and maintain long-term compliance.

With a global network of state-of-the-art testing facilities, we are ready to help businesses achieve compliance with the CRA, ensuring products meet European cybersecurity standards and contributing to the resilience of the digital ecosystem.

Learn more about Brightsight