What is the EU Cyber Resilience Act?

The CRA establishes horizontal cybersecurity requirements for products with digital elements that are made available on the EU/EEA market. Its primary goal is to enhance cybersecurity across the EU/EEA by ensuring that hardware and software products and their remote data processing solutions are designed, developed, and maintained with fewer vulnerabilities throughout their lifecycle.

Which Products are Covered by the EU Cyber Resilience Act?

So-called “products with digital elements” covered by the CRA include hardware and software products that are intended or foreseeable to operate with connectivity to other devices or networks. This includes a broad variety of connected products, such as laptops, smartphones, tablets, fitness trackers, drones, routers, browsers, baby phones, surveillance cameras with remote access, smart home appliances, and remote-controlled or connected machinery and factory equipment.

In each case, the CRA does not only apply to the connected product as such, but also to its remote data processing solution. This includes cloud-enabled functionalities of connected products that enable users to control the product at a distance. For other cloud computing services, such as software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS), the cybersecurity requirements of NIS 2 Directive (EU) 2022/2555 (NIS 2 Directive) apply if the relevant service provider is deemed an essential or important entity under the relevant national implementation laws of the NIS 2 Directive.

The CRA is the first horizontal regulation applicable to products with digital elements across all sectors. Before the CRA, the EU had only vertical, sector-specific cyber security requirements, such as in the field of medical devices, motor vehicles, civil aviation or marine equipment. These sector-specific regulations remain in force and products regulated under the relevant acts are exempt from the CRA. Likewise, products with digital elements developed or modified exclusively for national security or defense purposes are outside the scope of the CRA.

How Are Swiss Companies Affected by the EU Cyber Resilience Act?

The CRA applies if products with digital elements are made available on the EU/EEA market. Manufacturers and distributors domiciled outside the EU/EEA have to ensure compliance with the CRA if they make their covered products available in the EU/EEA. Given the EU/EEA’s significance as a primary sales market for numerous Swiss industries, the CRA will notably affect companies in Switzerland. Moving forward, exporters of products under the CRA will need to comply with the CRA.

What Are the Main Obligations Under the EU Cyber Resilience Act?

The main obligations under the CRA apply to manufacturers of products with digital elements and include the following:

• Product requirements: Manufacturers must ensure compliance with the essential cybersecurity requirements defined in Annex I to the CRA when placing a product with digital elements on the market, e.g., they must design and manufacture digital products to avoid known vulnerabilities and regularly update products to address security flaws. If components sourced from third parties are integrated into a product, the manufacturer must exercise due diligence so that those components do not compromise the cybersecurity of the product.
• Continuous risk assessment: Manufacturers must perform a cybersecurity risk assessment regarding the relevant product with digital elements. The cybersecurity risk assessment must be documented and updated during the support period. The support period shall reflect the length of time during which the product is expected to be in use, but is generally at least five years. The support period for a product may vary depending on its characteristics, often being longer for durable goods like fridges compared to smartphones. Manufacturers should also carefully select advertising language. Promising “lifelong happiness” with a device could imply a support obligation under the CRA for the user’s lifetime.
• Documentation and information: Before the product with digital elements is placed on the market, the manufacturer must draw up a technical documentation with all relevant details of the means used by the manufacturer to ensure that the product complies with the CRA. The manufacturer must keep the technical documentation at the disposal of the market surveillance authorities for at least 10 years after the product has been placed on the market or for the support period, whichever is longer. In addition, manufacturers must ensure that the product with digital elements is accompanied with the minimum information and instructions according to Annex II of the CRA (including the contact details of the manufacturer, the intended purpose of the product and the end-date of the support period).
• Reporting: Manufacturers must report any actively exploited vulnerability contained in the product and any severe incident having an impact on the security of the product to a designated Computer Incident Response Team (CSIRT) and the EU Agency for Network and Information Security (ENISA). For this purpose, the manufacturer must submit an early warning notification of an incident without undue delay and in any event within 24 hours of the manufacturer becoming aware of it. In addition, a detailed report on the incident must be submitted without undue delay, but at the latest within 72 hours, and a final report within 14 days.
• Conformity assessment: Manufacturers must perform a conformity assessment of the product with digital elements to determine whether the essential cybersecurity requirements set out in Annex I to the CRA are met. The EU differentiates between different product categories and classes and imposes stricter obligations the higher the criticality of the product. For the majority of products subject to the CRA, a self-assessment by the manufacturer will be sufficient to assess safety. For important and critical products, an assessment by a third party is required.

While the bulk of obligations applies to manufacturers, the CRA contains a set of reduced duties for the other actors in the supply chain of a product with digital elements. For instance, distributors of products with digital elements must act with due care, verify that the manufacturer has complied with its duties under the CRA relevant to the distributor’s operations and collaborate with the relevant market surveillance authorities.

When Will the EU Cyber Resilience Act Come Into Effect?

The CRA will enter into force on December 10, 2024, and is set to actually apply starting December 11, 2027, giving companies a three-year transition period to comply with the new requirements. Products with digital elements that have been placed on the market before that date, can also be subject to the CRA if, from that date, these products are substantially modified, e.g., in the event of a software update that changes the intended purpose of the product or if new features are added to a product.

Certain provisions of the CRA will be enforceable already earlier: The reporting obligations of manufacturers of products with digital elements will apply from September 11, 2026. Even earlier than that, the EU/EEA Member States must establish the regulatory infrastructure required to enforce the CRA, i.e., they must notify the EU Commission of bodies authorized to carry out conformity assessments under the CRA (conformity assessment bodies or notified bodies), ensure appeal procedures against decisions of the notified bodies and designate notifying authorities. These duties of EU/EEA Member States apply from June 11, 2026.

What Are the Sanctions for Violations of the CRA?

The CRA provides for administrative fines up to EUR 15 million or 2.5% of the company’s global annual turnover, whichever is higher. In addition to fines, the national market surveillance authority can take appropriate steps to prohibit or restrict a non-compliant product with digital elements from being made available on its national market, to withdraw it from that market, or to recall it if an economic operator does not take adequate corrective action intended to make the product comply with the CRA.

Does Switzerland Have a Law Similar to the EU Cyber Resilience Act?

Switzerland does not have a dedicated horizontal act for cybersecurity of products with digital elements, like the CRA.

The Swiss horizontal product safety regulation, the Product Safety Act (PSA), applies to hardware and software, including products of the kind covered by the CRA, but it does not include specific cybersecurity requirements. Horizontal cybersecurity requirements are provided for in the Swiss Federal Act on Data Protection (FADP; see our Bulletin here), insofar as the processing of personal data is at issue. In addition, sector-specific regulation addressing aspects of cybersecurity exists, such as the FINMA Circular 2023/1 on Operational Risks and Resilience. In a wider context, the revised Swiss Information Security Act (ISA), expected to come into force on January 1, 2025, provides for a duty of critical infrastructures to report cyberattacks to the National Cyber Security Centre (NCSC) and thus replicates obligations that are prescribed by the NIS 2 Directive in the EU.

Which Other Laws Apply When Bringing Digital Products to Market?

The EU has enacted comprehensive legislation to harmonize the digital market. In some cases, similar Swiss laws exist. These other EU and Swiss laws may need to be observed cumulatively if a company intends to make a product with digital elements available on the market. In particular, the following provisions may apply:

• General Data Protection Regulation (GDPR). The GDPR applies if personal data of individuals is processed in the context of the product. Similarly, the FADP needs to be complied with in such a case.
• Artificial Intelligence (AI) Act (EU AI Act): The EU AI Act applies if AI systems or general purpose AI models are used in the context of the product (see our Bulletin on the EU AI Act here). Switzerland does not (yet) have a law similar to the EU AI Act. It is expected that the Swiss Federal Council will inform end of 2024 or early 2025 how it intends to regulate AI.
• Data Act: If the product with digital elements is a connected product or a related service of the so-called internet of things (IoT), the Data Act applies. Switzerland does not have a law similar to the Data Act regulating the handling of personal and non-personal data in the context of the IoT.

Action Points for Swiss Companies

To prepare for the CRA, Swiss companies should undertake the following initial steps:

• Assess CRA scope: Swiss companies making products available in the EU/EEA should assess whether they are in scope of the CRA.
• Assess current compliance: Companies in scope of the CRA should evaluate current products and systems against the CRA requirements to identify any gaps in compliance.
• Implement necessary changes: Companies in scope of the CRA must ensure compliance with the CRA until the relevant provisions enter into force. If necessary, they must update security protocols, product designs, and compliance processes as needed to meet CRA standards. Companies should also review and adapt their contractual provisions to require their business partners (e.g., suppliers of components for products with digital elements) to comply with the CRA.
• Conduct regular training: Companies in scope of the CRA should train staff on CRA requirements and the importance of cyber resilience.
• Establish continuous monitoring: Companies in scope of the CRA should set up systems to continuously monitor compliance with CRA standards to swiftly address any deviations or updates.

These proactive measures will help Swiss companies navigate CRA regulations effectively and maintain access to the EU/EEA market.