Cyber Resilience Act – Text

by | Feb 14, 2025 | Cyber Resilience Act, Library, Regulations

The Cyber Resilience Act (2024/2847) is a European regulation establishing security requirements for connected products containing digital elements. It may apply to physical products as well as services-as-a-product.

  1. The CRA will normalize and elevate product security levels across the European market. It is strategically important for the entire ecosystem: manufacturers, importers, and integrators providing hardware, firmware, and software.
  2. The CRA ensures that security is integrated by design from manufacturing to maintenance processes throughout a product’s lifecycle.
  3. The CRA imposes penalties (up to €15M or 2.5% of global turnover) in case of non-compliance, along with a prohibition on selling the products concerned.

You can download the Cyber Resilience Act below and continue browsing our Library and website to find relevant and accurate information provided by the SPAC alliance and its members.

The annexes of the CRA specify several points of the regulation (details of the products and services concerned, declaration methodology, and evaluation procedure):

  • Annex 1: Essential Cybersecurity Requirements
    • Cybersecurity requirements relating to the properties of products with digital elements
    • Vulnerability handling requirements
  • Annex 2: Information and instructions to the users
  • Annex 3: Important products with digital elements
    • Class 1 (including access control readers, biometric readers, smart locks, CCTV…)
    • Class 2 (hypervisors, firewalls, microprocessors, microcontrollers)
  • Annex 4: Critical products with digital elements
  • Annex 5: EU Declaration of Conformity
  • Annex 6: Simplified EU Declaration of Conformity
  • Annex 7: Content of the technical documentation
  • Annex 8: Conformity assessment procedures