Bryan Cave Leighton Paisner
Cyber Resilience Act Compliance Requirements
Pages
5
Time to read
6 mins
Publication
Language
English
This document is a guide detailing the Cyber Resilience Act (CRA), new legislation aimed at enhancing cybersecurity for digital products and services in the EU. The CRA introduces a phased implementation period of three years, during which manufacturers, importers, and distributors of products with digital components must comply with stricter cybersecurity requirements. The guide outlines the obligations for manufacturers, including conducting risk assessments, complying with essential cybersecurity requirements, and managing vulnerabilities for at least five years. Importers must verify compliance before market placement, while distributors are responsible for ensuring products bear the necessary certifications. The document also discusses the roles of relevant regulators, including the European Union Agency for Cybersecurity (ENISA) and national market surveillance authorities. Penalties for non-compliance are significant, with fines based on annual turnover. The CRA will come into force on December 10, 2024, with certain provisions applicable earlier, emphasizing the urgency for businesses to prepare for compliance.