New Proposal from the EU Commission for a Cyber Resilience Act

On September 15, 2022, the European Commission presented a proposal for a Regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act (CRA). By introducing common cybersecurity rules for manufacturers and developers, the Act aims to ensure the security of connected products and software throughout their entire lifecycle.

As the number of smart products grows incessantly, so does the number of cyberattacks and their associated costs – which reached €5.5 trillion in 2021. Nonetheless, to date, most of the hardware and software placed on the EU market is not subject to any cybersecurity requirements. The CRA is the EU's latest effort to build a cybersecurity ecosystem – currently comprising the NIS Directive, NIS 2 Directive and EU Cybersecurity Act – capable of addressing such problems by providing clear rules on critical infrastructure, cybersecurity preparedness and response, and the certification of cybersecurity products.

Moreover, besides being a means to ensure security within the internal market, the Cyber Resilience Act is envisaged by the European Commission to become a point of reference for other jurisdictions across the world. Together with the recent proposal for a Regulation on Artificial Intelligence, the CRA exemplifies the willingness of the EU – embodied in the EU Digital Strategy – to become a global role model for the digital economy.

The Proposal in a nutshell

What products are affected?

The requirements set out in the proposed Regulation apply to products with digital elements that are intended to – or can be reasonably expected to – be directly or indirectly connected to another device or network.

According to Article 3(1) of the proposed text, products with digital elements shall be understood as “any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately” (EUR-Lex, 2019).

Not all connected products will fall under the scope of the new Regulation. Exceptions are provided with regard to devices for which cybersecurity requirements are already set out in existing EU legislation – e.g., medical devices, military products, or cars.

What is required?

Falling within the New Legislative Framework for product legislation in the EU, the proposed Regulation sets out the essential cybersecurity requirements for the design, development and production of products with digital elements and requires the manufacturer to follow a conformity assessment process to demonstrate compliance with the requirements applicable to their products. Depending on the type of device, manufacturers will have to:

  • Self-declare compliance – issuing a Declaration of Conformity – or,
  • Request the intervention of a Notified Body to certify the conformity of the devices.

At the end of the conformity process, the CE marking is affixed to the devices.

The obligations of manufacturers are not limited to the pre-market phase. To ensure the compliance and security of products throughout their entire lifecycle, the proposed Regulation sets out specific requirements for:

  • Handling vulnerabilities of products already on the market (e.g., implementation of security updates).
  • Reporting actively exploited vulnerabilities and incidents.

Manufacturers may be assisted in fulfilling some of their obligations (e.g., availability of technical documentation for Competent Authorities and communication with said Authorities) by an Authorized Representative appointed through a written mandate.

Other Economic Operators involved in the placing on the market of the products – i.e., distributors and importers – will also have to comply with specific obligations proportionate to their role and involvement within the supply chain.

What’s next?

The EU Parliament and the Council are now examining the proposed text to present amendments. Once the two co-legislators reach consensus and the Regulation is published in the EU Official Journal, manufacturers will have two years to adapt to the new requirements (one year for the provisions on reporting).

Are you an economic operator involved in the manufacture or distribution of connected products? Don’t forget to regularly visit the Obelis s.a. website to keep up to date with the latest regulatory updates on the Cyber Resilience Act!


Tommaso Poles

R&D Department


