Cyber Resilience Act | Freshfields

Find a lawyer Our capabilities Your career Search

Our capabilities

Select language:

Our capabilities

Select language:

Our thinking
Tech, data and AI: The digital frontier
EU Digital Strategy
Cyber Resilience Act

Cyber Resilience Act

Status: In force

In force since 10 December 2024.
Application: 11 December 2027 of generally all rules of the CRA, with certain exceptions where obligations are applicable earlier: (1) 11 September 2026 for the reporting obligations of manufacturers for incidents and vulnerabilities, (2) 11 June 2026 for the establishment of national conformity assessment bodies

Summary

Horizontal regulation that covers all wired and wireless products connected to the internet and software.

Scope

Applies to manufacturers, importers and distributers of wired and wireless products connected to the internet and software placed on the EU market

Key elements

Obligations for manufacturers: essential cybersecurity requirements; mandatory vulnerability handling process for the expected product lifetime or 5 years (whichever is shorter); conformity assessment (either third party or self-assessment depending on criticality and risk class of the product), high-risk AI products will have to apply the conformity assessment from AI Act.; information /transparency obligation
Due diligence obligations for importers and distributers: ensuring that products comply with essential cybersecurity requirements and bear the CE marking

Challenges

Definition of hardware and software products that fall under the CRA is still being discussed
Overlap with other Acts of the EU Digital Strategy

EU Digital Strategy Hub

Data Governance Act

European Data Spaces

Cyber Resilience Act

Digital Markets Act

Digital Services Act

AI Liability Directive

European Media Freedom Act

Political Advertising Regulation

Digital Operational Resilience Act (DORA)

Related capabilities

Artificial intelligence

Data, privacy and cyber security

Blogs

Blogs

German Election #2: Digital Policies in the 2025 Election Campaign – How Germany’s Political Parties Want Germany to Catch Up on Digitalisation

On 23 February 2025, almost 60 million German voters will elect a new federal parliament in snap elections after the collapse of the...

Cyber Resilience Act – How to implement the new cybersecurity rules for digital products

The Cyber Resilience Act (CRA) has become reality: it has been published in the Official Journal of the EU on 20 November 2024 and will...

Top EU data regulation trends for 2023

2022 was a year full of challenges for global businesses, and in particular in the realm of data protection regulation in the EU. 2023...

Cybersecurity Resilience Act - EU proposes stricter cybersecurity rules for connected products

The European Commission proposed a Cyber Resilience Act (CRA) on 15 September 2022 aimed at protecting consumers and businesses from...

Contacts

Düsseldorf, Frankfurt am Main

Theresa EhlenPartner

Christoph WerkmeisterPartner

Vienna, Düsseldorf

Lutz RiedePartner

Andrew AustinPartner, Head of London Dispute Resolution

Related capabilities

Artificial intelligence Automotive Data, privacy and cyber security Fintech Industrials Life sciences Technology

Related capabilities

FIND US IN

NAVIGATE TO

About us Your career Our thinking Our capabilities News

CONNECT

Find a lawyer Alumni Contact us

NEED HELP

Fraud and scams Complaints Terms and conditions

LEGAL

Accessibility Cookies Legal notices Transparency in supply chains statement Responsible procurement Privacy

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome

Select language: