The Cyber Resilience Act (CRA) establishes EU-wide rules for the security of products with digital elements. Learn about scope, manufacturer obligations and CE marking.
Scope and applicability of the CRA
The Cyber Resilience Act applies in principle to all products with digital elements (i.e., products that are or contain software) that have a network or device connection and are placed on the EU market.
However, products already regulated by other EU legislation, such as medical devices, vehicles or aviation, are excluded. Defence articles, spare parts and products for which the Commission has granted an exemption are also outside the regulation. The regulation essentially aims to harmonise and strengthen cybersecurity requirements for most connected products across the EU.
Open-source software and cloud or software-as-a-service (SaaS) solutions occupy a special role within the scope.
Open source software
Open-source software is explicitly included in the scope. Article 3(48) defines “free and open-source software” as software whose source code is openly shared and provided under a free and open licence that allows free access, use, modification and redistribution. For such open-source products, Article 24 requires that “open-source software maintainers” implement a cybersecurity policy and cooperate with authorities on risk mitigation.
Cloud and software-as-a-service (SaaS)
SaaS and cloud solutions fall under the Cyber Resilience Act only if they are regarded as “remote data processing solutions” within the meaning of Article 3(2). Otherwise they are not considered a “product with digital elements” as defined in Article 3(1) and are thus not covered by the regulation.
Scope of the CRA - products with digital elements
In essence, all connected software, hardware and electronic products with data processing functions fall under the term “products with digital elements”.
According to Article 2 (Scope), the Cyber Resilience Act applies to:
> products with digital elements that are made available on the market and whose intended use or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network.
“Products with digital elements” (Article 3) means any software or hardware product as well as its remote data processing solutions, including software or hardware components placed on the market separately.
The core of the definition is that these are electronic information systems that can process, store or transmit digital data. This includes both software components and physical hardware components.
Remote data processing solutions refer to data processing for which the manufacturer is responsible and without which the product cannot perform one of its functions.
Products may have a logical (virtual) and/or physical (electrical, optical, mechanical) connection to other devices or networks, directly or indirectly as part of a larger system.
Exemptions from the CRA
The CRA applies to most products with digital elements that are connected to devices or networks when placed on the EU market. It does not apply to products already regulated elsewhere. These include:
- Medical devices: products with digital elements falling under Regulation (EU) 2017/745 on medical devices (Article 2(2a)).
- In vitro diagnostics: products with digital elements falling under Regulation (EU) 2017/746 on in vitro diagnostic medical devices (Article 2(2b)).
- Motor vehicle components: products with digital elements falling under Regulation (EU) 2019/2144 on motor vehicles (Article 2(2c)).
- Civil aviation: products with digital elements certified under Regulation (EU) 2018/1139 on aviation safety (Article 2(3)).
- Ship equipment: equipment falling under Directive 2014/90/EU on marine equipment (Article 2(4)).
- Products covered by other EU acts that achieve an equivalent or higher level of cybersecurity, as specified by the Commission in delegated acts (Article 2(5)).
- Spare parts that replace identical components in existing products with digital elements (Article 2(6)).
- National security and defence: products developed or modified solely for national security, defence or the processing of classified information (Article 2(7)).
Obligations of manufacturers of products
Manufacturers of products with digital elements have a wide range of obligations to ensure cybersecurity and conformity. These obligations include:
RISK MANAGEMENT AND CONFORMITY WITH ESSENTIAL REQUIREMENTS
Manufacturers must ensure their products are designed, developed and produced in accordance with the essential requirements, including the cybersecurity requirements set out in Annex I, Part I (Article 13(1)).
To comply, manufacturers must carry out a cybersecurity risk assessment and take it into account throughout the product lifecycle, including planning, design, development, production, delivery and maintenance (Article 13(2)).
The risk assessment must be documented, kept up to date and included in the technical documentation created for placing the product on the market (Article 13(3)-(4)).
Manufacturers must exercise due care when integrating components, including third-party components, to ensure those components do not compromise the product’s cybersecurity. This also applies to open-source software that has not been commercialised (Article 13(5)).
PROVISION OF UPDATES AND REMEDIATION OF VULNERABILITIES
When a vulnerability in a component, including an open-source component, is identified, manufacturers must report the vulnerability to the component’s manufacturer or maintainer and take steps to remediate it (Article 13(6)).
Manufacturers must systematically document the cybersecurity aspects of their products and update the risk assessment accordingly (Article 13(7)).
Manufacturers must ensure that vulnerabilities are effectively addressed during the entire support period, which must be at least five years (Article 13(8)).
Security updates must remain available for at least ten years after the product is placed on the market or for the duration of the support period (Article 13(9)).
When subsequent software versions are released, manufacturers must ensure that earlier versions can be upgraded to the latest version free of charge (Article 13(10)).
TECHNICAL DOCUMENTATION AND CONFORMITY ASSESSMENT
Manufacturers must produce technical documentation, carry out or have carried out conformity assessment procedures, issue the EU declaration of conformity and affix the CE marking (Article 13(12)).
The technical documentation and the EU declaration of conformity must be retained for at least ten years (Article 13(13)).
Manufacturers must ensure that products produced as part of a series continue to meet the requirements (Article 13(14)).
PRODUCT LABELLING AND USER INFORMATION
Manufacturers must ensure their products bear a unique identification number and that their contact information is provided on the product or its packaging (Article 13(15)-(16)).
Manufacturers must designate a single point of contact to enable users to communicate directly and quickly with them, and ensure that this contact is easy to identify (Article 13(17)).
Products must include the required information and instructions for users, which must remain available for at least ten years (Article 13(18)).
The end of support must be clearly and understandably indicated at the time of purchase (Article 13(19)).
Manufacturers must provide a copy of the EU declaration of conformity or a simplified EU declaration of conformity with the product (Article 13(20)).
CORRECTIVE MEASURES AND COOPERATION WITH AUTHORITIES
If products or processes are not compliant, manufacturers must promptly take corrective measures to bring them into conformity (Article 13(21)).
Upon request by market surveillance authorities, manufacturers must provide all necessary information and documentation and cooperate in measures to eliminate cybersecurity risks (Article 13(22)).
Manufacturers ceasing their business must inform the relevant market surveillance authorities and, where possible, users about the planned discontinuation (Article 13(23)).
These obligations make manufacturers responsible for the security and conformity of their digital products and require them to take all necessary measures to minimise potential cybersecurity risks.
Essential requirements of the CRA
Article 13 requires manufacturers to ensure their products are designed, developed and produced in accordance with the essential requirements, which include the cybersecurity requirements in Annex I, Part I.
Fundamentally, the CRA requires a risk-based approach to product development. This is reflected particularly in the first requirement:
- Appropriate cybersecurity level based on risks (Part I, paragraph 1). Example: A manufacturer conducts a risk assessment and implements appropriate security measures for its internet-enabled product.
Further requirements must be implemented based on the risk assessment:
- No known exploitable vulnerabilities at the time of placing on the market (Part I, paragraph 2(a)). Example: All known vulnerabilities are remediated before market placement.
- Secure default configuration (Part I, paragraph 2(b)). Example: The product is shipped with unnecessary services disabled and strong default passwords.
- Vulnerabilities addressable through security updates (Part I, paragraph 2(c)). Example: The product notifies users of new updates and provides a function for (automatic) security updates.
- Prevention of unauthorised access via access control (Part I, paragraph 2(d)). Example: Multi-factor authentication and user access management are implemented.
- Confidentiality of data protected by encryption (Part I, paragraph 2(e)). Example: Stored and transmitted data are protected by encryption.
- Integrity of data, commands and configurations protected (Part I, paragraph 2(f)). Example: Digital signatures and integrity checks detect unauthorised modifications.
- Data minimisation (Part I, paragraph 2(g)). Example: Only data necessary for functionality are collected and processed.
- Core functions remain available after incidents (Part I, paragraph 2(h)). Example: Fault-tolerant, redundant architecture and DDoS protection measures are implemented.
- Minimal negative impact on other devices and networks (Part I, paragraph 2(i)). Example: Restricted network access and bandwidth control are enforced.
- Minimisation of attack surface (Part I, paragraph 2(j)). Example: Unnecessary ports, services and interfaces are disabled.
- Damage limitation in the event of incidents (Part I, paragraph 2(k)). Example: Mechanisms such as sandboxing, least privilege and address space layout randomisation (ASLR) are used.
- Security monitoring and logging (Part I, paragraph 2(l)). Example: Security-relevant events are logged and monitored.
- Secure data sanitisation (Part I, paragraph 2(m)). Example: Users can fully and securely erase all data and settings.
Manufacturers must also ensure that vulnerabilities are effectively addressed during the entire support period.
Key requirements in this regard include:
- Documentation of vulnerabilities and components (Part II, paragraph 1). Example: A software bill of materials (SBOM) is provided in a common, machine-readable format.
- Timely remediation of vulnerabilities (Part II, paragraph 2). Example: Security updates are published promptly after a vulnerability is discovered.
- Regular security testing (Part II, paragraph 3). Example: Penetration tests and code reviews are performed routinely.
- Disclosure of remediated vulnerabilities (Part II, paragraph 4). Example: Details of vulnerabilities and security updates are published.
- Coordinated vulnerability disclosure (Part II, paragraph 5). Example: A policy for timely remediation and controlled disclosure is implemented.
- Point of contact for vulnerability reports (Part II, paragraph 6). Example: A secure communication channel for vulnerability reporting is provided.
- Secure distribution of updates (Part II, paragraph 7). Example: Security updates are distributed via encrypted and authenticated channels.
- Timely and free provision of security updates (Part II, paragraph 8). Example: Security updates are provided promptly and generally free of charge.
Reporting obligations under the CRA
Manufacturers are obliged to report vulnerabilities and security-relevant incidents comprehensively and promptly to ensure product cybersecurity and enable a rapid response to potential threats.
These reporting obligations include notification to the competent CSIRT and to ENISA via a single reporting platform. The reporting duties are divided into specific timeframes to ensure that information on vulnerabilities and security incidents is conveyed promptly and accurately.
Below are the detailed manufacturer obligations, divided into vulnerabilities and security-relevant incidents, with the corresponding timeframes.
Handling vulnerabilities
Manufacturers must promptly report actively exploited vulnerabilities found in their products to minimise exploitation by attackers and to ensure product security. These reports must be made within specified deadlines so that competent authorities can be informed quickly and take appropriate measures.
First early warning
The first early warning must be made within 24 hours of becoming aware of the actively exploited vulnerability. This notification must be sent to the competent CSIRT and to ENISA and include an initial alert about the vulnerability including the Member States where the product is available (Article 14(2)(a)).
Detailed notification
Within 72 hours of becoming aware of the vulnerability, a detailed vulnerability notification must be sent to the competent CSIRT and to ENISA. This notification must include general information about the affected product, the general nature of the vulnerability and exploits, the corrective or mitigation measures taken and measures users can take. It must also indicate how sensitive the reported information is (Article 14(2)(b)).
Final report
No later than 14 days after a corrective measure is available, a final report must be submitted to the competent CSIRT and to ENISA. This report must include a detailed description of the vulnerability, including its severity and impact, information about the attacker (if available) and details of the corrective measures taken (Article 14(2)(c)).
Handling security-relevant incidents
Manufacturers must also report serious security incidents that may affect the security of their produkter. These reports must be made within specified deadlines to ensure the impact of such incidents is minimised and appropriate countermeasures are taken rapidly.
First early warning
The first early warning must be made within 24 hours of becoming aware of the security-relevant event. This notification must be sent to the competent CSIRT and to ENISA and provide a preliminary description of the incident, including whether the incident is suspected to be due to unlawful or malicious actions, and information on affected Member States (Article 14(4)(a)).
Detailed notification
Within 72 hours of becoming aware of the incident, a detailed incident notification must be sent to the competent CSIRT and to ENISA. This notification must include general information on the type of incident, an initial assessment, corrective or mitigation measures taken and measures users can take. It must also indicate how sensitive the reported information is (Article 14(4)(b)).
Final report
Within one month of the detailed notification, a final report must be submitted to the competent CSIRT and to ENISA. This report must provide a detailed description of the incident, including its severity and impact, the nature of the threat or cause of the incident and the measures taken and ongoing (Article 14(4)(c)).
Notification of users
Manufacturers must inform affected users and, where necessary, all users about actively exploited vulnerabilities or security incidents. This information must also include risk mitigation and remedial measures that users can take (Article 14(8)).
Obligations of other actors
Beyond manufacturers, the CRA defines additional requirements for importers and distributors of products as well as for open-source software maintainers.
Importers
Under Article 19, importers may place on the market only products that comply with the essential requirements. They must ensure that the manufacturer has carried out the conformity assessment procedures, that technical documentation is available and that the CE marking has been affixed. They must provide their name and contact information on the product, its packaging or the accompanying documents. In case of non-compliance or safety risks, they must take measures and inform the competent authorities. The EU declaration of conformity and the technical documentation must be kept for at least 10 years, and importers must cooperate with market surveillance authorities upon request.
Distributors
Under Article 20, distributors must act with due care and ensure that the product bears the CE marking and meets the requirements. They must check whether the manufacturer and importer have provided the necessary information and markings. If they suspect non-compliance or safety risks, they must not place the product on the market and must inform the manufacturer and the market surveillance authorities. Distributors must also cooperate with authorities and provide relevant information upon request.
Open-source software maintainers
The CRA recognises the special role of free and open-source software (FOSS) in the digital ecosystem. FOSS projects generally fall into the self-assessment category. The CRA introduces the concept of an “open-source software steward”, which applies to legal entities that support FOSS projects without directly monetising them.
These open-source software maintainers have specific but less extensive obligations than commercial software manufacturers. Under Article 24, maintainers must adopt and document a cybersecurity policy that promotes secure development and the handling of vulnerabilities. They must cooperate with market surveillance authorities and provide the required documentation on request. Maintainers are obliged to report actively exploited vulnerabilities and serious incidents insofar as they are involved in the development of the products or the incidents affect their systems.
The precise impact of the CRA on the open-source community, and the associated challenges and opportunities, is examined in the article “Der Cyber Resilience Act und seine Auswirkungen auf Open-Source-Software”.
Non-compliance with the CRA
Sanctions and consequences for non-compliance are structured and tailored to the different types of infringement to ensure product security:
- Non-compliance with essential requirements: Failure to comply with the essential cybersecurity requirements in Annex I or the obligations under Articles 13 and 14 may be punished with fines of up to 15 million euros or up to 2.5% of the worldwide annual turnover of the preceding financial year, whichever is higher.
- Infringements of procedural and labelling obligations: Infringements such as incorrect affixing of the CE marking, absence of the EU declaration of conformity or failure to provide technical documentation can be fined up to 10 million euros or up to 2% of worldwide annual turnover. This category also covers non-compliance by importers and distributors.
- False statements and misleading information: Providing incorrect, incomplete or misleading information to notified bodies and market surveillance authorities, especially in response to information requests, can lead to fines of up to 5 million euros or up to 1% of worldwide annual turnover.
When determining the amount of fines, the nature, gravity and duration of the infringement as well as economic impact on the affected market are taken into account. The aim is to create a strong deterrent effect while preserving proportionality to enhance security in the EU digital single market.
Implementation of the CRA and IEC 62443
The IEC 62443 series of standards plays an important role in implementing the Cyber Resilience Act. In particular, IEC 62443-4-1, IEC 62443-4-2 and IEC 62443-3-3 address key CRA requirements in the areas of security requirements and vulnerability management.
The detailed mapping of CRA requirements to various standards published by ENISA confirms this relevance. It shows how IEC 62443 covers many CRA requirements, especially for industrial automation and control systems. The series therefore provides a valuable framework for manufacturers to systematically implement CRA requirements. At the same time, the ENISA mapping highlights gaps that further standardisation work needs to close.
Overall, IEC 62443 helps companies meet the regulatory requirements of the CRA and improve the cybersecurity of their products.
Conformity with the CRA
The CRA introduces a comprehensive system for assessing and ensuring the conformity of products with digital elements. The system aims to achieve a high level of cybersecurity and resilience across the EU internal market. Conformity assessment is central and varies depending on the product’s risk classification and criticality.
The conformity assessment procedure to be chosen depends on the product’s risk level.
Products with digital elements
Products with digital elements (Article 6) constitute the base category. These products must meet the basic requirements in Annex I, Part I, and the manufacturing processes must comply with Annex I, Part II. No specific conformity assessment procedures are prescribed for this category, but manufacturers must ensure that products meet the security requirements when properly installed, maintained and used as intended.
Important products
Important products with digital elements (Article 7) form the second category. These products are defined by core functionalities corresponding to the categories listed in Annex III. They must undergo specific conformity assessment procedures to ensure compliance with the essential cybersecurity requirements.
Important product categories are divided into Class I and Class II as set out in Annex III. These classes are based on:
- Class I: products critical for cybersecurity, including authentication, intrusion prevention, endpoint security, etc.
- Class II: products that pose a significant risk of adverse effects, such as network management, configuration control, virtualisation or the processing of personal data.
For Class I important products: if harmonised standards or European cybersecurity certification schemes are not applied or only partially applied, the product and its manufacturing processes must undergo either an EU type-examination (Module B) together with internal production control (Module C) or comprehensive quality assurance (Module H).
For Class II important products, the manufacturer must demonstrate conformity with the basic requirements by similar procedures or, where applicable, via a European cybersecurity certification under the Cybersecurity Act. Integrating such a product into another product does not automatically subject the latter to the same assessment procedures.
Critical products
The third category covers critical products with digital elements (Article 8). These products are defined by delegated acts of the European Commission and must possess core functions listed in Annex IIIa.
Critical products must obtain a European cybersecurity certificate under the Cybersecurity Act with an assurance level of at least “substantial”. Criteria for identifying these products include critical dependency by essential entities and the potential for severe disruption of critical supply chains across the internal market.
Annex III for important products (Article 6) may be amended by delegated acts to add or change categories based on cybersecurity functions and risks. The Commission must consider market impacts and Member States’ readiness to adopt certification systems.
For critical products (Article 6a), the Commission may also determine by delegated acts which products require a European cybersecurity certificate and set the appropriate assurance level matching the product’s risks and intended use.
Conformity assessment procedures in the CRA
The CRA provides various conformity assessment procedures to ensure that products with digital elements comply with the basic requirements in Annex I. These procedures include:
Internal control
The simplest procedure, in which the manufacturer verifies and documents conformity internally (Annex VIII, Module A).
EU type-examination
An independent examination of the product design by a notified body, followed by internal production control by the manufacturer (Annex VIII, Modules B and C). This is intended especially for important Class I products when harmonised standards, common specifications or European cybersecurity certifications are not fully applied or available.
Comprehensive quality assurance
Under conformity assessment based on comprehensive quality assurance (Annex VIII, Module H), a notified body assumes overall quality control of the manufacturing process.
European cybersecurity certification
For critical products listed in Annex IV, certification under the Cybersecurity Act is required to demonstrate compliance with the basic requirements, where available and applicable (Article 8(1)). The certification must reach at least a “substantial” assurance level and may require the involvement of a notified body, depending on the chosen certification and protection profile.
Currently, the EUCC (EU Cybersecurity Certification Scheme on Common Criteria) is the first scheme under the Cybersecurity Act, based on ISO/IEC 15408 (Common Criteria). It is particularly suitable for security-critical products such as firewalls or cryptographic devices. Further sector-specific certification schemes are in development.
Further information on the individual conformity assessment procedures can be found in the article on CE marking.
Choosing the conformity assessment procedure
Products in all categories, including non-critical, important (Class I and II) and critical products, can potentially be certified through the statutory cybersecurity certification system. For important products not covered by harmonised standards and for critical products lacking an adopted certification scheme, the involvement of a notified body is required (Modules B+C or H). Internal production control (Module A) applies primarily to non-critical products and to Class I important products only when a harmonised standard has been applied in full.
The following table illustrates the decision process for selecting the appropriate procedure under the Cyber Resilience Act.
| Product type | Internal control (Module A) | EU type-examination (Modules B+C) | Comprehensive quality assurance (Module H) | Cybersecurity certificate |
|---|---|---|---|---|
| Non-critical | ✓ | ✓ | ✓ | ✓ |
| Important - Class I <br>(Annex III) | (✓)¹ | ✓ | ✓ | ✓ |
| Important - Class II <br>(Annex III) | ✓ | ✓ | ✓ | |
| Critical <br>(Annex IV) | | (✓)² | (✓)² | ✓ |

¹ Use of a harmonised standard is required to achieve full conformity.
² Only possible if no delegated act has been adopted that mandates certification for the product category.
Current status and CRA transitional periods
On 20 November 2024 the Cyber Resilience Act (CRA) was published in the Official Journal of the European Union. Key transitional dates:
- 20.11.2024: Publication of the CRA in the OJEU
- 10.12.2024: Entry into force of the CRA
- 11.06.2026: Requirements for conformity assessment bodies
- 11.09.2026: Reporting obligations for manufacturers
- 11.12.2027: Full applicability
The final text of the CRA is available in the Official Journal of the EU: https://eur-lex.europa.eu/oj/daily-view/L-series/default.html?&ojDate=20112024
Frequently asked questions (FAQ) on the CRA
Have more questions about the Cyber Resilience Act? See the detailed FAQ article: Häufige Fragen zum Cyber Resilience Act
It answers key questions on scope, deadlines and specific requirements for updates and conformity assessment, and offers practical recommendations for companies preparing for the new obligations.
Support for CRA implementation
The Cyber Resilience Act creates the EU’s first unified framework for the cybersecurity of digital products - from operating systems and connected devices to industrial control systems. Manufacturers are required to systematically integrate security requirements into product development, actively manage vulnerabilities and demonstrate conformity.
Secuvi supports companies in translating CRA requirements into their existing processes and products. We assist with impact assessments, develop practical implementation strategies and accompany technical, organisational and documentation measures through to market placement.
Whether for new developments or existing product portfolios, we clarify regulatory obligations and help embed security and compliance sustainably in your organisation.
Further information on CRA implementation: secuvi.com