Cyber Resilience Act

The Cyber Resilience Act (CRA) is a legislative framework on security requirements for physical products with digital elements. The act aims to strengthen cybersecurity by mandating a set of standards for digital product manufacturers, developers and distributors. It also introduces obligations for these entities to assess and mitigate risks throughout the lifecycle of the product and to report significant cyber incidents and vulnerabilities. This will enhance the transparency of security properties and bolster the security of products with digital elements.

Who is affected?

As the Cyber Resilience Act sets out cybersecurity requirements for products with digital elements placed on the EU market, this law focuses on the economic operators responsible for these products. In the regulation, these are the manufacturers, importers and distributors of the products that fall under the CRA’s scope.

Although this encompasses a wide range of sectors and products, some exemptions are made:

  • If the product is developed exclusively for military or national security purposes.

  • If it falls under the regulations on medical devices ((EU) 2017/745 and (EU) 2017/746), motor vehicles and products ((EU) 2019/2144) or marine equipment ((EU) 2014/90).

  • If it has been certified in accordance with the regulation on aviation rules: (EU) 2018/1139.

  • If it is open-source software that is developed without commercial intent.

Classifying products

All products that fall under the scope of the CRA will be divided into four categories. Depending on the category a product falls under, different sets of compliance measures will have to be taken.

Timeline

The CRA entered into force on 10 December 2024. Most of its provisions will become fully applicable as of 11 December 2027, giving organizations time to adjust and meet the requirements gradually. However, manufacturers will already be required to fulfill vulnerability reporting obligations starting 11 December 2026.

How can PwC help you

Maturity & gap assessment

Economic operators, i.e., manufacturers, importers and distributors of digital products falling under the scope of the CRA, will need to ensure compliance with a new set of security requirements. Our teams can support your company to assess your existing controls and security measures, and identify any remaining gaps to achieve compliance.

Compliance support

Our specialised teams can provide you with extensive expertise in addressing the security of your digital products. We can support you with software development life cycle (SDLC) and development, security and operations (DevSecOps) services, hardware and software assessments, as well as vulnerability scanning and reporting. We can also help you set up secure Identity and Access Management (IAM) systems to ensure correct access to software, as well as continuous monitoring of the environment to find, analyse and resolve attempted malicious activity.

Contact us

Koen Maris

Assurance Partner, Cyber, Privacy & Resilience, PwC Belgium

Tel: +32 470 77 15 88

Roy Coppieters

Director, PwC Belgium

Tel: +32 477 81 49 11

Bart De Win

Director, PwC Belgium

Tel: +32 479 46 79 57
