The CRA will complement other EU laws designed to address the many challenges posed by cybersecurity and, more generally, the use of technology and the processing of different sets of data. Companies that manufacture and sell connected devices will need to be vigilant about the applicability of other EU digital laws such as the General Data Protection Regulation (GDPR), NIS2 Directive, Data Act, and AI Act.
What Is the Aim of the CRA?
Connected devices such as laptops, mobile devices, smartwatches, and cars are increasingly exposed to cyberthreats that can cause significant damage to businesses and individuals. Users of connected devices – both consumers and businesses – are often unaware of the inherent risks presented by the use of such devices, which prevents them from choosing the most appropriate device for their needs. The EU has taken action to address these issues by adopting the CRA.
The CRA sets new conditions for the production of secure connected devices and imposes stringent obligations that must be observed throughout a connected device’s life cycle. The CRA also establishes new vulnerability handling and reporting requirements and intensifies market surveillance rules to enforce the EU’s legal framework for cybersecurity. The CRA will become fully applicable on 11 December 2027, but certain reporting requirements will need to be met beginning 11 September 2026.
What Is in Scope of the CRA?
The CRA covers a wide range of connected devices, referred to as ‘products with digital elements’ (PDEs), that are classified into different categories according to their level of cybersecurity risk:
All PDEs – regardless of their cybersecurity risk level – must comply with the CRA’s basic cybersecurity standards. Important and critical PDEs will be subject to additional, stricter obligations.
Who Needs to Comply with the CRA?
The CRA potentially affects anyone involved in the manufacture and sale of PDEs in the EU:
The obligations of the CRA are primarily aimed at PDE manufacturers, but the CRA also imposes obligations on EU-based importers that place PDEs on the EU market and on distributors that supply PDEs to users in the EU.
What Are the Main Obligations of PDE Manufacturers?
Manufacturers subject to the CRA will be required to ensure a level of cybersecurity appropriate to the potential risks associated with the intended use of the PDEs. To this end, manufacturers will have to comply with various cybersecurity-related obligations, including:
What Are the CRA’s Reporting Requirements?
Manufacturers will be required, beginning 11 September 2026, to notify competent regulators of actively exploited vulnerabilities affecting their PDEs and of severe incidents that have an impact on the security of their PDEs by submitting the following:
What About Importers and Distributors?
Importers and distributors will also have to comply with certain CRA requirements. For instance, importers of PDEs placed on the EU market will have to verify that the necessary conformity assessment procedures have been followed and the required technical documentation has been made available by the manufacturer of the PDE. Importers will also have to identify themselves to users or other stakeholders of the PDE supply chain by indicating their name, postal address, and other contact details on the PDE packaging or on a document accompanying the PDE. Distributors must ensure that the PDEs they supply bear the CE markings and that both manufacturers and importers have shared with them all necessary documents (such as contact details and user instructions). Finally, both importers and distributors will be required to inform manufacturers and competent EU regulators if they suspect or become aware of a significant cybersecurity risk, vulnerability, or incident affecting a PDE.
How Will the CRA Be Enforced?
EU Member State market surveillance authorities (MSAs) will monitor compliance with the CRA. MSAs will have the power to inspect connected devices and to request access to all relevant information and documentation from manufacturers, importers, or distributors to verify the safety of the devices. Manufacturers will be required to cooperate with MSAs and implement new measures to address identified cybersecurity risks of PDEs already on the market.
MSAs will also work closely with other local and EU regulators, such as data protection authorities, the European Union Agency for Cybersecurity (ENISA), and Computer Security Incident Response Teams (CSIRTs) established under other EU digital laws such as NIS2. These other regulators are expected to cooperate with MSAs by sharing information and providing further guidance on the manufacture and distribution of connected devices. New EU regulatory authorities established under the AI Act will also support MSAs in covering the development, sale, and use of PDEs powered by AI systems.
What Are the Sanctions in Case of Non-compliance?
Manufacturers that fail to comply with the essential CRA cybersecurity requirements can be fined up to €15 million or 2.5% of their total annual worldwide revenues. MSAs may also impose additional fines on any operator in the PDE supply chain for breaches of other CRA requirements, depending on the nature, gravity, duration, and consequences of the breaches. Note that under the CRA, the provision of incorrect, incomplete, or misleading information to regulators in response to an information request can lead to fines of up to €5 million.
How Will the CRA Interact with Other EU Digital Laws?
The CRA regulates PDEs that involve the remote processing of data, both personal and non-personal. Companies involved in the development, production, sale, or maintenance of PDEs covered by the CRA must ensure compliance with the provisions of the GDPR if the PDE will be used to process personal data. For example, the GDPR principles of lawfulness, data minimisation, purpose limitation, and data protection by design and by default will have to be observed by companies acting as the controllers of personal data processed by PDEs. If there is a (severe) security incident that also qualifies as a personal data breach under the GDPR, the company may face reporting requirements under both the CRA and GDPR.
Manufacturers of PDEs are also advised to examine the extent to which the rules on connected products introduced by the Data Act may need to be complied with in tandem with the CRA. Since January 2024, the Data Act has imposed important new requirements on data sharing, especially when users of connected products wish to access their (non-personal) data or to switch service providers and take their data with them.
Finally, companies developing AI-powered PDEs may have to comply with additional requirements imposed by the recently enacted AI Act. They will have to review their product qualification under both the CRA and GDPR to determine how to properly conduct conformity and risk assessments.
Will the CRA Affect Companies in the United States?
PDEs may be manufactured in one country and used by businesses and consumers in other parts of the world. The EU has taken the cross-border dimension of PDEs into account and designed the CRA to impose certain requirements on non-EU-based manufacturers that develop and market PDEs for use by businesses and consumers in the EU. These manufacturers must work with EU importers and distributors to meet CRA requirements.
In addition to complying with all the CRA’s essential cybersecurity requirements, PDE manufacturers that are not located in the EU (but sell their devices in the EU) will have to report vulnerabilities and incidents to the relevant EU regulators and provide them with all necessary documentation (and in some cases, in languages other than English). U.S.-based companies that design or sell connected devices in the EU are therefore well-advised to assess to what extent the CRA (and other EU digital laws) may apply to their activities.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.