The topic of cybersecurity is increasingly becoming the focus of European legislators. On 10 October 2024, the Council of the European Union adopted the Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020. This so-called Cyber Resilience Act (CRA) is intended to establish a uniform legal framework for basic cybersecurity requirements for placing products with digital elements on the Union market. To this end, vulnerabilities resulting from a low level of cybersecurity and the inadequate provision of security updates are to be remedied. It also aims to address users’ lack of understanding and limited access to information to enable them to select and safely use products with appropriate cybersecurity features. Unlike other directives and regulations that have recently been adopted to strengthen IT security – such as the DORA Regulation – the Cyber Resilience Act is not sector-specific in its scope of application, but horizontal and is intended to cover all products with digital elements. The regulation will apply from November 2027. Reporting obligations for vulnerabilities and security incidents will already apply from August 2026. The obligations imposed on manufacturers, importers and retailers are extensive and the penalties for non-compliance with the legal requirements are severe. According to the motto ‘trust is good, control is better’, market participants will be forced by the GDPR, as they were years ago, to initiate all measures necessary to comply with the obligations under the CRA. What should the addressees of the regulation, such as manufacturers, be prepared for?

Who is Considered a Manufacturer Under the CRA?

A manufacturer within the meaning of the CRA is a natural or legal person who develops or manufactures products with digital elements or who has products with digital elements designed, developed or manufactured and markets them under his own name or brand, whether in return for payment or free of charge. A product with digital elements is a software or hardware product and its remote data processing solutions, including software or hardware components, which are to be marketed separately. This includes products with digital elements whose intended or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or a network. This can be anything from software, PCs and smartphones to robotic vacuum cleaners that can communicate with other devices or networks. For the manufacturers of such products, the range of new obligations is extensive and can therefore only be mentioned in part here. Among other things, before placing a product with digital elements on the market, they must prepare technical documentation in accordance with the CRA and carry out a conformity assessment procedure or have one carried out in accordance with the requirements of the regulation. An EU declaration of conformity must then be issued and a CE marking affixed to the product. After placing the product on the market and during the expected lifetime of the product or for a period of five years from placing a product with digital elements on the market, whichever is shorter, manufacturers must ensure that the product remains CRA compliant (updates). In addition, the manufacturer must notify the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerability contained in the product with digital elements without undue delay and in any event within 24 hours of becoming aware of it.

What Sanctions do Manufacturers Face if they Violate the CRA?

For the imposition of sanctions, the CRA provides that member states must adopt provisions on sanctions and take all measures necessary for the enforcement of the sanctions. The fines provided for by the CRA range from EUR 15,000,000 or – in the case of companies – up to 2.5% of the total worldwide annual turnover of the previous financial year, whichever is higher, for non-compliance with essential requirements or the above-mentioned producer obligations. Fines of up to EUR 10,000,000 or, in the case of companies, up to 2 % of the total worldwide annual turnover in the preceding financial year, whichever is higher, may be imposed for infringements of other obligations under this Regulation. If false, incomplete or misleading information is provided to notified bodies and market surveillance authorities in response to their request for information, fines of up to EUR 5,000,000 or – in the case of companies – up to 1% of the total worldwide annual turnover of the previous financial year, whichever is higher, will be imposed. It is therefore strongly advisable to comply with the requirements of the CRA and to implement them in a timely and conscientious manner.

Attorney Anton Schröder

I.  https://fin-law.de

E. info@fin-law.de

The lawyer responsible for questions relating to the Cyber Resilience Act, DORA and IT law at our law firm is Attorney Lutz Auffenberg, LL.M. (London). He is supported by Attorney Anton Schröder.