
With the Cyber Resilience Act (Regulation (EU) 2024/2847) — the CRA — the European Union has created the first binding cybersecurity framework for all products with digital elements placed on the EU market. This covers both hardware and software: from connected household appliances and industrial controls to application software and operating systems. The CRA closes a longstanding regulatory gap: until now, cybersecurity requirements for products existed only in sector-specific rules, and a coherent, cross-product minimum standard was entirely absent. The CRA fundamentally changes this and sets new benchmarks for the entire European Single Market.
As of today, 11 June 2026, the provisions on the notification of conformity assessment bodies have entered into application. This means national authorities — in Germany, the Federal Office for Information Security (BSI) — have now established and published the required procedures for evaluating, designating, and officially notifying conformity assessment bodies. For manufacturers who need or wish to have their products certified by external bodies, this milestone is directly relevant: it is now clear which bodies are officially authorised and what accreditation requirements they must meet.
The Cyber Resilience Act takes a risk-based approach and distinguishes between different conformity pathways depending on the criticality of the product. However, the fundamental requirement applies equally to all products with digital elements: they must be designed and manufactured so that they achieve an appropriate level of cybersecurity. The legislature has set out specific minimum technical requirements that must be met before a product may be placed on the EU market.
At its core, the CRA requires that products be placed on the market without known exploitable vulnerabilities. The principle of minimal attack surface must be implemented; default configurations must be secure; and security updates must be provided throughout the entire product lifecycle — for at least five years. In addition, manufacturers must establish a vulnerability management process and demonstrate that they systematically address and remediate discovered security flaws.
The CRA divides products with digital elements into three categories, to which different conformity obligations are assigned. The classification is based on the security risk the product could pose in the event of an attack.
The CRA follows a phased implementation schedule. Companies should incorporate these deadlines into their compliance roadmap now.
All economic operators placing products with digital elements on the EU market are affected: manufacturers, importers, and distributors. Open-source software is also covered by the CRA, though exceptions apply for non-commercial projects. Companies that incorporate open-source components into commercial products bear full responsibility for the CRA compliance of the final product.
The penalties are severe: for violations of the essential cybersecurity requirements, fines of up to €15 million or 2.5% of global annual turnover may be imposed. The BSI, as the national market surveillance authority, can withdraw non-compliant products from the market, order recalls, and prohibit distribution.
Affected companies should take concrete steps now.
The Cyber Resilience Act marks a turning point in European product law. Cybersecurity becomes a mandatory legal requirement — comparable to physical product safety under product safety legislation. Those who invest early will secure competitive advantages and avoid substantial fines.
Do you have questions about the Cyber Resilience Act or the cybersecurity obligations applicable to your products? The lawyers at HUFELD PartGmbB are here to provide comprehensive advice. Get in touch now.