UPDATED: November 20, 2024
On November 20, 2024, the European Union officially published the Cyber Resilience Act (CRA), which introduces cybersecurity obligations for internet-connected hardware and software products offered in the EU (such as wearables). The CRA will enter into force on December 10, 2024 and companies have until September 11, 2026 to comply with the first wave of obligations.
The CRA creates significant new obligations for manufacturers, importers and distributors of such products in the EU, including conformity assessments, vulnerability reporting and after sales security updates.
Who Will the CRA Apply To?
As a product safety regulation, the CRA aims to enhance the security of the "Internet of Things" (IoT) by reducing the vulnerability of internet-connected products to cyberthreats.
It applies to companies that manufacture, import, and distribute products with digital elements in the EU, such as connected glasses, toys, household appliances, and wearables, regardless of where the company is based. This includes both software and hardware products, remote data processing solutions (e.g., cloud processing of data from wearables, software used to control devices remotely), and separately sold components. However, certain products are excluded from its scope, such as medical devices, motor vehicles, and aviation and marine equipment.
Products will be subject to stricter requirements depending on their function and level of risk, namely:
Core Obligations
The CRA will introduce obligations for the design, development, and maintenance of hard- and software products. The following obligations will apply to manufacturers:
Meanwhile, importers and distributors of digital products that become aware of cybersecurity risks in products will need to notify the manufacturer and authorities (if significant). They will also face product information obligations and will need to verify if the required documentation is in place for products with digital elements.
Entry into Force and Enforcement
The CRA will become law on December 10, 2024. Incident reporting obligations will take effect on September 11, 2026, while the remaining obligations will take effect on December 11, 2027.
National authorities will enforce the CRA with a wide array of powers (e.g., request access to data to assess the design of products and conduct coordinated sweeps). In addition, national data protection authorities will be able to request access to any CRA compliance documentation. Companies that violate the CRA may face fines of up to EUR 15 million or 2.5 percent of worldwide annual turnover. In cases of persistent noncompliance, authorities may require recalling or withdrawing products from the EU market.
Part of a Wider Focus on Cybersecurity in the EU
The CRA is part of the EU’s broader cybersecurity strategy and one of a series of new laws designed to strengthen cybersecurity and resilience in the EU. For example, the CRA complements new rules for companies operating in essential sectors, such as digital infrastructure, health, and many more (under the NIS2 directive) and financial services (under the Digital Operational Resilience Act). For more information on these cybersecurity regulations, refer to our previous Wilson Sonsini alerts for management here and the NIS2 directive here.
In addition, the EU also regulates data sharing for data generated by IoT products and related services that are essential to how the products function. Manufacturers of IoT products will be in scope of these requirements and have until September 12, 2025, to comply with the new obligations.
Next Steps
Companies should proactively assess its potential impact on their operations and adjust their cybersecurity strategies accordingly. A key priority is determining whether any of your products fall into the high-risk categories of "important" or "critical" products, as these will face stricter requirements. Additionally, now is the time to begin preparing the necessary documentation for compliance, including policies for coordinated vulnerability disclosure, to ensure a smooth transition when the CRA takes effect.
Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.
Wilson Sonsini Goodrich & Rosati routinely advises clients on privacy and cybersecurity issues. For further inquiries about the EU’s cybersecurity regulations, please contact Cédric Burton, Laura Brodahl, or any attorney from Wilson Sonsini’s EU data, privacy, and cybersecurity practice.
Jessica O’Neill and Hattie Watson contributed to the preparation of this Wilson Sonsini Alert.