New Cybersecurity Law starts applying – ensure your company is compliant

Cybersecurity, Latest News ,

What is the CRA?

The Cyber Resilience Act (CRA) is an EU regulation that establishes mandatory cybersecurity requirements for products with digital elements (hardware and software) sold in the European market. Its purpose is to ensure products are secure by design, secure by default, and maintained throughout their lifecycle.

Main Objectives

  • Improve the cybersecurity of digital products.
  • Reduce vulnerabilities in hardware and software.
  • Increase transparency for consumers and businesses.
  • Ensure continuous security updates and vulnerability management.
  • Harmonize cybersecurity rules across all EU Member States.

Scope

The CRA applies to:

  • Software applications
  • Operating systems
  • IoT devices
  • Smart devices
  • Industrial systems
  • Connected hardware and software products

Examples:

  • Smart TVs
  • Smart cameras
  • Routers
  • Mobile applications
  • Connected home devices

For a long list of examples of products caught by the CRA, click here

Key Requirements

  1. Security by Design and by Default

Manufacturers must integrate cybersecurity from the beginning of product development.

  1. Vulnerability Management

Manufacturers must:

  • Identify vulnerabilities
  • Fix vulnerabilities promptly
  • Provide security updates
  1. Incident Reporting

Manufacturers must report actively exploited vulnerabilities and significant security incidents to relevant authorities within specified deadlines.

  1. Documentation and Compliance

Manufacturers must provide:

  • Technical documentation
  • Risk assessments
  • Security information for users
  • EU Declaration of Conformity
  1. Lifecycle Security Support

Security support and updates must continue throughout the product’s expected lifecycle.

Stakeholders Affected

The CRA imposes obligations on:

  • Manufacturers
  • Importers
  • Distributors
  • Economic operators placing digital products on the EU market

Penalties for Non-Compliance

Failure to comply may result in:

  • Fines up to €15 million or
  • 2.5% of global annual turnover (whichever is higher)

 

For Cyprus, the CRA does not need separate national transposition because it is an EU Regulation, not a Directive. That means it becomes directly applicable in all EU Member States, including Cyprus, on the same dates.

CRA timeline for Cyprus:

  • 10 December 2024 → CRA entered into force.
  • 11 June 2026 → Rules on notification of conformity assessment bodies begin to apply.
  • 11 September 2026 → Vulnerability and serious incident reporting obligations start applying. Manufacturers must report actively exploited vulnerabilities and severe incidents.
  • 11 December 2027Main CRA obligations become fully applicable across Cyprus and the EU. This includes:
    • Security by design
    • Security by default
    • Vulnerability management
    • Technical documentation
    • CE conformity requirements
    • Security updates throughout the product lifecycle

Our law firm can offer an applicability assessment of your products for a very reasonable fee, telling you whether your company is caught by this new law and should therefore undergo compliance. If you are interested in this assessment, email us and we will send you a short questionnaire to fill in to enable us to ascertain whether the CRA applies to you. We will let you know within 48 hours.

You also offer training on the CRA or one-hour informative sessions with the responsible employee of your company. If you are interested, please email us for further information.

error: Content is protected !!