Berghof Logo Automation Berghof Logo Automation
Cyber Resilience Act EU

Cyber Resilience Act (CRA)

New EU regulation on cyber security - what manufacturers should know now


What is the Cyber Resilience Act about?

The Cyber Resilience Act (CRA) is a European Union regulation that sets comprehensive requirements for the cybersecurity of products with digital functions for the first time. The aim is to create a uniform level of protection throughout the internal market and thus better protect both consumers and businesses from digital threats.
It affects products that contain software and communicate with networks or other products, including many electronic components used in industry and in the private sector. The CRA was adopted in March 2024 and is expected to be fully applicable from December 2027 after a transition period.

Who exactly is affected by the CRA?

The regulation is aimed at manufacturers, importers and distributors of digital products and components – in other words, virtually all companies that develop, manufacture or place software or networked devices on the market. These include, for example:

  • Industrial control and regulation technology
  • Embedded systems with network connection
  • Firmware and operating systems
  • Smart home and IoT devices
  • Software programmes with cloud or app connection
  • and much more

What does the Cyber Resilience Act require?

The core of the CRA is to ensure cybersecurity throughout the entire product lifecycle. Security aspects should be incorporated into product design (security by design) and continuously reviewed throughout the product's lifetime. Among other things, the CRA stipulates:

  • The performance of risk assessments for each product
  • Measures to protect against known vulnerabilities
  • A secure default configuration without unnecessary access
  • The provision of security updates, even after market launch
  • A process for managing security vulnerabilities (vulnerability management)
  • The reporting of actively exploited vulnerabilities to the EU agency ENISA within 24 hours

Proof of CRA compliance is provided by the CE marking on the product

What does this mean in practice?

For manufacturers of electronic products, the CRA means an additional focus on security – right from the early development phase. The requirements apply not only to product technology, but also to internal processes, documentation and long-term support.

Companies must ensure that security aspects are taken into account throughout the entire life cycle of a product – from development and market launch to the provision of updates and the handling of potential vulnerabilities.

When does the CRA come into force?

  • Adoption by the EU Parliament: March 2024
  • Publication in the EU Official Journal: 2024
  • Transition period: 36 months
  • Mandatory application: from 2027

This page is for information purposes only – in particular for customers, partners and anyone who would like to find out about the upcoming changes in the field of cybersecurity.

Note: The content provided does not constitute legal advice.

Do you have any questions?

We look forward to receiving your call or e-mail. You are also welcome to send us a message using our contact form. We will contact you as soon as possible.

Contact form

This site uses third-party website tracking technologies to provide its services. I agree to this and can revoke or change my consent at any time with effect for the future.

Content settings Legal notice Privacy policy

Consent Management

Consent Management

Required

These are required for the basic functions of the website and help to make our website usable as well as enable access to secure areas of our website.

Consent Information

Title: PHPSESSID
Provider: Berghof
Cookies:
Cookie Name: PHPSESSID
Duration: Session
Description: This cookie is native to PHP applications. The cookie is used to store and identify the unique session ID of a user in order to manage the user session on the website. The cookie is a session cookie and is deleted when all browser windows are closed.
External Privacy Policy: https://www.berghof-process-control.com/en/privacy-policy
Title: dpconsentmanagement
Provider: Berghof
Cookies:
Cookie Name: dpconsentmanagement
Duration: 12 months
Description: The cookie is set by the DER PUNKT Consent Management and is used to store whether the user has consented to the use of cookies or not. No personal data is saved.
External Privacy Policy: https://www.berghof-process-control.com/en/privacy-policy
Title: fe_typo_user
Provider: Berghof
Cookies:
Cookie Name: fe_typo_user
Duration: Session
Description: Saves the current login status of the session.
External Privacy Policy: https://www.berghof-process-control.com/en/privacy-policy

Marketing

Marketing and statistics cookies are used to enable anonymous tracking. Here, anonymised data can be forwarded to possible third-party providers.

Consent Information

Title: Google Tag Manager & Analytics
Provider: Google Ireland Limited
Description: This Google Analytics cookie is used to distinguish users when collecting information about their page views. It collects information for visitor statistics.
Cookies:
Cookie Name: _ga
Duration: 1 year
Description:
Cookie Name: _gcl_au
Duration: 4 months
Description:
Cookie Name: _gid
Duration: 1 day
Description:
Cookie Name: _gat_gtag_{Property ID}
Duration: 1 day
Description:
External Privacy Policy: https://policies.google.com/privacy?hl=de
External Host: google.de
Legal notice Privacy policy