Cyber Resilience Act - Overview of new cybersecurity requirements for products with digital elements
In September 2022, the European Commission published its proposal for the Cyber Resilience Act ("CRA", Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020). This is an EU regulation that will be directly applicable in all Member States once it enters into force and does not require any further transposition acts. The proposal aims to further advance the European data strategy and eliminate the legislative patchwork in the field of cybersecurity in the European single market.
Aim of the Regulation
With the CRA, the European legislator aims to introduce horizontal security requirements for "products with digital elements" in order to strengthen cybersecurity across the full range of tangible products with digital elements and their associated services throughout the supply chain. The term "product with digital elements" means any software or hardware product and its data processing solutions. It bears a close resemblance to the concept of digital products in Section 327 (1) sentence 1 of the German Civil Code (BGB), which has already found its way into German law as part of the transposition of the Digital Content Directive ((EU) 2019/770). In factual terms, the proposed CRA covers any everyday object that has a digital function. Services, such as software-as-a-service (SaaS), on the other hand, are generally not covered by the scope of the regulation. The same applies to medical devices as well as products related to aviation safety and to the requirements for motor vehicles, as the European legislator has already issued comprehensive provisions on cybersecurity in more specific regulations for these areas. With manufacturers, importers and distributors as the addressees of the regulation, the personal scope of application includes all actors in a supply chain. The ultimate aim is to minimize the cybersecurity risks of products with digital elements and to ensure safe use for businesses and consumers throughout the European single market.
Relevant provisions
To achieve these goals, a variety of new obligations are imposed on manufacturers, distributors and importers of products with digital elements. These are laid down in Art. 10 et seq. of the proposed CRA and vary depending on the actor and the criticality of the product.
For example, manufacturers are to be required to take cybersecurity requirements into account when designing, developing and manufacturing products with digital elements, and to conduct a cybersecurity risk assessment for this purpose. Annex I of the proposed CRA contains a list of specific requirements that are reminiscent of the data protection principles set out in Article 5(1) of the GDPR and the provisions on privacy by design and privacy by default set out in Article 25 of the GDPR. In order to demonstrate the compliance of the products with these cybersecurity requirements, a conformity assessment procedure is to be carried out, which is based on the risk level of the product. The proposed CRA distinguishes between normal, critical, and highly critical products, and provides stricter procedures for high-risk products. Furthermore, manufacturers are required to continuously review their products with regard to vulnerabilities and risks and to develop appropriate procedures and strategies for this purpose. In addition, in the event of an incident that affects the security of the product, the authorities and users must be notified immediately and appropriate corrective or mitigating measures must be taken. Manufacturers are also required to prepare technical documentation regarding the fulfilment of the relevant cybersecurity requirements and the means used for this purpose before placing a product on the market. In addition, manufacturers must monitor and address vulnerabilities in their products for a period of up to five years after market launch, including, for example, the supply of security updates. In view of the longevity of many technical products, the shortness of this period has already triggered a great deal of criticism in the legal literature. It therefore remains to be seen whether this period will be adjusted in the further course of the legislative process.
Importers and distributors are also subject to comprehensive inspection obligations: for example, importers must always ensure that a complete check of the cybersecurity requirements has been carried out before placing a product on the European market, must inform manufacturers in the event of vulnerabilities and, if necessary, must notify market surveillance authorities in the event of significant cybersecurity risks. Distributors, on the other hand, are only required to verify that the product bears the CE marking and that it is accompanied by the necessary technical information, the declaration of conformity, and the importer's contact information. Other persons who substantially modify a product are considered manufacturers and are therefore subject to the obligations mentioned above.
Monitoring by the authorities
To monitor compliance with these obligations, Member States will be required to designate market surveillance authorities. These authorities will monitor compliance with the cybersecurity requirements and cooperate with the EU Commission and ENISA for this purpose. In addition, they will also exchange information with data protection authorities. The powers of the market surveillance authorities include the initiation of investigations and the imposition of measures to bring products back into conformity, up to and including product recalls. Furthermore, they may carry out coordinated control actions (so-called "sweeps"), which apparently means simulated cyber-attacks. The requirements for such measures, which have not yet been adequately defined, have also been met with widespread criticism.
Penalties
The Cyber Resilience Act features a penalty scheme similar to that of the GDPR. Penalties are to be "effective, proportionate and dissuasive" according to Art. 53 (1) (2) CRA. Fines for manufacturers' non-compliance with the essential cybersecurity requirements can be as high as €15 million or 2.5% of the preceding year's total worldwide annual turnover, whichever is higher. For all other violations by any of the addressees, fines of up to €10 million or 2% of total annual turnover are proposed. If incorrect, incomplete or misleading information is provided in the course of official investigations, fines of up to €5 million or 1% of total annual turnover may be imposed.
Current status, outlook and recommendations
The Cyber Resilience Act is still at the beginning of the legislative process. Currently, only a first draft is available. Feedback submissions on the existing draft closed on January 9, 2023. In addition, amendments are expected to be proposed by the European Parliament and the European Council.
After the final version of the Act comes into force, there will initially be a transitional period of 24 months. This does not include the manufacturers' obligation to report security incidents, which will already apply after 12 months. Nevertheless, we advise keeping an eye on the further course of the legislative process, responding to the extensive requirements of the CRA at an early stage, and factoring the additional economic and bureaucratic effort into the development processes of new products early on.