Unprotected in the Digital World?

CRA – Tackling the Growing Threat of Cyberattacks

The CRA introduces new obligations for manufacturers, importers, and distributors of connected products: they are required to ensure the cybersecurity of these products throughout their entire lifecycle. They must also report and remediate vulnerabilities.

The goal: to better protect both consumers and businesses from cyber risks and to establish uniform security standards across the EU.

Key Points:

• CE marking as proof of compliance
• Clearly defined scope of application
• Detailed security requirements, including software updates and mandatory reporting of vulnerabilities and security incidents
• Responsibility extends to manufacturers, importers, and distributors, including a 10-year documentation requirement for technical files, security information, and EU declarations of conformity
• Risk classification – stricter requirements for products deemed to pose moderate or significant risk
• Severe penalties – up to €15 million or 2.5% of global annual turnover for manufacturers, and up to €10 million or 2% for importers

The CRA entered into force on December 11, 2024 and will become fully applicable across all EU Member States starting August 12, 2026. In the meantime, companies must carefully prepare during the transitional period.

Special thanks to Monika Menz, who delivered a widely recognized presentation to members of the FBDi Competence Circle, offering an in-depth look at the CRA and its far-reaching obligations. Her insights are helping us prepare for the upcoming requirements in a focused and effective way.

❗The FBDi strongly encourages all affected companies to proactively address the upcoming compliance requirements without delay.