Today the EU's Cyber Resilience Act (Regulation (EU) 2024/2847) ('CRA') enters into force.
The CRA recognises that the continuously evolving world of smart products is frequently challenged by vulnerabilities which can potentially lead to cyber-security incidents. Whilst most of the Act's obligations will not be applicable until three years from now, 10 December is the day when the EU takes a big step towards its ten-year Cybersecurity Strategy. To mark the occasion, we have outlined ten key points that entities in scope must be aware of in preparation for compliance with the CRA.
1. Products with Digital Elements
The objective of the CRA is to protect consumer rights in relation to Products with Digital Elements ('PDEs') across the EU. The definition of PDEs is broad. It includes any goods incorporating either software or hardware elements, from Internet of Things ('IOTs') products to computer components, remote data processing solutions and any other devices which foreseeably use or connect to a device or network.
2. Entities in Scope
The CRA is applicable across the entire EU supply chain, capturing Manufacturers, Importers and Distributors of PDEs. If Importers or Distributors use any manufacturers' products with the Importer's or Distributor's own branding, they will be considered a Manufacturer for the purposes of the CRA.
3. Risk Categories
The CRA recognises that PDEs bear different levels of risk depending upon their intended use and the potential extent of the impact arising from a disruption. As such, the Act sets out four categories of risk:
- Default Products: Products in this category are considered to bear the lowest level of cybersecurity risk and as such they are subject to basic cybersecurity requirements. This group covers the majority of PDEs including IOTs such as smart connected toys, smart watches, smart speakers, smart fridges and other connectable home devices.
- Important Products (Class 1): These are PDEs which present a higher risk than Default Products. Examples of this category include operating systems, identity management systems, password managers and VPNs.
- Important Products (Class 2): The level of risk for products in this category is even higher than that of Important Products Class 1. Examples of this category include firewalls, tamper-resistant microprocessors and microcontrollers.
- Critical Products: This category comprises those PDEs bearing the highest level of risk. Examples of these include smart meter gateways and hardware devices with security boxes, smartcards or similar devices.
