CRA regulation


What is the CRA regulation?

The CRA (Cyber Resilience Act) Regulation, adopted in October 2024, represents a fundamental turning point for cybersecurity in Europe. Its main objective is to standardise the essential cybersecurity requirements for products with digital elements, that is, connected objects in the broadest sense.

Beyond this objective, the regulation seeks to create the conditions for secure products to be developed and, throughout their lifetime, to enable users to take cybersecurity into account when using such products.

Who is affected by the CRA regulation?

The CRA regulation imposes obligations on economic operators (manufacturers, importers and distributors) of products with digital elements (software or hardware) and their remote data processing solutions.

It applies to all products with digital elements, with the exception of medical devices, connected cars, products certified for civil aviation and marine equipment.

More simply, the CRA is intended to apply to connected objects in the broadest sense:

  • Hardware running an operating system
  • Smartphones
  • Servers
  • Connected toys
  • Connected televisions
  • And so on.

The CRA regulation also applies to products based on open source software.


What are the requirements of the CRA regulation?

Manufacturers must comply with a set of strict cybersecurity requirements covering the following key points:

Requirements specific to product properties

01. Risk management

  • Carry out a complete and in-depth cybersecurity risk analysis based on the intended and foreseeable use of the product and the conditions under which it will be used
  • Take account of this risk analysis during design, development and manufacture
  • Guarantee risk monitoring for at least 5 years after the product is placed on the market
  • Regularly monitor and test the systems and security measures in place

02. Product security

  • Make the product available on the market with no known exploitable vulnerability
  • Provide the product with a secure default configuration
  • Design the product so that security updates are possible
  • Ensure protection against unauthorised access using appropriate control mechanisms
  • Design, develop and manufacture the product in such a way as to limit internal and external attack surfaces

03. Data protection

  • Protect the confidentiality of data stored, transmitted or processed
  • Protect the integrity of stored, transmitted or processed data, commands, programmes and configuration from unauthorised manipulation or modification
  • Only process data that is adequate, relevant and limited to what is necessary for the purpose of the product

04. Incident management

  • Protect the availability of essential and basic functions through resilience and mitigation measures against denial of service attacks
  • Design, develop and manufacture the product in such a way as to reduce the repercussions of an incident

05. Other requirements

  • Minimise the impact of the product on the availability of services provided by other devices or networks
  • Record and monitor internal activities
  • Provide the option of deleting or transferring data and settings in complete security

Requirements specific to vulnerability management

  • Identify and document vulnerabilities and product components
  • Manage and correct vulnerabilities without delay through security updates
  • Subject products to regular security tests
  • Communicate about vulnerabilities corrected by security updates
  • Implement a coordinated vulnerability disclosure policy
  • Take steps to share information about potential product vulnerabilities
  • Implement secure update distribution mechanisms
  • Distribute patches and security updates without delay

Specific requirements for importers and distributors

Importers and distributors must ensure that the manufacturer has complied with its obligations.

They are considered to be manufacturers if they place the product on the market under their own name or trademark or if they make substantial modifications to the products.

What are the penalties for non-compliance with the CRA regulation?

The CRA Regulation introduces a system of reinforced penalties to deter economic operators from failing to comply with its requirements.

Penalties consist of administrative fines in 3 cases:

For manufacturers

Member States have the option of imposing administrative fines of up to €15 million or 2.5% of total annual worldwide turnover, whichever is greater.

For importers and distributors

Member States have the option of imposing administrative fines of up to €10 million or 2% of total annual worldwide turnover, whichever is greater.

For providing inaccurate or misleading information to the authorities

Member States may impose administrative fines of up to €5 million or 1% of total annual worldwide turnover, whichever is greater.

Details of penalties

The aim of the penalties is to deter breaches of the CRA regulation and to encourage economic players to invest in cybersecurity to effectively protect their connected products and their customers' data.

It is important to note that the precise arrangements for implementing sanctions may vary from one Member State to another. The economic players concerned must therefore refer to national legislation.

In addition to regulatory sanctions, economic players who fail to comply with the CRA regulation can also expose themselves to significant risks to their reputation and business in the event of a major vulnerability. The loss of customer confidence and damage to brand image can have considerable financial consequences.

How do you prepare for the CRA regulation?

The CRA regulation is due to come into force in December 2027. Many companies will therefore have to comply by strengthening their cybersecurity measures.

The CRA regulation represents a major step forward for cybersecurity in Europe and should help to better protect critical infrastructure and services from cyber attacks.

Here is a practical guide to help you prepare for the CRA regulation:

Assess your situation

Identify whether your organisation falls within the scope of the CRA regulation

  • The regulation applies to economic operators who manufacture, import or distribute connected objects.

Carry out an in-depth analysis of your cybersecurity risks

  • Identify your critical assets, the potential threats to which they are exposed and existing vulnerabilities.
  • This analysis will enable you to define the priorities for implementing security measures.

Implement the necessary security measures

Apply the basic requirements of the CRA regulation

  • This includes putting in place risk management, security, data protection and incident management measures for both your products and your organisation.
  • You can refer to the annexes to the regulations and the practical guides published by the competent authorities for detailed guidance.

Reinforce your existing security measures

  • Assess whether your current practices comply with the requirements of the CRA regulation
  • Update your security policies, procedures and technologies as necessary

Adopt a proactive approach to risk management

  • Implement continuous monitoring and detection mechanisms to identify potential cyber threats and intrusions in real time.
  • Implement preventive protection measures such as strict access control and regular product updates.

Strengthen your incident and vulnerability management capabilities

Develop a documented incident response plan

  • This plan must define the roles, responsibilities and procedures to be followed in the event of a cyber attack.
  • It must also include communication and system restoration plans.

Test for vulnerabilities

  • Carry out regular security tests (configuration audits or penetration testing) to continuously improve your security.

Seek expert advice and support

Don't hesitate to ask for help from cybersecurity consultants and experts

  • These professionals can help you assess your risks, implement the necessary security measures and prepare for compliance audits.

Keep abreast of regulatory developments and new cyber threats

  • Subscribe to communications from the competent authorities and take part in the webinars and training courses offered on the CRA regulation.

Do you need an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.

Your satisfaction and security are our priorities. Contact us.
