The European Union has adopted the Cyber Resilience Act (CRA), a new cybersecurity regulation for digital products. Proposed in 2022, the CRA was driven by growing concerns over cyberattacks on hardware and software devices, which caused global losses estimated at €5.5 trillion in 2021. The law aims to ensure manufacturers build security into products from the ground up, protecting consumers and businesses from cyber threats in the digital age.
Background
Cyberattacks on critical infrastructure and industrial systems have highlighted the need for stronger cybersecurity rules in the EU. As more industrial equipment, household appliances, and Internet of Things (IoT) devices come online, security vulnerabilities multiply. More and more consumers are falling victim to hacks that exploit weaknesses in everyday smart devices. Cyber incidents can cause severe economic and social disruption, and even endanger lives — underscoring the urgency to act.
Before the CRA, many digital products had minimal cybersecurity protections. Widespread vulnerabilities often went unpatched because manufacturers failed to provide consistent security updates. At the same time, users lacked enough information to assess or configure the security of the devices they used. On top of that, most hardware and software products were not subject to EU-level cybersecurity regulations, creating a protection gap where companies had little incentive to prioritize security. The Cyber Resilience Act was introduced to address these problems by setting uniform cybersecurity standards for all digital products on the EU market.
Objectives
The Cyber Resilience Act is designed to improve the cyber resilience of Europe's digital ecosystem. Specifically, it has two main goals:
- Create conditions for developing secure digital products – ensuring that hardware and software placed on the market have fewer vulnerabilities, and that manufacturers prioritize security throughout a product's lifecycle.
- Empower users (both consumers and businesses) to factor cybersecurity into their decisions when choosing and using products with digital elements.
The Act also outlines four specific objectives to support these goals:
- Ensuring manufacturers improve product security from the design and development phase all the way through the product's lifetime (secure by design and secure by default).
- Establishing a coherent cybersecurity framework that makes it easier for hardware and software manufacturers to comply with requirements.
- Increasing transparency around the cybersecurity features of digital products (so users can know how secure a product actually is).
- Enabling businesses and consumers to use digital products safely.
Implications for Tech Companies
The CRA has far-reaching implications for tech companies. The regulation covers almost all products with digital elements sold on the EU single market — from computer hardware and software to IoT devices like smartwatches and smart home appliances, and even networked critical infrastructure systems in energy, transport, healthcare, and finance. Given this broad scope, the law applies to manufacturers, suppliers, importers, and distributors of any technology product that contains a digital component in the EU.
The Act significantly shifts cybersecurity responsibility onto manufacturers. Companies must ensure their products meet the new security requirements before entering the market. Manufacturers are required to conduct cyber risk assessments, issue EU declarations of conformity, and cooperate with authorities to demonstrate compliance. Importers and distributors must also verify that the products they sell meet CRA security standards.
Beyond that, manufacturers must implement vulnerability handling processes throughout a product's lifecycle. They're expected to fix any security weaknesses that are discovered by issuing updates, and to report serious cyber incidents to the relevant EU authorities within 24 hours. The CRA also emphasizes transparency: users will receive clearer information about the cybersecurity properties of products, enabling them to make smarter purchasing decisions. EU regulators will carry out market surveillance to enforce these rules and ensure industry compliance.
Companies are given a transition period to adapt to the new rules. Once the CRA comes into force, manufacturers will have roughly two years to meet the new security requirements, and one year to comply with vulnerability and incident reporting obligations. Non-compliance will carry stiff penalties:
- Up to €15 million or 2.5% of global annual turnover (whichever is higher) for failing to meet cybersecurity requirements.
- Up to €10 million or 2% of worldwide turnover for lesser violations (such as failing to report incidents properly).
These hefty penalties make clear how seriously the EU intends to enforce the CRA.
Cybersecurity and Consumers
For consumers, the CRA promises safer digital products. Everyday devices — from phones, computers, and smart home gadgets to internet-connected toys — must meet minimum security standards before they can be sold. Manufacturers must patch vulnerabilities and provide regular security updates, reducing the risk of hacking, malware, and data breaches. Overall, the Act protects consumers and businesses from products with inadequate security features.
The CRA also empowers users with better information. Companies need to be more transparent about the security aspects of their products — for example, through labels or documentation detailing a product's level of protection. This lets consumers factor cybersecurity into their buying decisions. Shoppers will find it easier to identify products with appropriate security features that meet the standards. This is expected to push manufacturers to compete on security, raising the overall bar for user protection.
Impact on Businesses and the Tech Industry
In the short term, tech companies in Europe will need to invest in compliance — adapting product development processes, training staff, and potentially redesigning products to meet CRA requirements. This may increase costs and complexity, particularly for startups and small businesses. But in the long term, uniform security standards create a more level playing field for companies. Cybersecurity becomes a baseline expectation for all products, which can boost consumer trust in technology.
Investing in better security can also save companies from the massive costs of cyber incidents — in fact, mandatory vulnerability management under the CRA is estimated to save European companies and consumers billions of euros by preventing cyberattacks across the supply chain.
Global Influence
On the global stage, the Cyber Resilience Act is poised to raise cybersecurity standards worldwide. As the first law of its kind to comprehensively regulate the security of digital products, the CRA establishes the EU as a leader in cybersecurity regulation. It's even been said that the law could be a global "game changer" when it comes to product security governance.
Tech companies outside Europe that want access to the EU market will need to comply with the CRA, potentially adopting similar practices in their global operations. Other countries or regions may well follow the EU's lead by introducing comparable regulations to protect their consumers and critical systems from cyber threats.
Conclusion
The Cyber Resilience Act makes clear that cybersecurity is now a fundamental requirement in the digital product landscape. The regulation is expected not only to protect European consumers and businesses from cyber threats, but also to drive higher security standards globally for a safer digital ecosystem.
