EU Cyber Resilience Act

The image shows a corridor view of a data center with server racks on both sides. The perspective is from the end of the corridor, looking towards a brightly lit panel at the far end. The image shows a corridor view of a data center with server racks on both sides. The perspective is from the end of the corridor, looking towards a brightly lit panel at the far end.

EU Cyber Resilience Act

October 15, 2024

Germany
Germany
Germany
The European Union has now adopted the Cyber Resilience Act (CRA) mandating minimum cybersecurity requirements for products with digital elements placed on the European market. The Regulation will come into force this year and obligations will apply in 36 months - with some exceptions applying earlier. The CRA addresses the supply chain of all products, hard- and software, which are capable of a direct or indirect connection to a device or network. Previously, cyber security minimum standards were already mandatory for certain products on a sector-specific basis, but not uniformly for all products. The Regulation addresses manufacturers, producers and importers to make products with digital elements safe to use, resilient against cyber threats and to adequately disclose security features.

Impact and actions

Obligations under the CRA include “security by design” and specific security safeguards that products must meet. This includes risk assessments, cyber incident reporting, vulnerability management and transparency obligations to ensure a high level of cybersecurity throughout the entire product lifecycle. The European Union Agency for Cybersecurity (ENISA) will be closely involved to provide cybersecurity certification standards, e.g. EUCC, EUCS, EU5G and EUAI, and to monitor large scale vulnerabilities in the European market. For example, software and hardware products will bear the “CE-marking” to indicate that they comply with the regulation’s requirements. Although the CRA harmonises standards across the EU, some member states are taking extra steps. E.g., the German BSI is publishing technical guidelines and Austria has published an implementation law.

Practical outlook

Businesses will now need to review which of their products are likely to fall within the scope of the regulation and the extent to which they meet essential security requirements. Especially considering the timeline of product design, manufacturers are now getting ready for Q4 of 2027.

In cases of non-compliance, products could be restricted from the EU market. Like pre-existing laws such as the NIS2 or the GDPR, the CRA introduces administrative fines of up to EUR 15 mio or 2.5% of a business's annual worldwide turnover.

Please reach out to your Eversheds Sutherland team to discuss any queries around the CRA and its implementation. Our worldwide team is here to assist you and put you in touch with the right contacts.

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.

Guides and Reports

Navigating EU Law

Industries

Business Topics

Key contacts

nilsmueller@eversheds-sutherland.com

Nils Müller

Partner

Munich, Germany | Hamburg, Germany

michael.roehsner@eversheds-sutherland.at

Michael Röhsner

Partner

Vienna, Austria

isabellanorbu@eversheds-sutherland.com

Isabella Norbu

Senior Associate

Munich, Germany

Latest Insights

  • legal updates
  • legal updates
  • podcasts and webcasts
  • legal updates

Latest News

  • client news
  • firm news
  • firm news
  • client news

Latest Events

Generic building in front of sun (1)

legal updates

June 03, 2026

shopping district

legal updates

May 29, 2026

Business meeting close up discussing data

podcasts and webcasts

May 29, 2026

Pay-Transparency-Waterdroplets-on-glass

legal updates

May 28, 2026

© Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website.

Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website. For information on Konexo please also see the Legal Notices page of this website.