Cyber Resilience Act

From 11 December 2027, only products that comply with the requirements of the Cyber Resilience Act (CRA) may be placed on the market within the European Union. The CRA contains requirements for the cybersecurity of products with digital elements.

What new requirements does the Cyber Resilience Act entail? Which products fall under the scope of the CRA? What do companies need to do? We have summarised the key facts for you.

What is the Cyber Resilience Act?

The Cyber Resilience Act (CRA) is an EU regulation that defines the Industrial Security requirements on products with digital elements. Affected products must undergo a fundamental review and modification. This is absolutely essential, as only CRA-compliant products may be placed on the market from December 2027 onwards.

When does the Cyber Resilience Act enter into force?

The CRA was published in the Official Journal of the EU on 20 November 2024. It entered into force on 10 December 2024 and will become mandatory in the EU from 11 December 2027. However, the manufacturers’ obligation to report exploited vulnerabilities will apply already from 11 September 2026, in accordance with the CRA.

What exactly does the CRA require?

The aim of the CRA is to provide better protection from cyber attacks for consumers and businesses. The CRA contains a variety of specifications for manufacturers, importers and distributors of products with digital elements, which are capable of communicating with other products. This includes hardware and software products. This extends across the whole product lifecycle, so from design, development, manufacture, delivery, and maintenance of the product, as well as its entire mission time at the customer's premises.

Is the Cyber Resilience Act a regulation or a directive?

The Cyber Resilience Act is an EU regulation and as such applies in all member states of the European Union, without being transposed into national law.

Which products fall under the scope of the CRA?

The CRA concerns components, specifically products with digital elements, for which a conformity check will be required.

The Cyber Resilience Act (CRA) applies to all products that contain digital components – such as software or high-risk AI systems – and are connected to networks or other devices. As a result, the scope of the CRA is very wide and includes the following product groups, among others:

• Industrial hardware and software such as IoT devices, programmable logic controllers (PLCs) and sensors
• Software solutions such as desktop, web and mobile applications, as well as operating systems
• Intelligent devices for private use, as well as hardware and software

These products are classified into different categories, depending on the potential risk. In particular, systems used in critical infrastructure, industrial production or the energy and industrial sector fall into higher risk classes. For these products, the requirements for the conformity assessment procedure are changing, as they can have a significant impact on public safety and economic stability.

What can we do? What are the requirements for companies?

A manufacturer of products with digital elements must comply with the Security requirements from the CRA. This entails the creation of a risk analysis and the definition and implementation of countermeasures to reduce any risks. It is also mandatory to create and maintain documentation on the risk assessment (and also on the countermeasures taken to reduce security risks). This must be retained for at least 10 years. Continuous monitoring for potential security vulnerabilities, free provision of security updates throughout the typical useful life of a product (at least 5 years), and the reporting of identified security vulnerabilities to ENISA and, where applicable, national bodies within 24 hours are also mandatory.

Even products that are already CRA-compliant and are not modified must still be tested and evaluated in accordance with transparent rules. Documentation of the results of the inspection must be kept for ten years. A software bill of materials must also be created, and it is necessary to prove that development and testing has been carried out in accordance with Industrial Security standards.

What does the EU declaration of conformity mean in relation to the CRA?

The manufacturer will continue to issue the EU declaration of conformity, stating that compliance with the essential cybersecurity requirements has been demonstrated. For manufacturers, this means that compliance with the requirements regarding risk assessment, vulnerability management, and documentation will be verified by a conformity assessment. If all the requirements are met, a declaration of conformity is issued. 

Is there still one EU declaration of conformity for all EU legislation?

If a product with digital elements is subject to several pieces of European Union legislation, each of which requires an EU declaration of conformity, a single EU declaration of conformity is issued for all EU legislation. This declaration specifies the relevant EU acts, along with their references in the Official Journal.

For how long must the EU declaration of conformity be available?

The manufacturer draws up a written declaration of conformity for each product model and keeps it available to the national authorities for ten years after the product with digital elements was placed on the market or during the support period, whichever is longer. The declaration of conformity must state the product model for which it was issued. A copy of the declaration of conformity shall be made available to the relevant authorities upon request.

What is the difference between the Cyber Resilience Act and NIS 2?

• The CRA contains basic cybersecurity requirements for the design, development and manufacture of products with digital elements, as well as obligations for economic operators with regard to these products in terms of cybersecurity.
• The NIS 2 Directive is aimed at companies and requires them to take organisational and technical measures to reduce Industrial Security risks within the company.
• Strengthening cybersecurity in the EU: The two sets of regulations – the CRA and the NIS 2 Directive – complement each other by addressing different levels of cybersecurity: the CRA focuses on product security, while NIS 2 targets the security of infrastructure and essential services. Together, they make an important contribution to the overall improvement of cybersecurity within the European Union.

For some years now, Pilz has been structuring its development process in accordance with the standard IEC 62443-4-1. As the "basic standard for Industrial Security", this standard defines the secure development of products, the "Security Development Lifecycle Process". In an audit, TÜV Süd has confirmed that our development processes are compliant. Pilz developments not only Safe, but also Secure!

This is important for our customers, because with Regulation (EU) 2024/2847 – the Cyber Resilience Act (CRA), there is another regulation relating to Security that will become mandatory in 2027, in addition to the new Machinery Regulation (Regulation (EU) 2023/1230).

Specifically this means that existing products will be modified where necessary, new products will be developed in compliance with the CRA and compliance (CE marking) will be adapted in accordance with the applicable requirements. Products that no longer meet the requirements will either be discontinued or continue to be available as spare parts. However, in the latter case they can no longer be used in new installations.