Tech & Sourcing @ Morgan Lewis


On September 15, the EU Commission published a proposal for a Cyber Resilience Act (Proposed CRA), which builds on the 2020 EU Cybersecurity Strategy and the 2020 EU Security Union Strategy, with the aim of ensuring the cybersecurity of products with digital elements and the provision of sufficient information to consumers about the cybersecurity of the products they buy and use.


The Proposed CRA applies to hardware and software products that are connected directly or indirectly to another device or network (Digital Products), exempting those for which there are existing EU rules, such as medical devices, motor vehicles, aviation, or products designed for military, classified, or national security purposes.

The Proposed CRA further divides certain Digital Products regarded as critical into classes I and II, as set out in Annex III, with class II representing products considered to be higher risk and necessitating stricter compliance requirements.

Compliance Requirements

The Proposed CRA generally obliges manufacturers, importers, and distributors of Digital Products to the EU market to ensure that the relevant products comply with the essential cybersecurity requirements, which are primarily set forth in Annex I of the Proposed CRA.

Manufacturers must, among other things:

  • fulfil security requirements by conducting a conformity assessment of their Digital Products against the cybersecurity requirements in Annex I;
  • put in place vulnerability handling requirements by identifying and reporting vulnerabilities and facilitating the reporting of vulnerabilities by users;
  • document product technical components and instructions to users; and
  • ensure that conforming products have CE markings.

Distributors and importers of Digital Products to the European Union must also ensure that the products meet the conformity requirements before placing them in the European market, or report any non-conformity to market surveillance authorities. However, they may be deemed to acquire manufacturers’ status (and liabilities) where such products are placed in the EU market under their brand name or trademark.


As is typical for EU legislation, the Proposed CRA requires member states to determine the nature and manner of the administration of penalties for non-compliance.

To ensure conformity of the punitive measures across the European Union, the Proposed CRA imposes fines of up to 15 million euros ($14.5 million) or 2.5% of the total worldwide turnover for the preceding financial year, whichever is higher, for non-compliance with the rules. Member states may also impose any other corrective measures.

Next Steps

The Proposed CRA will become applicable 24 months after its entry into force, but manufacturers will be expected to comply with reporting obligations 12 months after its entry into force.

A UK business that manufactures or distributes Digital Products to users in the European Union will need to ensure that its products comply with the requirements of the rules, and should be aware of the Product Security and Telecommunications Infrastructure Bill, similar legislation currently being considered by the House of Lords of the United Kingdom.

Trainee solicitor Samuel Omotayo contributed to this blog post.