Find a lawyerOur capabilitiesYour careerSearch
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  2. Tech, data and AI: The digital frontier
  3. EU Digital Strategy
  4. Cyber Resilience Act
Cyber Resilience Act
Status: In force
  • In force since 10 December 2024.
  • Application: 11 December 2027 of generally all rules of the CRA, with certain exceptions where obligations are applicable earlier: (1) 11 September 2026 for the reporting obligations of manufacturers for incidents and vulnerabilities, (2) 11 June 2026 for the establishment of national conformity assessment bodies

Summary

Horizontal regulation that covers all wired and wireless products connected to the internet and software.

Scope

  • Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software​ placed on the EU market

Key elements

  • Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
  • Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking​

Challenges

  • Definition of hardware and software products that fall under the CRA is still being discussed
  • Overlap with other Acts of the EU Digital Strategy

EU Digital Strategy Hub
Data Governance Act
Data Act
European Data Spaces
Cyber Resilience Act
Digital Markets Act
Digital Services Act
NIS2 Directive
AI Act
AI Liability Directive
DSM Directive
European Media Freedom Act
eIDAS 2.0
Political Advertising Regulation
Digital Operational Resilience Act (DORA)
Related capabilities
Artificial intelligence
Automotive
Data, privacy and cyber security
Fintech
Industrials
Life sciences
Technology
Blogs

Blogs

Blog
Feb 5 2025
German Election #2: Digital Policies in the 2025 Election Campaign – How Germany’s Political Parties Want Germany to Catch Up on Digitalisation
On 23 February 2025, almost 60 million German voters will elect a new federal parliament in snap elections after the collapse of the...
Blog
Nov 20 2024
Cyber Resilience Act – How to implement the new cybersecurity rules for digital products
The Cyber Resilience Act (CRA) has become reality: it has been published in the Official Journal of the EU on 20 November 2024 and will...
Blog
Mar 10 2023
Top EU data regulation trends for 2023
2022 was a year full of challenges for global businesses, and in particular in the realm of data protection regulation in the EU. 2023...
Blog
Sep 15 2022
Cybersecurity Resilience Act - EU proposes stricter cybersecurity rules for connected products
The European Commission proposed a Cyber Resilience Act (CRA) on 15 September 2022 aimed at protecting consumers and businesses from...
Contacts
Düsseldorf, Frankfurt am Main
Theresa EhlenPartner
Düsseldorf
Christoph WerkmeisterPartner
Vienna, Düsseldorf
Lutz RiedePartner
London
Andrew AustinPartner, Head of London Dispute Resolution
Related capabilities
Artificial intelligenceAutomotiveData, privacy and cyber securityFintechIndustrialsLife sciencesTechnology
Related capabilities
FIND US IN
All locations
NAVIGATE TO
About usYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome

Select language: