The proposal for a regulation on horizontal cybersecurity requirements for hardware and software, known as the EU Cyber Resilience Act (CRA), would introduce common cybersecurity requirements to apply throughout the expected lifecycle of devices.

At present, there are no general cybersecurity requirements at EU level applying to all devices with digital elements. The existing cybersecurity rules apply specifically to certain products or sectors (e.g. the EU Cybersecurity Act, ECA).

The draft regulation covers a wide range of hardware and software. It applies the same cybersecurity requirements to all devices but adapts the way of assessing conformity to their risk level.

The draft CRA targets mainly manufacturers by imposing on them cybersecurity requirements in relation to the design of devices with digital elements. After the devices have been placed in the EU market, manufacturers would have to exercise a duty of care for at least five years.

Devices which do not comply with the requirements introduced by the draft regulation would be prohibited from accessing the EU market.

Our new cheat sheet provides an overview of the obligations introduced by the draft CRA and can be downloaded hereunder:
 

Download cheat sheet

(Updated 13 December 2024)

Clients of our European Digital Economy service, can also access it directly on our client portal via the following link: