Why the Cyber Resilience Act is not a paper tiger

Since the adoption of the Cyber Resilience Act (CRA), many manufacturers and suppliers are wondering how seriously the European Union intends to implement this new regulation. Will it ultimately remain a matter of well-intentioned declarations, or will there actually be consistent market surveillance with real consequences?

This post highlights why the CRA is more than a regulatory signal: it is a binding legal framework with far-reaching obligations, severe penalties, and clear enforcement mechanisms. Numerous facts, official statements, and structural preparations clearly show: the EU will enforce the CRA – and expects the same from the industry.

Consistent Market Surveillance

The EU is building on the established market surveillance system for the CRA: National market surveillance authorities are to monitor compliance with the requirements – for example, through inspections and sample checks. Violations can be pursued in a coordinated manner across Europe; the authorities of the member states share information with each other and with the EU Commission to ensure a uniform approach. ENISA (the EU Agency for Cybersecurity) also receives a central role: It coordinates notifications of security incidents and supports the supervisory authorities at the EU level.

It is noteworthy that the EU Commission can intervene itself if national authorities act hesitantly. In „exceptional circumstances“, the Commission may withdraw products from the market EU-wide or take other corrective actions to ensure cybersecurity. This clearly shows that the EU is prepared to intervene centrally if necessary and not let the CRA be watered down. Active monitoring is also planned in practice: according to expert sources, market surveillance authorities will conduct targeted „sweeps“ to systematically uncover violations. Overall, close monitoring is planned to ensure that the new cybersecurity obligations for products are actually implemented and not just on paper.

Planned sanctions for violations

The Cyber Resilience Act provides for significant sanctions, comparable to the strict penalties of the GDPR. The regulation requires all member states to enact „effective, proportionate, and dissuasive“ penalty provisions. Specifically, the CRA sets out the following fine frameworks:

  • Violation of the essential cybersecurity requirements (Annex I) or key obligations of manufacturers (e.g., secure product design, security updates, risk assessment): fines of up to €15 million or 2.5% of the company’s global annual turnover, whichever is higher. This underscores the high priority given to the essential cybersecurity requirements in the CRA.
  • Violation of other obligations (such as documentation, labeling, or distributor obligations): fines of up to €10 million or 2% of global annual turnover. Even less serious violations are therefore subject to severe penalties.
  • False or misleading information provided to authorities or regulatory bodies: fines of up to €5 million or 1% of revenue. This is intended to deter companies from concealing information – a lesson learned from other regulations that is being explicitly applied here.
  • In addition to fines, authorities can also take product-related measures. The availability of dangerous or non-compliant products may be restricted or prohibited; products may even be ordered to be recalled or withdrawn from the market. This is to ensure that unsafe devices do not enter circulation in the first place.

The Commission's authority to halt the distribution of unsafe products across the EU in emergencies further intensifies this effect. Therefore, the planned sanctions are by no means symbolic; they are substantial enough to deter companies and compel compliance – similar to the drastic penalties known since the GDPR.

Public statements on the binding nature of the CRA

Representatives of EU institutions have made it clear publicly that the Cyber Resilience Act will not be a toothless tiger.

Thus, Henna Virkkunen from the European Commission emphasized on the occasion of the CRA coming into force: „We are determined to make Europe a safe place for our citizens and businesses. This new regulation is a major step forward to ensure that digital products do not pose a cyber risk to consumers in the EU.“

Spanish Minister of Technological Innovation, José Luis Escrivá, also stated, representing the EU Council Presidency, at the political conclusion of the negotiations: „Connected devices need a basic level of cybersecurity if they are to be sold in the EU... That's precisely what the Cyber Resilience Act will achieve once it is in force.“

Such statements demonstrate that both the EU Commission and the Member States consider the regulation binding and essential for cybersecurity. Additionally, as an EU regulation, the CRA is directly applicable in all Member States and does not require transposition into national law – this prevents differences and weakening at the national level. The main obligations will thus apply bindingly throughout Europe starting in December 2027. This structure alone guarantees a uniform, mandatory regulatory framework. With this, the EU wants to – in the words of Commission President von der Leyen – enforce „common European cybersecurity standards.“ Overall, the official statements leave little doubt that the CRA is to be implemented with determination. “Watering down” would contradict the stated political aim of making Europe's digital single market more secure.

[Figure: CE-CRA process and the role of ENISA – from manufacturer to market: electronic documentation, risk management, compliance, functional safety]

Role of Notified Bodies, Harmonized Standards, and Third-Party Testing

A key element that ensures rigorous implementation is the CRA’s conformity assessment system. Similar to other CE marking requirements, the regulation relies on harmonized EU standards and—where necessary—independent testing bodies (Notified Bodies) to guarantee compliance with security requirements. All manufacturers must conduct a conformity assessment before placing a product on the market and declare that their product meets the „essential cybersecurity requirements.“ For the majority of less critical products (estimated at ~90% of products with digital elements), a self-declaration based on harmonized standards is provided for. These standards are developed by European standardization organizations and provide a presumption of conformity: If a product has been developed in accordance with a harmonized standard, it is considered compliant. This ensures that even in the case of self-assessment, a uniformly high level of security is maintained. The only remaining uncertainty at this time is how much leeway manufacturers have in interpreting specific measures. However, it is also clear that this is determined by a risk assessment in which manufacturers must identify and evaluate the threats.

However, for higher risk classes – products classified as „important“ or „critical“ – the CRA mandates more stringent testing procedures. This may require a third-party assessment by a Notified Body or the use of certification under a European cybersecurity certification scheme (e.g., the EUCC under the Cybersecurity Act). The underlying idea is: the greater the potential risk of damage from a product, the more independent and thorough the assessment must be. Thus, truly critical products cannot rely solely on manufacturers' self-declarations. Either a Notified Body tests the product according to strict criteria, or the manufacturer demonstrates compliance with CRA requirements through an EU certificate at a high assurance level. In this context, the CRA defines precise procedures and quality criteria for the work of Notified Bodies to ensure uniform standards. The very requirement to involve external testing bodies when necessary demonstrates the EU's intention to incorporate independent expertise and close loopholes. Additionally, the CE marking on the product will be mandatory, serving as a visible sign of conformity. This will make it easier to keep insecure products off the market, as no legal sale in the EU can take place without the CE mark. The inclusion of third-party testing and standards in the CRA ensures that the rules are practically verifiable and enforceable – meaning that not only the manufacturer's word is trusted, but also verifiable evidence. Manufacturers should therefore generally prepare to maintain this evidence.

Product Categories

The CRA is particularly interesting with regard to the specific product types in Annex III and Annex IV. These outline which product types fall under important and critical products. These must then always demonstrate security measures within the standardization framework of a standard or via an assessment. A self-assessment is therefore not possible.

Annex III of the CRA includes products that can present significant cybersecurity risks due to their functions, intended use, or technical specifications. These include, for example, password managers, identity management systems, VPN products, operating systems, routers, microcontrollers, as well as smart home devices with security features such as smart door locks or cameras. These important products are further divided into two classes: Class I and Class II. Depending on their class and risk assessment, manufacturers are required to either self-assess or undergo assessment by independent third parties.

Annex IV, however, concerns so-called critical products, which must meet particularly high security requirements due to their use in sensitive areas such as critical infrastructures. Examples include hardware devices with security boxes, smart meter gateways, smart cards, and devices with security-relevant cryptographic elements. For these critical products, the CRA mandates a compulsory external conformity assessment by independent notified bodies.

[Infographic: Class I and Class II products (self-assessment); embedded hardware, embedded software, microcontrollers]

Manufacturers of products listed in Annex III and IV must create comprehensive technical documentation, establish clear and effective processes for identifying and eliminating vulnerabilities, and provide regular and transparent security updates. Manufacturers of critical products from Annex IV, in particular, are subject to strict additional requirements, including mandatory external audits and regular checks, to ensure ongoing compliance with high security standards.

Summary

The Cyber Resilience Act is not a paper tiger – but a binding regulatory framework that will fundamentally change the cybersecurity of products in Europe. With high fines, mandatory testing procedures, and clearly regulated responsibilities, the EU has made it unmistakably clear that it takes implementation seriously. Anyone who dismisses the CRA as a mere formality misunderstands the scope and consequences of this regulation.

For companies, this means: Now is the right time to align structures, processes, and products with the new requirements – before it gets expensive. Those who invest in cyber resilience today are not only acting in compliance with the law but also securing their future.
