
The EU Cyber Resilience Act, and why it matters for US companies

Published on 14th May 2025

This article sets out the scope of the CRA, the key obligations for manufacturers, potential sanctions, and lastly why this all matters for US companies.


The Cyber Resilience Act (CRA) – as another crucial element of recent cybersecurity-driven legislation in the EU – will introduce comprehensive and detailed cybersecurity-related requirements for so-called products with digital elements and their manufacturers. These obligations range from technical specifications and documentation of products to remediation of vulnerabilities at no charge to the customer, including by providing security updates over the entire expected lifecycle of a product.

This article sets out the scope of the CRA, the key obligations for manufacturers, potential sanctions, and lastly why this all matters for US companies (regardless of whether or not they have any establishment in the EU).

Scope of the CRA

Generally speaking, the CRA applies to “[...] products made available on the [European] market with digital elements whose intended purpose or reasonably foreseeable use involves a direct or indirect logical or physical data connection to a device or network.”

Products with digital elements mean “a software or hardware product and its remote computing solutions, including software or hardware components, which are placed on the market separately”. Remote data processing means “data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions.”

Accordingly, the CRA applies to substantially all IoT devices, but also to software and other apps that are (at least in part) installed on the customers’ infrastructure but include a remote data processing component for at least one of their functions (e.g. because they run in the cloud). There is, however, a plethora of less evident cases also subject to the CRA. For example, any industrial machine with a remote processing component (even if only for monitoring or remote maintenance purposes) will likely be subject to the CRA.

The CRA will apply to all in-scope products being placed on the market on or after 11 December 2027, but reporting obligations regarding identified vulnerabilities will already apply from 11 September 2026.

Impact for US companies

Even though the CRA is a European regulation, it is in essence a market entry regulation. In-scope products may be sold within the European market only if they (and thus their manufacturers) comply with the extended requirements set forth in the CRA.

Against this background, the CRA impacts any manufacturers wanting to place in-scope products on the European market, regardless of whether they are themselves established within the EU. Accordingly, US manufacturers selling products within the EU will have to assess whether their products fall within the scope of the CRA and in such cases implement all relevant requirements stemming from the CRA (cf. below) if they intend to keep selling their products in the EU.

Key obligations

The CRA imposes the following key obligations on in-scope manufacturers:

Cybersecurity by design
Products must fulfil certain cybersecurity criteria and the manufacturer must adhere to certain cybersecurity processes, in particular regarding vulnerability handling (cf. below), each as prescribed by the CRA. In particular, products with digital elements must:

  • be made available on the market without known exploitable vulnerabilities;
  • be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor-made product with digital elements, including the possibility to reset the product to its original state;
  • ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;
  • protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state-of-the-art mechanisms, and by using other technical means.

Supply chain
Third-party components, including open-source software, must be duly assessed before they are integrated into the product.

Technical documentation
Each in-scope product must be provided with detailed technical documentation, including a software bill of materials (SBOM) and information on the design and development of the product with digital elements, such as, where applicable, drawings and schemes and a description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing.

Vulnerability handling and provision of security updates for the expected product lifecycle
Manufacturers must immediately address and rectify vulnerabilities during the expected product lifecycle (in any case no less than 5 years), including by providing security updates. The security updates must be made available to users free of charge.

Conformity assessments
Depending on the criticality of a product, manufacturers must conduct conformity assessments taking into account the applicable requirements stemming from the CRA and appropriately extend the scope of any relevant CE markings. In higher criticality tiers, adherence to specific conformity processes or involvement of official certification bodies may be required.

Reporting obligations
Manufacturers shall notify the competent authorities of any actively exploited vulnerability contained in the product, as well as any severe incident having an impact on the security of the product, after becoming aware of it.

Sanctions

Non-compliance may lead to prohibition and withdrawal of a product from the European market as well as to administrative fines of up to EUR 15 million or, if the offender is a business, up to 2.5% of its total worldwide annual revenue for the preceding financial year, whichever is higher.

How to prepare

In broad terms, to prepare for the CRA from a legal perspective, manufacturers should do the following:

Gauge your CRA exposure
Carefully assess whether you’re selling in-scope products on the European market. Given the rather convoluted provisions determining the scope of applicability of the CRA (cf. above), this assessment can be expensive. To mitigate this, try to group together sufficiently similar products. As achieving CRA compliance can be hard (and costly), strategically assess whether it is still commercially worthwhile selling certain products on the European market.

Understand the requirements and adapt existing processes / implement missing processes
Familiarise yourself with the specific requirements and obligations set out in the CRA for your in-scope products. Subsequently adapt your existing quality assurance and certification processes to these extended requirements. As the CRA also envisages product design-related requirements (cf. above: cybersecurity by design), this may also require changes to the product development processes. Ensure that you have the necessary reporting processes in place.

Get all stakeholders on board
CRA compliance is a multi-disciplinary effort and not merely a box-ticking exercise. Therefore, ensure that all required stakeholders are at the table, including Legal, Engineering, Quality Management, Cybersecurity Governance, Procurement etc.

Conduct a gap analysis
Evaluate your current cybersecurity practices and identify (and subsequently mitigate) any gaps or vulnerabilities for in-scope products as well as any relevant internal processes.

Develop a compliance strategy
Create a comprehensive strategy to achieve and maintain compliance with the CRA. This should include policies, procedures, and controls to address all relevant requirements.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.