
Why the Cyber Resilience Act Matters

Consumer Compact | Electrical and Electronics | 25 March 2025

Adopted in 2024, the Cyber Resilience Act (CRA) is a key step in strengthening the European Union’s cybersecurity framework.1 It mandates cybersecurity requirements for hardware and software products to enhance resilience, reduce vulnerabilities and protect consumers from increasing cyber threats. Manufacturers must understand the Act’s broader impact on product design, security protocols and market access as they prepare to meet these new requirements.

In an increasingly connected world, digital trust is vital. The CRA strengthens cybersecurity for European businesses and consumers by addressing vulnerabilities in digital products that expose users to cyberattacks. It offers a structured approach to enhancing cyber resilience, which is essential as cyber threats continue to evolve. By establishing clear cybersecurity requirements, the CRA requires both hardware and software products to be designed, developed and maintained so that they resist malicious attacks throughout their support period. It applies to products with digital elements placed on the EU market, meaning hardware and software that can be connected directly or indirectly to a device or network, together with the remote data processing solutions on which they depend. Products already governed by sector-specific rules (for example medical devices, motor vehicles and civil aviation equipment) are excluded, as is free and open-source software that is not supplied in the course of a commercial activity. Products that meet the regulation’s requirements for their risk level will carry the CE mark, signaling compliance and commitment to cybersecurity.

The core principles of cyber resilience focus on:

  • Risk mitigation – minimizing vulnerabilities in digital products from the design stage onward
  • Incident recovery and response – ensuring effective strategies are in place to respond to and recover from cyber incidents
  • Business continuity – maintaining operational stability despite security incidents

The CRA impacts a wide range of economic operators within the European market, including manufacturers (which covers software developers), authorized representatives, importers and distributors involved in the supply of new or updated digital products. Unlike the Network and Information Security 2 (NIS2) Directive and the Digital Operational Resilience Act (DORA), which regulate the organizations that operate services and infrastructure, the CRA regulates the security of the products themselves. This marks a fundamental change in cybersecurity governance in Europe.

Historically, cybersecurity efforts have primarily targeted industries handling sensitive data, such as financial institutions. However, as connected devices – from smart refrigerators and smartwatches to baby monitors – become more prevalent, they are increasingly targeted for cyberattacks. The CRA addresses this gap by ensuring that all connected devices, regardless of their function or market, meet specific security standards.

Building trust with certification

Under the CRA, manufacturers must demonstrate that a product conforms to the essential requirements before placing it on the EU market. For most products this is done through a self-assessed conformity procedure and an EU declaration of conformity; for higher-risk categories it means assessment by a notified body or a European cybersecurity certificate. Demonstrated conformity does more than satisfy the regulator: as consumers become increasingly aware of cybersecurity risks, digital trust will be a significant factor in their purchasing decisions. Certification, or demonstrated conformity, therefore becomes not just a regulatory requirement but a competitive advantage, offering assurance that a product is resilient to cyber threats.

By strengthening the cybersecurity of products with digital elements, the CRA contributes to a more secure and resilient digital ecosystem in Europe, positioning it to better handle emerging cyber threats.

Product categories and classification

One of the key elements of the CRA is its classification of digital products into four categories based on their cybersecurity risk level: default, important products Class I and Class II (Annex III) and critical products (Annex IV). The classification determines the conformity assessment procedure, the certification requirements and the degree of regulatory scrutiny a product must undergo before entering the European market. The higher the risk, the more rigorous the compliance process.

  • Default: Most products (around 90%). Conformity assessment by internal control (self-assessment), followed by the manufacturer’s EU declaration of conformity
  • Important products Class I (for example password managers, VPN products, operating systems, routers and smart-home devices with security functions): self-assessment is possible only if the manufacturer fully applies harmonized standards, common specifications or a European cybersecurity certification scheme; otherwise a notified body must be involved
  • Important products Class II: higher-risk products such as hypervisors and container runtimes, firewalls, intrusion detection and prevention systems, and tamper-resistant microprocessors and microcontrollers. Requires third-party conformity assessment by a notified body, or an EU cybersecurity certificate at assurance level ‘substantial’ or higher
  • Critical products: devices with the highest security stakes, such as hardware devices with security boxes (for example hardware security modules), smart meter gateways and smartcards or secure elements. The Commission may require, by delegated act, certification under a European cybersecurity certification scheme such as the European Common Criteria scheme (EUCC) at a minimum of ‘substantial’ assurance level; until such an act applies, the Class II procedure is used
[Figure: Brightsight graph of certification type by product category]

Understanding these classifications and their associated compliance requirements is critical for manufacturers in determining the level of cybersecurity protection needed to meet the CRA’s requirements.

Timeline for CRA implementation

  • 2024 – Approved by the European Parliament, adopted by the Council, signed on October 23, 2024 as Regulation (EU) 2024/2847, published in the Official Journal of the EU (OJEU) and entered into force on December 10, 2024
  • June 11, 2026 – The provisions on notification of conformity assessment bodies apply, so notified bodies can begin to be designated
  • September 11, 2026 – Manufacturers’ reporting obligations apply. An actively exploited vulnerability in a product, or a severe incident affecting its security, must be reported through the single reporting platform to the coordinating CSIRT and the European Union Agency for Cybersecurity (ENISA): an early warning within 24 hours of becoming aware of it, a fuller notification within 72 hours and a final report within 14 days (one month for incidents). Impacted users must also be informed and corrective measures, such as security updates, made available without undue delay
  • December 11, 2027 – The remaining obligations apply in full; products placed on the market from this date must meet the essential requirements and carry the CE mark
[Figure: Brightsight graphic of the European standardization organizations CEN, CENELEC and ETSI]

Achieving compliance

The essential requirements of the CRA (Annex I) fall into two groups:

  1. Thirteen product cybersecurity requirements (Annex I, Part I) – cover the level of security and the intrinsic characteristics of the products, such as secure-by-default configuration, protection against unauthorized access, data minimization and the ability to receive security updates
  2. Eight vulnerability handling requirements (Annex I, Part II) – cover the measures and processes implemented by manufacturers, such as maintaining a software bill of materials (SBOM), operating a coordinated vulnerability disclosure policy and delivering security updates without delay

These requirements are the core of the CRA, and their implementation will determine whether a product is considered to be compliant or not.

The European standardization organizations – European Committee for Standardization (CEN), European Committee for Electrotechnical Standardization (CENELEC) and European Telecommunications Standards Institute (ETSI) – have been tasked, through a Commission standardization request, with developing a new series of harmonized standards that cover the essential requirements of the CRA. Many of these new standards build on existing cybersecurity frameworks such as the Security Evaluation Standard for IoT Platforms (SESIP), ETSI EN 303 645, IEC 62443 and EN 18031. Manufacturers already compliant with these standards will find it easier to align with the CRA’s requirements. However, these existing standards do not fully cover all of the CRA’s essential requirements, leaving a gap that still needs to be addressed.

Brightsight solution

Brightsight, an SGS company, provides comprehensive support for businesses navigating the CRA’s requirements. Our experts assist with gap analysis, evaluating existing cybersecurity practices and providing the necessary guidance to efficiently achieve certification. From training workshops and technical documentation reviews to conformance testing and final certification, we ensure that businesses are well-equipped to meet international market standards and maintain long-term compliance.

With a global network of state-of-the-art testing facilities, we are ready to help businesses achieve compliance with the CRA, ensuring products meet European cybersecurity standards and contributing to the resilience of the digital ecosystem.


References

1 Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024

© SGS Société Générale de Surveillance SA.

For more information, please contact:

Hans Konig

Global Director, Cybersecurity, Brightsight
