Article

Cyber Resilience Act (CRA): A new framework for connected devices

Explore the Cyber Resilience Act (CRA), the EU's framework for enhancing cybersecurity in digital products. Learn key requirements and compliance steps.

As digital technologies continue to expand their reach across industries, the European Union (EU) is taking significant steps to enhance the cybersecurity of products and services within its jurisdiction. The Cyber Resilience Act (CRA), a regulation adopted by the EU on October 23, 2024, represents a landmark regulatory framework aimed at ensuring that products with digital elements, including hardware and software sold in the EU, meet robust security standards.

This regulation has far-reaching implications for manufacturers, developers, and businesses across the globe, underscoring the EU’s commitment to building a safer and more resilient digital economy.

What is the CRA?

The CRA establishes a unified set of cybersecurity requirements for all products with digital elements that are placed on the EU market. This includes software, connected devices, and hardware, regardless of whether they are manufactured within or outside the EU.

The CRA applies to manufacturers, importers, and distributors of products that are connected directly or indirectly to another device or network. It therefore covers B2B as well as B2C, and software as well as hardware products and connected components.

Key requirements of the CRA

The CRA mandates specific obligations for manufacturers, importers, and distributors of digital products. These include:

  • Secure product design: Products must follow secure-by-design and by-default principles, incorporating cybersecurity measures at the earliest stages of development.
  • Vulnerability management: Vendors are required to monitor, identify, and patch vulnerabilities throughout the product lifecycle. This includes releasing regular security updates and providing clear instructions to users on how to maintain the security of their products.
  • Transparency obligations: Companies must inform users about the cybersecurity risks associated with their products and provide adequate documentation to facilitate safe use.
  • Market surveillance: EU authorities will conduct compliance checks to ensure that products meet the CRA requirements before they can be sold in the market.
  • Penalties for non-compliance: Businesses that fail to comply may face fines of up to €15 million or 2.5% of their annual global turnover, whichever is higher.

Who will be impacted?

The CRA applies broadly to any organisation involved in the design, manufacturing, importation, or distribution of digital products within the EU. Key sectors affected include:

  • Technology providers: Developers of software and connected devices.
  • Manufacturers: Companies producing internet-of-things devices, industrial machinery, and other hardware with digital components.
  • Retailers and distributors: Those selling digital products in the EU market.

Additionally, businesses outside the EU must comply if they wish to sell their products within the region.

Steps to prepare for CRA compliance

To ensure alignment with the CRA, consider the following steps:

  • Perform a compliance gap analysis: Assess existing cybersecurity practices and identify gaps relative to CRA requirements.
  • Implement secure development practices: Incorporate secure-by-design principles into product development lifecycles.
  • Establish vulnerability and risk management programmes: Develop processes to monitor, identify, and mitigate vulnerabilities throughout the product lifecycle, complemented by a risk management approach.
  • Collaborate across supply chains: Work closely with suppliers to ensure third-party components meet CRA standards.
  • Engage legal and cybersecurity experts: Seek professional guidance to navigate the complexities of CRA compliance and avoid costly penalties.

Conclusion

The CRA marks a significant step toward creating a safer digital ecosystem. By mandating stringent security measures for digital products, the CRA not only protects consumers but also elevates the standards for businesses operating in the EU market.

While compliance may present initial challenges, proactive organisations can leverage the CRA to enhance their security posture, build trust, and gain a competitive edge in an increasingly interconnected world.

Now is the time for businesses to act. Those that prioritise cybersecurity today will be the trusted leaders of tomorrow.

To learn more, contact a Marsh representative.

The article is for information purposes only. Marsh makes no representation or warranty as to its accuracy. Marsh shall have no obligation to update the article and shall have no liability to any party arising out of this document or any matter contained herein. Any statements concerning actuarial, tax, accounting, labour, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, tax, accounting, labour, or legal advice, for which clients should consult their own professional advisers. Any analysis and information are subject to inherent uncertainty, and the article could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Although Marsh may provide advice and recommendations, all decisions regarding the measures that should be adopted are the ultimate responsibility of the client.