On 20 November 2024, the EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) was published in the Official Journal of the EU. It entered into force on 10 December 2024, starting the phased application of the CRA obligations.
The European Union adopted the Cyber Resilience Act to strengthen the cybersecurity of connected hardware and software products placed on its market. The CRA is a harmonizing EU regulation, the first of its kind to set horizontal cybersecurity requirements for products in order to protect consumers and businesses from cybersecurity threats. It is a key element of the EU's Cybersecurity Strategy for the Digital Decade.
Like the GDPR and the EU AI Act, the CRA is an EU Regulation rather than a Directive, so it applies directly in all EU Member States without national transposition. The CRA provides for a phased transition period: the provisions on the notification of conformity assessment bodies apply from 11 June 2026, the manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11 September 2026, and the remaining obligations, including the essential cybersecurity requirements and CE marking, apply from 11 December 2027.
Overview of the EU Cyber Resilience Act
The Cyber Resilience Act establishes a unified regulatory framework to address cybersecurity risks associated with products with digital elements (PDEs), the regulation's term for hardware and software products that can be connected, directly or indirectly, to another device or network. The act seeks to close gaps in software and hardware security by imposing binding requirements on manufacturers, importers, and distributors operating within the EU. As cyber threats grow in sophistication, the CRA's framework aims to ensure that connected products are designed, developed, and maintained with security as a core priority.
With limited exceptions for specific categories, the CRA covers all products that can be connected directly or indirectly to other devices or networks, whether hardware (smartphones, routers, Internet of Things devices) or software (operating systems, applications, libraries), including the remote data processing solutions, such as a cloud backend, without which a product cannot perform its functions. It is one of the most comprehensive product-security regulations the EU has adopted.
Purpose of the Cyber Resilience Act
The primary aim of the CRA is to enhance the resilience of digital systems across the EU by:
- Minimizing cybersecurity risks: Setting baseline security requirements for connected products, covering both their design (secure by default, no known exploitable vulnerabilities at release) and the handling of vulnerabilities discovered after release.
- Improving market transparency: Requiring manufacturers to provide users with security information and instructions, to publish information about fixed vulnerabilities, and to report actively exploited vulnerabilities and severe incidents to the authorities.
- Harmonizing cybersecurity practices: Providing uniform rules across all EU Member States to streamline compliance and promote fair competition.
The CRA helps protect consumers, safeguard critical infrastructure, and foster trust in digital technologies by addressing these objectives.
Scope and Applicability
The Cyber Resilience Act applies to PDEs made available on the EU market, regardless of whether they are manufactured in the EU or imported. This includes:
- Hardware products whose intended or reasonably foreseeable use includes a direct or indirect logical or physical data connection to another device or network.
- Software products, whether standalone or embedded in a device, that can be connected in the same way.
- Remote data processing solutions, such as cloud-based services and platforms, that are integral to the operation of a connected product and without which it could not perform its functions.
The CRA applies to all economic operators of PDEs available on the EU market. This includes:
- manufacturers (and their authorized representatives)
- importers
- distributors
- any other natural or legal person subject to obligations concerning the manufacture of PDEs or making them available on the market (including retailers).
Manufacturers must ensure their products comply with the act's essential cybersecurity requirements throughout the product lifecycle, including the design, development, and maintenance phases. The obligations continue after a product is on the market: for a support period reflecting the product's expected lifetime, and in general for at least five years, manufacturers must handle vulnerabilities effectively and provide security updates.
The CRA excludes PDEs that are already subject to sectoral EU legislation with cybersecurity requirements of at least equivalent effect, such as medical devices, motor vehicles subject to type-approval, civil aviation equipment, and marine equipment. Software offered purely as a service (SaaS) is outside the CRA unless it is a remote data processing solution integral to a product; such services fall under the NIS2 Directive instead. The AI Act does not exclude products from the CRA; the two regulations apply cumulatively, as described below.
Importance of the Cyber Resilience Act
The CRA is critical in addressing several pressing challenges in today’s digital ecosystem:
- Rising cyber threats: With the rapid proliferation of IoT devices, cyberattacks have surged, targeting vulnerabilities in connected systems. The CRA provides a much-needed regulatory framework to mitigate these risks.
- Consumer protection: By enforcing transparency and accountability, the act empowers consumers to make informed decisions and trust the products they use.
- Economic impact: The CRA reduces the financial and reputational damage caused by cyberattacks, benefiting businesses and ensuring the stability of the EU’s digital economy.
- Critical infrastructure security: As many connected products are integral to essential services, such as healthcare and transportation, the CRA strengthens the resilience of critical infrastructure.
Connection with the EU AI Act
The EU AI Act and the CRA share a common goal: fostering trust and safety in the digital age. While the AI Act sets risk-based rules for developing, placing on the market, and using AI systems, the CRA addresses the cybersecurity risks that could compromise the products those systems run in or on.
For example, the CRA explicitly provides that PDEs that also qualify as high-risk AI systems under the AI Act are deemed to comply with the cybersecurity requirement of Article 15 of the AI Act where they fulfill the corresponding essential requirements of the CRA and the CRA's conformity assessment procedure has been followed.
AI technologies, often embedded in connected devices, rely on secure data flows and robust infrastructure to function effectively. A lack of cybersecurity can lead to data breaches, manipulation of AI algorithms, or even unauthorized control of AI-powered devices. The CRA’s emphasis on securing digital products directly complements the AI Act’s efforts to ensure the safe and ethical use of AI.
Moreover, both acts promote transparency and accountability. For instance, while the AI Act imposes technical documentation and transparency obligations on providers of AI systems, the CRA requires manufacturers to document their products' cybersecurity, handle and disclose vulnerabilities, and provide security updates. Together, these regulations create a framework in which innovation and safety go hand in hand.
Implications for Businesses
Businesses operating in the EU or exporting to its market must prepare to comply with the CRA by:
- Conducting cybersecurity risk assessments of their products and documenting the results in the technical documentation.
- Implementing secure design principles and a vulnerability handling process, including a software bill of materials (SBOM) and a coordinated vulnerability disclosure policy.
- Establishing an incident and vulnerability reporting process: an actively exploited vulnerability must be notified with an early warning within 24 hours of becoming aware of it, a vulnerability notification within 72 hours, and a final report within 14 days of a corrective measure becoming available.
- Maintaining detailed documentation to demonstrate compliance with CRA requirements and to support the conformity assessment and CE marking of the product.
- Collaborating with cybersecurity experts to navigate the complexities of the regulation.
Non-compliance can result in significant penalties, including fines of up to €15 million or 2.5% of annual global turnover, whichever is higher, for breaches of the essential cybersecurity requirements.
Conclusion
The EU Cyber Resilience Act is a landmark regulation that strengthens the security and resilience of connected products in an increasingly digital world. By aligning with complementary regulations like the EU AI Act, it establishes a comprehensive framework for safeguarding Europe’s digital future. For businesses and consumers alike, the CRA represents a crucial step toward building a secure, trustworthy, and innovative digital ecosystem.
As implementation unfolds, organizations must prioritize compliance to avoid penalties and position themselves as leaders in a highly competitive digital market.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.