EU: Cyber Resilience Act published in Official Journal

On November 20, 2024, the Cyber Resilience Act was published in the Official Journal of the European Union. The Act introduces mandatory cybersecurity requirements for hardware and software products with digital elements and was previously signed by the European Parliament and Council of the European Union on October 23, 2024.

Essential requirements

The Act sets out several essential requirements that products with digital elements must meet to ensure their cybersecurity before they can be placed on the market, which include:

  • security requirements relating to the properties of such products, including that the product must be designed, developed, and produced in such a way as to ensure an appropriate level of cybersecurity based on the risks; and
  • vulnerability handling requirements, such as the identification and documentation of vulnerabilities, as well as putting in place tests, policies, and measures to facilitate information sharing.

Moreover, the Act clarifies which products qualify as 'important products with digital elements' and which additional requirements must be met. The Act also includes specific provisions for high-risk AI systems under the EU Artificial Intelligence Act (AI Act) to ensure harmonization.

General obligations of manufacturers

The Act clarifies the obligations placed on manufacturers, which include:

  • ensuring that the essential requirements are met for their products when placing them on the market, notably by carrying out conformity assessments as described under the Act;
  • carrying out a cybersecurity risk assessment and including it in the technical documentation;
  • exercising due diligence when integrating components sourced from third parties;
  • implementing appropriate policies and procedures, including coordinated vulnerability disclosure policies;
  • ensuring that the products remain in conformity and taking corrective actions where this is no longer the case; and
  • accompanying the product with information and instructions intended for users.

Reporting obligations of manufacturers

Under the Act, the manufacturer must, without undue delay and in any event within 24 hours of becoming aware of it, submit an early warning notification to the Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerability contained in the product with digital elements or of any impact on the security of the product. The incident notification must follow within 72 hours of becoming aware of the incident. The Act also allows the voluntary notification of any vulnerability or cyber threat that could affect the risk profile of a product. ENISA is mandated to establish a single reporting platform.

As regards users, manufacturers must, without undue delay after becoming aware of an incident, inform users about the incident and, where necessary, about corrective measures that users can deploy to mitigate its impact.

Obligations of importers and distributors

The Act clarifies that among other things:

  • importers are required to only place on the market products with digital elements that comply with the essential requirements, as well as ensure that appropriate conformity assessments, 'CE marking', and technical documentation have been included; and
  • distributors must act with due care, and the product must bear the 'CE marking.'

Enforcement

The Act will be enforced by market surveillance authorities designated by Member States, which may:

  • require operators to bring the non-compliance to an end and eliminate the risk;
  • prohibit or restrict products in question on the market;
  • order that the product is withdrawn or recalled; and/or
  • impose fines of up to €15 million.

Key dates

The Act will enter into force on December 10, 2024, 20 days following its publication.

The Act will become applicable on December 11, 2027, except for manufacturers' reporting obligations, which will apply as of September 11, 2026.
